Live Response API
Overview
Live Response is a feature that’s available across all products on the Carbon Black Cloud. Live Response allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.
The Live Response API is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.
All Live Response API requests except Start Session and Get All Sessions require an active “session”. Requests, where session id is required, will return errors if one is not established or has timed out. A device with an active session will keep an open connection to the Carbon Black Cloud for as long as the session has not timed out or has not been closed with Close Session call. See the Session Management section for details on “sessions”.
The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
If you use a previous version of the Live Response APIs, see this document for details of what has changed and how to migrate to v6.
Note: This API is not available in the AWS GovCloud (US) environment.
Use Cases
Live Response provides Analysts with direct access to the endpoint during Alert Triage or Incident Response
- Gather context:
- Determine if a malicious process is still running
- Get the content of a file or registry key
- Upload, execute, and get the results of a forensic toolkit
- Take action and remediate:
- Kill a malicious process
- Delete a malicious file
In addition to Incident Response, Live Response can be used for IT Operations use cases including:
- Executing and retrieving memory dumps of poorly performing processes
- Remotely manage endpoints through command line access
Requirements
- At least one Carbon Black Cloud product
- Device with Live Response enabled
- All API calls require an API key with appropriate permissions see Authentication
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on majority of environments; Use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- Live Response: {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Live Response > Live Response Session > org.liveresponse.session, allow permission to
CREATE, READ, DELETE - Live Response > Live Response File > org.liveresponse.file, allow permission to
CREATE, READ, DELETE - Live Response > Live Response Process > org.liveresponse.process, allow permission to
READ, EXECUTE, DELETE - Live Response > Live Response Registry > org.liveresponse.registry, allow permission to
CREATE, READ, UPDATE, DELETE - Live Response > Live Response Memory dump > org.liveresponse.memdump, allow permission to
READ - Live Response > Disable Live Response > org.liveresponse, allow permission to
DELETE
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth Access Control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).
Environment
Available on
Prod UK and AWS GovCloud (US). Full list of environments is available here; Use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- Live Response: {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse
Access Level
Before you create your OAuth App, you need to create a custom Role with the following permissions under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
- _API.Live.Response:org.liveresponse.session, allow permission to
CREATE, READ, DELETE - _API.Live.Response:org.Liveresponse.File, allow permission to
CREATE, READ, DELETE - _API.Live.Response:org.Liveresponse.Process, allow permission to
READ, EXECUTE, DELETE - _API.Live.Response:org.Liveresponse.Registry, allow permission to
CREATE, READ, UPDATE, DELETE - _API.Live.Response:org.Liveresponse.Memdump, allow permission to
READ - _API.Live.Response:org.liveresponse, allow permission to
DELETE
API Authentication
The Cloud Services Platform supports several authentication options, Access Token, API Token, and for backward compatibility, X-Auth-Token. To learn about the differences or how to use the authentication methods see the Authentication Guide.
Quick Start
Quick Start guides follow entire workflows for common scenarios on how you can use Live Response API.
This Quick Start guide follows a scenario for creating a folder on a remote endpoint and then uploading a file in it. The workflow steps are:
1. Start Session with a remote endpoint
2. Issue Command - create directory to create the directory on the remote endpoint
3. Retrieve Command Status to get the status of the issued command in step 2
4. Upload File to Carbon Black Cloud file must first be uploaded to Carbon Black Cloud before sending it to the endpoint
5. Issue Command - put file to send the file to the remote endpoint
6. Retrieve Command Status to check if the issued command in step 5. succeeded
Note: Special characters, like quotes and backslashes commonly used in file paths, need escaping with a single backslash. Not escaping special characters can result in syntax errors.
1. Start Session
All interaction with endpoints must occur in the context of a session.Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"device_id": 11412673
}Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-27T09:45:02.191Z",
"device_check_in_time": "2021-10-27T09:45:01.608Z"
}2. Issue Command - create directory
The Issue Command call accepts a number of different body parameters depending on the command.For a full list of the supported commands and their parameters, go to the Issue Command section.
