Live Response is a feature that’s available across all products on the Carbon Black Cloud. Live Response allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.
The Live Response API is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.
All Live Response API requests except Start Session and Get All Sessions require an active “session”. Requests, where session id is required, will return errors if one is not established or has timed out. A device with an active session will keep an open connection to the Carbon Black Cloud for as long as the session has not timed out or has not been closed with Close Session call. See the Session Management section for details on “sessions”.
If you use a previous version of the Live Response APIs, see this document for details of what has changed and how to migrate to v6
Note: There is a known issue that the enumerated values for the status field on the following API requests handled
by the /commands endpoint are returned in lower case. In a near term release this will be fixed to be upper case.
We recommend you use case-insensitive matching on the returned values of the status field. Further information is available
here.
Live Response provides Analysts with direct access to the endpoint during Alert Triage or Incident Response
In addition to Incident Response, Live Response can be used for IT Operations use cases including:
Access Level: Before you create your API Key, you need to create a “Custom” Access Level:
For the category Session Management:
Allow full permissions for each notation or see each call below for individual requirements.
CREATE, READ, UPDATE, DELETEFor the category File Management:
Allow full permissions for each notation or see each call below for individual requirements.
CREATE, READ, DELETEFor the category Command Endpoint:
Allow full permissions for each notation or see each call below for individual requirements.
READREAD, EXECUTE, DELETEREAD, CREATE, DELETECREATE, READ, UPDATE, DELETEREADUse the Start Session and Issue Command calls to send the directory list command to an endpoint. Then use the Retrieve Command Status call to get the results of the command requested in Issue Command.
To send commands to an endpoint, first establish a “session” with a device. A device with an active session will keep an open connection to the Carbon Black Cloud for as long as the session has not timed out or has not been closed with Close Session call. All Live Response requests except Start Session and Get All Sessions require a valid session id.
For more details on "sessions", go to the Session Management section.
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"{
"device_id": 8612331
}{
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"create_time": "2021-04-07T17:49:58.792Z",
"device_check_in_time": "2021-04-07T17:49:58.793Z"
}The Issue Command request accepts a number of different body parameters depending on the requested command.
For a full list of the supported commands and their parameters, go to the Issue Command section.
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commandsX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"{
"name": "directory list",
"path": "c:\\Windows\\"
}{
"values": [],
"id": 4,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"status": "PENDING",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "c:\\Windows\\"
},
"create_time": "2021-04-08T11:07:57Z",
"finish_time": "2021-04-08T11:07:57.433Z"
}Retrieve the results of the command requested in Issue Command with the Retrieve Command Status call.
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/4X-AUTH-TOKEN: "ABCD1234/DEFG12354"{
"values": [],
"id": 4,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "COMPLETE",
"sub_keys": [],
"files": [
{
"size": 11264,
"attributes": [
"ARCHIVE"
],
"filename": "write.exe",
"alternate_name": "",
"create_time": "2018-09-15T07:12:55Z",
"last_access_time": "2018-09-15T07:12:55Z",
"last_write_time": "2018-09-15T07:12:55Z"
}
],
"input": {
"name": "directory list",
"object": "c:\\Windows\\"
},
"create_time": "2021-04-08T11:07:57Z",
"finish_time": "2021-04-08T11:07:57Z"
}All interaction with endpoints must occur in the context of a session. The correct flow is:
Existing sessions can be found by their id with Get Session by ID or by returning a list of all available sessions with Get All Sessions. Each session will keep an open connection to the Carbon Black Cloud for as long as it is active. Sessions are kept alive for a certain timeout period and then terminated once it has expired. This period is 15 minutes unless Get Session by ID or Issue Command call is made which resets the timeout. The session can be closed before the timeout expires with the Close Session call. Only one session per device can be active at a time, but it can be used by multiple callers.