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "create directory",
"path": "C:\\demo"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}3. Retrieve Command Status
Retrieve the results of Issue Command from the previous step by using its id.Note: The "result_code" field indicates the success/failure of the create directory command ("0" = success).
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/5Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"status": "COMPLETE",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"create_time": "2021-10-27T12:20:11Z",
"finish_time": "2021-10-27T12:20:11Z"
}4. Upload File to Carbon Black Cloud
To send file to an endpoint, first upload it to the Carbon Black Cloud.Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/filesRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"Request Body
N/AResponse Body
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 1,
"file_name": "example_file.txt",
"size_fileed": 1,
"upload_url": null
}5. Issue Command - put file
Using the id from the previous step, send the file to the endpoint in the directory created in step 2.Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123466789/ABCD123466"
Content-Type: "application/json"Request Body
{
"name": "put file",
"path": "C:\\demo\\example_file.txt",
"file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "put file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"finish_time": "2021-10-27T09:43:07.809Z",
"create_time": "2021-10-27T09:43:07Z"
}6. Retrieve Command Status
Retrieve the results of Issue Command from the previous step by using its id.Note: The "result_code" field indicates the success/failure of the file upload command ("0" = success).
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/5Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"status": "COMPLETE",
"values": [],
"id": 0,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-27T09:43:07Z",
"finish_time": "2021-10-27T09:43:07.809Z"
}This Quick Start guide follows a scenario for creating a process that writes output to a file and then terminates it. The workflow steps are:
1. Start Session with a remote endpoint
2. Issue Command - create process to run the process on the remote endpoint
3. Retrieve Command Status to get the status of the issued command in step 2
4. Issue Command - kill to terminate the created process using the pid from step 3
Note: Special characters, like quotes and backslashes commonly used in file paths, need escaping with a single backslash. Not escaping special characters can result in syntax errors.
1. Start Session
All interaction with endpoints must occur in the context of a session.Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"device_id": 11412673
}Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-27T09:45:02.191Z",
"device_check_in_time": "2021-10-27T09:45:01.608Z"
}2. Issue Command - create process
This command will open cmd.exe, list the contents of the current directory and save it to a file. The Issue Command call accepts a number of different body parameters depending on the command.For a full list of the supported commands and their parameters, go to the Issue Command section.
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "create process",
"path": "cmd.exe /c dir",
"output_file": "C:\\demo\\output.txt",
"wait": true
}Response Body
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 15,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"wait": true,
"name": "create process",
"output_file": "C:\\demo\\output.txt",
"object": "cmd.exe /c dir"
},
"create_time": "2021-10-29T13:47:07Z",
"finish_time": "2021-10-29T13:47:07.732Z"
}3. Retrieve Command Status
Retrieve the results of Issue Command from the previous step by using its id.Note: The "process_details" object's "pid" and "return_code" indicate if the process has successfully started or not ("0" = success).
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/15Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"status": "COMPLETE",
"values": [],
"process_details": {
"pid": 3272,
"return_code": 0
},
"id": 15,
"name": "create process",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"wait": true,
"name": "create process",
"output_file": "C:\\demo\\output.txt",
"object": "cmd.exe /c dir"
},
"create_time": "2021-10-29T13:47:07Z",
"finish_time": "2021-10-29T13:47:08Z"
}4. Issue Command - kill
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "kill",
"pid": 3272
}Response Body
{
"status": "PENDING",
"values": [],
"id": 16,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 3272
},
"create_time": "2021-10-29T13:56:27Z",
"finish_time": "2021-10-29T13:56:28.105Z"
}API Calls
Session Management
All interaction with endpoints must occur in the context of a session. The correct flow is:
- Start Session using Start Session API call
- Perform required actions
- Close Session using Close Session API cal
Existing sessions can be found by their id with Get Session by ID or by returning a list of all available sessions with Get All Sessions. Each session will keep an open connection to the Carbon Black Cloud for as long as it is active. Sessions are kept alive for a certain timeout period and then terminated once it has expired. This period is 15 minutes unless Get Session by ID or Issue Command call is made which resets the timeout. The session can be closed before the timeout expires with the Close Session call. Only one session per device can be active at a time, but it can be used by multiple callers.
Start Session
Creates a new Live Response session for the specific device. The returned session id is required by all other requests in this API except Get All Sessions. This session will be kept alive for a timeout period of 15 minutes unless Get Session by ID or Issue Command call is made which resets the timeout. The session can be closed before the timeout expires with the Close Session call.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.session |
CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.liveresponse.session:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Request Body - application/json
{
"device_id": integer
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
device_id
REQUIRED |
Device id to start the session for | Integer | N/A |
Response Status Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"device_id": 11412673
}Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T08:55:03.535Z",
"device_check_in_time": "2021-10-29T08:54:49.868Z"
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"device_id": 11412673}'Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T08:55:03.535Z",
"device_check_in_time": "2021-10-29T08:54:49.868Z"
}Get Session by ID
Retrieve Live Response session by id. This call will refresh the 15-minute timeout of the “session” created by Start Session request.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.session |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.liveresponse.session:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:02:53.277Z",
"device_check_in_time": "2021-10-29T09:02:52.791Z"
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:02:53.277Z",
"device_check_in_time": "2021-10-29T09:02:52.791Z"
}Get All Sessions
Get all Live Response sessions.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.session |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.liveresponse.session:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 204 | Successful Response with empty response body when no active sessions present | N/A | N/A |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessionsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:06:59.186Z",
"device_check_in_time": "2021-10-29T09:06:54.293Z"
}
]Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:06:59.186Z",
"device_check_in_time": "2021-10-29T09:06:54.293Z"
}
]Close Session
Close Live Response session before the session’s 15 minute timeout.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.session |
DELETE |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.liveresponse.session:delete |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | N/A | N/A | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
No ContentRequest
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
No ContentDisable Live Response
Permanently disables the Live Response feature in the sensor of the requested device(s).
Note: This action cannot be undone. You must reinstall the sensor to restore Live Response.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse |
DELETE |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.liveresponse:delete |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill
Request Body - application/json
[ integer ]Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| N/A | Array of device ids to disable Live Response | Array | [ integer ] |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 404 | Org Not Found or Sensor Not Found or File Not Found | application/json | |
Example
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/killRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
[ 11412673 ]Response Body
{
"id": "1234567:11412673",
"device_id": 11412673,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
-H 'Content-Type: application/json' \
-d '[11412673]'Response Body
{
"id": "1234567:11412673",
"device_id": 11412673,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}File Management
Manage Carbon Black Cloud files associated with a Live Response session.
To upload a file to an endpoint, it must first be uploaded to the Carbon Black Cloud with a specific session. Then the file can be uploaded and managed on one or more endpoints with the Issue Command API call.
Note: Special characters, like quotes and backslashes commonly used in file paths, need escaping with a single backslash. Not escaping special characters can result in syntax errors.
Get All Files Metadata
Gets all Carbon Black Cloud files metadata associated with the Live Response session. Returns File objects associated with the session, but not the content of those files. Retrieve file content with the Get File Content call.
There is no defined limit to file size. No issues have been encountered with files over 1GB.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.file |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.Liveresponse.File:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/filesRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
[
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
]Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
[
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
]Get File Metadata
Retrieve a particular File object by id for a session.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.file |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.Liveresponse.File:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}Get File Content
Return the raw contents of the specified file.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.file |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.Liveresponse.File:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/contentRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
<string>Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea/content \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-o file_to_download_to.txt \
-LResponse Body
file_to_download_to.txtUpload File to Carbon Black Cloud
Upload local file to Carbon Black Cloud through the Live Response session. A timeout may occur when uploading very large files. More information on the timeout period for a session is included in the Session Management section.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.file |
CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.Liveresponse.File:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Request Body - multipart/form-data
fileNameResponse
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Empty File Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/filesRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"Response Body
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 0,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: multipart/form-data' \
-F 'file=@example_file.txt'Response Body
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 0,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}Delete File
Delete a file and its contents from Carbon Black Cloud for a Live Response session.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.liveresponse.file |
DELETE |
Majority of environments |
| VMware Cloud Services Platform | _API.Live.Response:org.Liveresponse.File:delete |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successful deleted the file | NA | N/A |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
No ContentRequest
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
No ContentCommand Endpoint
Note: Special characters, like quotes and backslashes commonly used in file paths, need escaping with a single backslash. Not escaping special characters can result in syntax errors.