Creates a new Live Response session for the specific device. The returned session id is required by all other requests in this API except Get All Sessions. This session will be kept alive for a timeout period of 15 minutes unless Get Session by ID or Issue Command call is made which resets the timeout. The session can be closed before the timeout expires with the Close Session call.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
CREATE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Request Body - application/json
{
"device_id": integer
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
device_id
REQUIRED |
Device id to start the session for | Integer | N/A |
Response Status Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"{
"device_id": 8612331
}{
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"create_time": "2021-04-07T17:49:58.792Z",
"device_check_in_time": "2021-04-07T17:49:58.793Z"
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X POST \
-H X-Auth-Token=ABCD1234/DEFG1234 \
-H Content-Type=application/json \
-d device_id=8612331
{
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"create_time": "2021-04-07T17:49:58.792Z",
"device_check_in_time": "2021-04-07T17:49:58.793Z"
}Retrieve Live Response session by id. This call will refresh the 15-minute timeout of the “session” created by Start Session request.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331X-AUTH-TOKEN: "ABCD1234/DEFG12354"{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-04-07T18:01:28.690Z",
"device_check_in_time": "2021-04-07T18:01:22.672Z"
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331 \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-04-07T18:01:28.690Z",
"device_check_in_time": "2021-04-07T18:01:22.672Z"
}Get all Live Response sessions.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 204 | Successful Response with empty response body when no active sessions present | N/A | N/A |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsX-AUTH-TOKEN: "ABCD1234/DEFG12354"[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-04-07T18:05:04.821Z",
"device_check_in_time": "2021-04-07T18:04:55.117Z"
}
]$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \
[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1923756:8612331",
"device_id": 8612331,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-04-07T18:05:04.821Z",
"device_check_in_time": "2021-04-07T18:04:55.117Z"
}
]Close Live Response session before the session’s 15 minute timeout.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
DELETE |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | N/A | N/A | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331X-AUTH-TOKEN: "ABCD1234/DEFG12354"No Content$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331 \
-X DELETE \
-H X-Auth-Token=ABCD1234/DEFG1234 \
No ContentPermanently disables the Live Response feature in the sensor of the requested device(s).
Note: This action cannot be undone. You must reinstall the sensor to restore Live Response.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse |
DELETE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill
Request Body - application/json
[ integer ]Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| N/A | Array of device ids to disable Live Response | Array | [ integer ] |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 404 | Org Not Found or Sensor Not Found or File Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/killX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"[
8612331
]{
"id": "1923756:8612331",
"device_id": 8612331,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill \
-X POST \
-H X-Auth-Token=ABCD1234/DEFG1234 \
-H Content-Type=application/json \
-d FIXME add array here
{
"id": "1923756:8612331",
"device_id": 8612331,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}Manage Carbon Black Cloud files associated with a Live Response session.
To upload a file to an endpoint, it must first be uploaded to the Carbon Black Cloud with a specific session. Then the file can be uploaded and managed on one or more endpoints with the Issue Command API call.
Gets all Carbon Black Cloud files metadata associated with the Live Response session. Returns File objects associated with the session, but not the content of those files. Retrieve file content with the Get File Content call.
There is no defined limit to file size. No issues have been encountered with files over 1GB.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.file |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/filesX-AUTH-TOKEN: "ABCD1234/DEFG12354"[
{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 25600,
"size_uploaded": 25600
}
]$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \
[
{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 25600,
"size_uploaded": 25600
}
]Retrieve a particular File object by id for a session.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.file |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0X-AUTH-TOKEN: "ABCD1234/DEFG12354"{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 25600,
"size_uploaded": 25600
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0 \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 25600,
"size_uploaded": 25600
}Return the raw contents of the specified file.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.file |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/contentX-AUTH-TOKEN: "ABCD1234/DEFG12354"<string>$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/content \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \
<string>Upload local file to Carbon Black Cloud through the Live Response session. A timeout may occur when uploading very large files. More information on the timeout period for a session is included in the Session Management section.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.file |
CREATE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Request Body - multipart/form-data
fileNameResponse
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Empty File Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/filesX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "multipart/form-data"{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 6,
"size_uploaded": 0
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files \
-X POST \
-H X-Auth-Token=ABCD1234/DEFG1234 \
-H Content-Type=multipart/form-data \
-F file=@/tmp/test.txt
{
"id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
"file_name": "test.txt",
"size": 6,
"size_uploaded": 0
}Delete a file and its contents from Carbon Black Cloud for a Live Response session.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.file |
DELETE |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successful deleted the file | NA | N/A |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0X-AUTH-TOKEN: "ABCD1234/DEFG12354"No Content$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0 \
-X DELETE \
-H X-Auth-Token=ABCD1234/DEFG1234 \
No ContentRetrieve all Live Response commands issued in the specific session.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ |
org.liveresponse.file |
READ |
org.liveresponse.registry |
READ |
org.liveresponse.memdump |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commandsX-AUTH-TOKEN: "ABCD1234/DEFG12354"[
{
"values": [],
"id": 10,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "COMPLETE",
"sub_keys": [],
"files": [
{
"size": 11264,
"attributes": [
"ARCHIVE"
],
"filename": "write.exe",
"alternate_name": "",
"create_time": "2018-09-15T07:12:55Z",
"last_access_time": "2018-09-15T07:12:55Z",
"last_write_time": "2018-09-15T07:12:55Z"
}
],
"input": {
"name": "directory list",
"object": "c:\\Windows\\"
},
"create_time": "2021-04-07T19:43:35Z",
"finish_time": "2021-04-07T19:43:35Z"
},
{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "CANCELLED",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY",
"NOT_CONTENT_INDEXED"
],
"filename": "System32",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Windows\\system32"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}
]$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \
[
{
"values": [],
"id": 10,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "COMPLETE",
"sub_keys": [],
"files": [
{
"size": 11264,
"attributes": [
"ARCHIVE"
],
"filename": "write.exe",
"alternate_name": "",
"create_time": "2018-09-15T07:12:55Z",
"last_access_time": "2018-09-15T07:12:55Z",
"last_write_time": "2018-09-15T07:12:55Z"
}
],
"input": {
"name": "directory list",
"object": "c:\\Windows\\"
},
"create_time": "2021-04-07T19:43:35Z",
"finish_time": "2021-04-07T19:43:35Z"
},
{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "CANCELLED",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY",
"NOT_CONTENT_INDEXED"
],
"filename": "System32",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Windows\\system32"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}
]Send a Live Response command to the sensor. This call will refresh the 15-minute timeout of the “session” created by Start Session request.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ, EXECUTE, DELETE |
org.liveresponse.registry |
CREATE, READ, UPDATE, DELETE |
org.liveresponse.file |
CREATE, READ, DELETE |
org.liveresponse.memdump |
READ |
Supported Commands and RBAC Permissions Required
| Command | Command Definition | Permission (.notation name) and Operations |
|---|---|---|
directory list |
List contents of directory/folder | org.liveresponse.file - READ |
process list |
List all running processes | org.liveresponse.process - READ |
create process |
Start a new process | org.liveresponse.process - EXECUTE |
kill |
Terminate a running process | org.liveresponse.process - DELETE |
delete file |
Delete File from endpoint | org.liveresponse.file - DELETE |
get file |
Start the sequence to download a file | org.liveresponse.file - READ |
put file |
Upload file to specified directory/folder | org.liveresponse.file - CREATE |
create directory |
Create Directory | org.liveresponse.file - CREATE |
reg create key |
Create a new registry key | org.liveresponse.registry - CREATE |
reg delete key |
Delete an existing registry key | org.liveresponse.registry - DELETE |
reg enum key |
Return the subkeys of the specified registry key | org.liveresponse.registry - READ |
reg query value |
Return the data in the specified registry value | org.liveresponse.registry - READ |
reg set value |
Update the data in the specified registry value | org.liveresponse.registry - UPDATE |
reg delete value |
Delete the specified registry value | org.liveresponse.registry - DELETE |
memdump |
Dump kernel memory on the endpoint | org.liveresponse.memdump - READ |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Request and Response Body - application/json
The Issue Command call may accept any one of the request objects described below. One command object per call can be used.
Details on each of the command request and response parameters can be found in the Schemas section.