Get Commands List
Retrieve all Live Response commands issued in the specific session.
RBAC Permissions Required
For the environments where identity is managed in Carbon Black Cloud (the majority):
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ |
org.liveresponse.registry |
READ |
org.liveresponse.file |
READ |
org.liveresponse.memdump |
READ |
For the environments where identity is managed in VMware Cloud Services use the following permissions:
| Permission (.notation name) | Operation(s) |
|---|---|
_API.Live.Response:org.Liveresponse.Session |
READ |
_API.Live.Response:org.Liveresponse.Process |
READ |
_API.Live.Response:org.Liveresponse.Registry |
READ |
_API.Live.Response:org.Liveresponse.File |
READ |
_API.Live.Response:org.Liveresponse.Memdump |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Response | application/json | Example response below |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
[
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
]Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
[
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
]Issue Command
Send a Live Response command to the sensor. The Issue Command call may accept any one of the Command objects described below in its request body. One command object per call can be used.
This call is the second step of a workflow. The complete workflow is:
- Start Session or use an already existing one for the specific device.
- Issue Command to send a command to the device. This call returns
idand different meta information about the command, but not the actual command response. - Retrieve Command Status with the
idfrom Issue Command response to get the actual command response.
Note: This call will refresh the 15-minute timeout of the “session” created by Start Session call.
Note: When using the Issue Command call to create a process, use the “process_details” object’s “pid” and “return_code” from the response, to find out if the process has successfully started or not (return_code “0” = success).
Note: Special characters, like quotes and backslashes commonly used in file paths, need escaping with a single backslash. Not escaping special characters can result in syntax errors.
RBAC Permissions Required
For the environments where identity is managed in Carbon Black Cloud (the majority):
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ, EXECUTE, DELETE |
org.liveresponse.registry |
CREATE, READ, UPDATE, DELETE |
org.liveresponse.file |
CREATE, READ, DELETE |
org.liveresponse.memdump |
READ |
For the environments where identity is managed in VMware Cloud Services use the following permissions:
| Permission (.notation name) | Operation(s) |
|---|---|
_API.Live.Response:org.Liveresponse.Session |
READ |
_API.Live.Response:org.Liveresponse.Process |
READ, EXECUTE, DELETE |
_API.Live.Response:org.Liveresponse.Registry |
CREATE, READ, UPDATE, DELETE |
_API.Live.Response:org.Liveresponse.File |
CREATE, READ, DELETE |
_API.Live.Response:org.Liveresponse.Memdump |
READ |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Request Body - application/json
Click on any of the commands below to view its details or explore the example code snippets.
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
List the contents of a directory/folder on the remote device. To get the actual content of the directory, you need to make a Retrieve Command Status with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.file - READ
Request/Response Body - application/json
Request Body
{
"name": "directory list",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"files": [
{
"size": integer,
"attributes": [
"<string>"
],
"filename": "<string>",
"alternate_name": "<string>",
"last_write_time": "<string>",
"create_time": "<string>",
"last_access_time": "<string>"
}
]
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "directory list",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\"
}Response Body
{
"values": [],
"id": 4,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"status": "PENDING",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\"
},
"create_time": "2021-04-08T11:07:57Z",
"finish_time": "2021-04-08T11:07:57.433Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "directory list", "path": "C:\\Program Files\\Google\\Chrome\\Application\\" }'Response
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\"
},
"create_time": "2021-06-11T12:20:02Z",
"finish_time": "2021-06-11T12:20:02.085Z"
}Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# the full path of the directory, to check the content of
directory_path = 'C:\\Program Files\\Google\\Chrome\\Application\\'
# print the content of the directory
print(live_response.list_directory(directory_path))Result
[
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": ".",
"alternate_name": "",
"last_access_time": "2021-10-22T16:23:35Z",
"last_write_time": "2021-10-22T16:23:35Z",
"create_time": "2021-06-11T16:44:59Z",
},
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": "..",
"alternate_name": "",
"last_access_time": "2021-10-22T16:23:35Z",
"last_write_time": "2021-10-22T16:23:35Z",
"create_time": "2021-06-11T16:44:59Z",
},
{
"size": 2509656,
"attributes": ["ARCHIVE"],
"filename": "chrome.exe",
"alternate_name": "",
"last_access_time": "2021-10-07T21:13:06Z",
"last_write_time": "2021-10-07T02:00:42Z",
"create_time": "2021-06-11T16:44:59Z",
},
]
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
List all running processes on the remote device. To get the actual running processes, you need to make a Retrieve Command Status with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.process - READ
Request/Response Body - application/json
Request Body
{
"name": "process list"
}Response Body
{
"status": "<string>",
"values": [],
"id": integer,
"name": "<string>",
"result_code": integer,
"result_desc": "<string>",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "string"
},
"create_time": "<string>",
"finish_time": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "process list"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "process list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "process list"
},
"create_time": "2021-06-13T13:45:58Z",
"finish_time": "2021-06-13T13:45:58.064Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "process list" }'Response
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "process list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "process list"
},
"create_time": "2021-06-13T13:58:32Z",
"finish_time": "2021-06-13T13:58:32.296Z"
}Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# print all the running processes
print(live_response.list_processes())Result
[
{
"parent_create_time": 1634920906,
"parent_pid": 2712,
"process_cmdline": '"C:\\Program '
'Files\\Google\\Chrome\\Application\\chrome.exe" '
"--type=utility "
"--utility-sub-type=network.mojom.NetworkService "
"--field-trial-handle=1180,3277392572462062088,821093735683398366,131072 "
"--lang=en-US --service-sandbox-type=none "
"--mojo-platform-channel-handle=1536 /prefetch:8",
"process_create_time": 1634920.0,
"process_path": "c:\\program files\\google\\chrome\\application\\chrome.exe",
"process_pid": 5604,
"process_username": "NT AUTHORITY\\SYSTEM",
"sid": "S-1-5-18",
}
]
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Start a new process on the remote device. To get the newly created process PID or details like its status, make a Retrieve Command Status request with the id you receive from this call.
Note: Use the "process_details" object's "pid" and "return_code" from the response, to find out if the process has successfully started or not.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.process - EXECUTE
Request/Response Body - application/json
Request Body
{
"name": "create process",
"path": "<string>",
"output_file": "<string>",
"wait": boolean
}Response Body
{
"id": integer,
"input": {
"wait": boolean,
"name": "<string>",
"working_directory": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"process_details": {
"pid": integer,
"return_code": integer
}
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "create process",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
}Response Body
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 13,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create process",
"object": ""
},
"create_time": "2021-06-13T19:14:22Z",
"finish_time": "2021-06-13T19:14:22.912Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "create process", "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" }'Response Body
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 13,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create process",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"create_time": "2021-06-13T19:14:22Z",
"finish_time": "2021-06-13T19:14:22.912Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.process - EXECUTE
org.liveresponse.file - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# Open Google Chrome on a Windows device. No output is returned.
live_response.create_process('C:\Program Files\Google\Chrome\Application\chrome.exe', wait_for_completion=False, wait_for_output=False)
# Open cmd.exe, ping a certain IP address and print the response
print(live_response.create_process(r'cmd.exe /c "ping 127.0.0.1"'))Result
b'\r\nPinging 127.0.0.1 with 32 bytes of data:\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\n\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\r\nApproximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n'
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Terminate a running process by its PID. You can get the Process ID by calling the Issue Command call with process list in the request body.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.process - DELETE
Request/Response Body - application/json
Request Body
{
"name": "kill",
"pid": integer
}Response Body
{
"id": integer,
"input": {
"name": "<string>",
"object": integer
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "kill",
"pid": 9380
}Response Body
{
"status": "PENDING",
"values": [],
"id": 15,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 9380
},
"create_time": "2021-06-13T19:58:32Z",
"finish_time": "2021-06-13T19:58:32.468Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "kill", "pid": 9380 }'Response Body
{
"status": "PENDING",
"values": [],
"id": 15,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 9380
},
"create_time": "2021-06-13T19:58:32Z",
"finish_time": "2021-06-13T19:58:32.468Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.process - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to.