{
"name": "directory list",
"path": "<string>"
}{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"files": [
{
"size": integer,
"attributes": [
"<string>"
],
"filename": "<string>",
"alternate_name": "<string>",
"last_write_time": "<string>",
"create_time": "<string>",
"last_access_time": "<string>"
}
]
}{
"name": "process list"
}
{
"id": integer,
"input": {
"name": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"processes": [
{
"process_pid": integer,
"process_path": "<string>",
"process_cmdline": "<string>",
"sid": "<string>",
"process_username": "<string>",
"parent_pid": integer,
"parent_create_time": "<string>",
"process_create_time": "<string>"
}
]
}
{
"name": "create process",
"path": "<string>",
"output_file": "<string>",
"wait": boolean
}
{
"id": integer,
"input": {
"wait": boolean,
"name": "<string>",
"working_directory": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"process_details": {
"pid": integer,
"return_code": integer
}
}
{
"name": "kill",
"pid": integer
}
{
"id": integer,
"input": {
"name": "<string>",
"object": integer
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
{
"name": "delete file",
"path": "<string>"
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": <string>,
"status": "<string>"
}
{
"name": "get file",
"path": "<string>",
"offset": integer,
"count": integer
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": <string>,
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}
{
"name": "put file",
"path": "<string>",
"file_id": integer
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}
{
"name": "create directory",
"path": "<string>"
}
{
"id": integer,
"input": {
"name": "create directory",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
{
"name": "reg create key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
{
"name": "reg delete key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}
{
"name": "reg enum key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}
{
"name": "reg query value",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}
{
"name": "reg set value",
"path": "<string>",
"value_data": "<string>",
"value_type": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}
{
"name": "reg delete value",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
{
"name": "memdump",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"mem_dump": {
"percentdone": integer,
"return_code": integer
}
}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled or Too Many Commands | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commandsX-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"{
"name": "directory list",
"path": "C:\\Temp"
}{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"status": "PENDING",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Temp"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08.650Z"
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands \
-X POST \
-H X-Auth-Token=ABCD1234/DEFG1234 \
-H Content-Type=application/json \
-d name=directory list \
-d path=C:\\Temp
{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"status": "PENDING",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Temp"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08.650Z"
}Retrieve the results of the command requested in Issue Command call.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ |
org.liveresponse.registry |
READ |
org.liveresponse.file |
READ |
org.liveresponse.memdump |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Query Parameters
| Field | Required |
|---|---|
wait |
No |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | application/json | Example response below | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found or Command Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11X-AUTH-TOKEN: "ABCD1234/DEFG12354"{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "COMPLETE",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY"
],
"filename": ".",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
},
{
"size": 0,
"attributes": [
"DIRECTORY"
],
"filename": "..",
"alternate_name": "",
"last_access_time": "2021-05-06T18:20:28Z",
"last_write_time": "2021-04-13T15:42:03Z",
"create_time": "2018-09-15T06:09:26Z",
},
{
"size": 69666,
"attributes": [
"ARCHIVE"
],
"filename": "test.jpg",
"alternate_name": "TEST1.JPG",
"last_access_time": "2021-04-13T15:42:03Z",
"last_write_time": "2021-04-13T15:42:03Z",
"create_time": "2021-04-13T15:42:03Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Temp"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11 \
-X GET \
-H X-Auth-Token=ABCD1234/DEFG1234 \{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "COMPLETE",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY"
],
"filename": ".",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
},
{
"size": 0,
"attributes": [
"DIRECTORY"
],
"filename": "..",
"alternate_name": "",
"last_access_time": "2021-05-06T18:20:28Z",
"last_write_time": "2021-04-13T15:42:03Z",
"create_time": "2018-09-15T06:09:26Z",
},
{
"size": 69666,
"attributes": [
"ARCHIVE"
],
"filename": "test.jpg",
"alternate_name": "TEST1.JPG",
"last_access_time": "2021-04-13T15:42:03Z",
"last_write_time": "2021-04-13T15:42:03Z",
"create_time": "2021-04-13T15:42:03Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Temp"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}Cancel Live Response Command if the status is PENDING.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.process |
DELETE |
org.liveresponse.registry |
DELETE |
org.liveresponse.file |
DELETE |
org.liveresponse.memdump |
READ |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | application/json | Example response below | |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11X-AUTH-TOKEN: "ABCD1234/DEFG12354"{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "CANCELLED",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY",
"NOT_CONTENT_INDEXED"
],
"filename": "System32",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Windows\\system32"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11 \
-X DELETE \
-H X-Auth-Token=ABCD1234/DEFG1234 \{
"values": [],
"id": 11,
"name": "directory list",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"status": "CANCELLED",
"sub_keys": [],
"files": [
{
"size": 0,
"attributes": [
"DIRECTORY",
"NOT_CONTENT_INDEXED"
],
"filename": "System32",
"alternate_name": "",
"create_time": "2018-09-15T06:09:26Z",
"last_access_time": "2021-01-28T21:15:28Z",
"last_write_time": "2021-01-28T21:15:28Z"
}
],
"input": {
"name": "directory list",
"object": "C:\\Windows\\system32"
},
"create_time": "2021-04-07T19:44:08Z",
"finish_time": "2021-04-07T19:44:08Z"
}| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | directory list |
path
REQUIRED |
Full path to the directory on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | process list |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | create process |
path
REQUIRED |
The path and command line of the executable on the remote device | String | N/A |
output_file
REQUIRED |
Full path to existing file where process output should be redirected | String | N/A |
wait
REQUIRED |
Wait or not for the process for complete | Boolean | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | kill |
pid
REQUIRED |
PID of the process to kill | Integer | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | delete file |
path
REQUIRED |
Full path to the local file on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | get file |
path
REQUIRED |
Full path to the file on the remote device | String | N/A |
offset
REQUIRED |
Offset from the start of the file | Integer | N/A |
get_count
REQUIRED |
Number of bytes to read | Integer | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | put file |
path
REQUIRED |
Full path to the file on the remote device | String | N/A |
file_id
REQUIRED |
File id retrieved from the Upload File to Carbon Black Cloud API call | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | create directory |
path
REQUIRED |
Full path of the directory to be created on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg create key |
path
REQUIRED |
Full path to the key in the registry on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg delete key |
path
REQUIRED |
Full path to the key in the registry on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg enum key |
path
REQUIRED |
Full path to the key in the registry on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg query value |
path
REQUIRED |
Full path to the value in the registry on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg set value |
path
REQUIRED |
Full path to the value in the registry on the remote device | String | N/A |
value_data
REQUIRED |
Value of the new registry value | String | N/A |
value_type
REQUIRED |
Type of the new registry value | String | pbREG_NONE, pbREG_SZ, pbREG_EXPAND_SZ, pbREG_BINARY, pbREG_DWORD, pbREG_DWORD_BIG_ENDIAN, pbREG_MULTI_SZ, pbREG_QWORD |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | reg delete value |
path
REQUIRED |
Full path to the value in the registry on the remote device | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
name
REQUIRED |
Command being issued | String | memdump |
path
REQUIRED |
Full path to file on the remote device where the memory will be dumped. If the file exists, its content will be overwritten, else the file will be created | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
id
REQUIRED |
Id of issued command | Integer | N/A |
input
REQUIRED |
Command input containing more information based on the command submitted | Object | Command Response Schemas |
name
REQUIRED |
Command being issued as it was submitted by the create command request | String | Supported: directory list, process list, create process, kill, delete file, get file, put file, create directory, reg create key, reg delete key, reg enum key, reg query value, reg set value, reg delete value |
create_time
REQUIRED |
ISO 8601 UTC | String | Example: 2021-04-07T17:49:58.792Z |
finish_time
REQUIRED |
ISO 8601 UTC | String | Example: 2021-04-07T17:49:58.792Z |
result_code
REQUIRED |
Set to zero for successful execution, non-zero for errors | Integer | default: 0 |
result_desc
REQUIRED |
Result Description | String | N/A |
status
REQUIRED |
Issued command status | String | Supported: PENDING, RUNNING, COMPLETE, ERROR,CANCELLED |
| CommandObject | Response body for the specific issued command | Object | Command Response Schemas |
| Field | Definition | Data Type | Values |
|---|---|---|---|
files |
List of file objects within specified directory | Array | files Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
processes |
List of process objects | Array | processes Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
process_details |
Details of listed process | Object | process_details Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
file_details |
Object containing file details | Object | file_details Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
sub_keys |
Sub keys | String | N/A |
values |
Values | Array | values Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
value |
Query value | Object | value Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
mem_dump |
Details of issued memdump | Object | mem_dump Schema |
| Field | Definition | Data Type | Values |
|---|---|---|---|
filename |
File name | String | N/A |
attributes |
File attributes | Array | N/A |
last_access_time |
Last time file was accessed | String | N/A |
last_write_time |
Last time file was modified | String | N/A |
alternate_name |
File alternate name | String | N/A |
create_time |
File create time | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
process_pid |
Process id | Integer | N/A |
process_cmdline |
Process command line | String | N/A |
parent_pid |
Process id of parent process | Integer | N/A |
process_username |
Process username | String | N/A |
process_path |
Process path | String | N/A |
process_create_time |
Process create time | String | N/A |
sid |
Security id | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
pid |
Process id | Integer | N/A |
return_code |
Return code | Integer | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
file_id |
File id retrieved from the Upload File to Carbon Black Cloud API call | String | N/A |
offset |
Offset from the start of the file | Integer | N/A |
count |
Number of bytes to read | Integer | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
registry_type |
Registry type | String | N/A |
registry_name |
Registry name | String | N/A |
registry_data |
Registry data | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
registry_type |
Registry type | String | N/A |
registry_name |
Registry name | String | N/A |
registry_data |
Registry data | String | N/A |
| Field | Definition | Data Type | Values |
|---|---|---|---|
percentdone |
Percent done of memdump | Integer | N/A |
return_code |
Return code | Integer | N/A |