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# Get all running processes.
processes = live_response.list_processes()
# Filter for the process you want to terminate - in this case 'chrome.exe'. We are assuming there is only one 'chrome.exe' process running.
chrome_pid = None
for process in processes:
if 'chrome.exe' in process['process_path']:
chrome_pid = process['process_pid']
print('Process PID for chrome.exe is: ', chrome_pid)
# Use the kill command to terminate the process with the desired PID.
print('Terminate Process: ', live_response.kill_process(chrome_pid))Result
Process PID for chrome.exe is: 2712
Terminate Process: True
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Delete a file from the remote device. To check if the file was deleted successfuly, make a Retrieve Command Status request with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.file - DELETE
Request/Response Body - application/json
Request Body
{
"name": "delete file",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": <string>,
"status": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "delete file",
"path": "C:\\demo\\hello_world.txt"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "delete file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "delete file",
"object": "C:\\demo\\hello_world.txt"
},
"create_time": "2021-06-13T18:12:42Z",
"finish_time": "2021-06-13T18:12:42.917Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "delete file", "path": "C:\\demo\\hello_world.txt" }'Response Body
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "delete file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"create_time": "2021-06-13T18:17:28Z",
"input": {
"name": "delete file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-06-13T18:17:28.805Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.process - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to.
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# The full path of the directory to view contents of in order to get a certain filename.
directory_path = 'C:\\demo\\'
print('Directory contents is: ', live_response.list_directory(directory_path))
# Send the delete command with the full path to the file.
live_response.delete_file("C:\\demo\\hello_world.txt")Result
Directory contents is: [
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": ".",
"alternate_name": "",
"create_time": "2021-10-25T11:38:23Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T12:31:00Z",
},
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": "..",
"alternate_name": "",
"create_time": "2021-10-25T11:38:23Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T12:31:00Z",
},
{
"size": 42,
"attributes": ["ARCHIVE"],
"filename": "hello_world.txt",
"alternate_name": "HELLO_~1.TXT",
"create_time": "2021-10-25T12:31:00Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T11:34:55Z",
},
]
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Retrieve contents of the specified file on the remote machine - this call is part of a sequence. Use the file_id you receive from the response body of this call to get the actual file content with the Get File Content call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.file - READ
Request/Response Body - application/json
Request Body
{
"name": "get file",
"path": "<string>",
"offset": integer,
"count": integer
}Response Body
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": <string>,
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"Request Body
{
"name": "get file",
"path": "C:\\demo\\hello_world.txt"
}Response Body
{
"status": "PENDING",
"values": [],
"file_details": {
"offset": 0,
"count": 0,
"file_id": "01957fa2-7091-48fc-bc6a-03ca63cf3e45"
},
"id": 0,
"name": "get file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "get file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-10-27T08:14:00.352Z",
"create_time": "2021-10-27T08:14:00Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "get file", "path": "C:\\demo\\hello_world.txt" }'Response Body
{
"status": "PENDING",
"values": [],
"file_details": {
"offset": 0,
"count": 0,
"file_id": "c1353fa1-e1b9-4ad6-aa80-ef113363ee3c"
},
"id": 1,
"name": "get file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "get file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-10-27T08:28:19.277Z",
"create_time": "2021-10-27T08:28:19Z"
}Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# get the file content and save it in a variable
file_content = live_response.get_file('C:\\demo\\hello_world.txt')
# save the content in a file or print it, like in this example
print('Content:\n', file_content)Result
Content:
b'Hello\r\nHello\r\nHello\r\nHello\r\nHello\r\nHello\r\n'
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Upload file to specified directory/folder - this call is the second part of a sequence. Use the id you receive from the response body of the Upload File to Carbon Black Cloud call as file_id for this one.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.file - CREATE
Request/Response Body - application/json
Request Body
{
"name": "put file",
"path": "<string>",
"file_id": "<string>"
}Response Body
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123466789/ABCD123466"
Content-Type: "application/json"Request Body
{
"name": "put file",
"path": "C:\\demo\\example_file.txt",
"file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "put file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"finish_time": "2021-10-27T09:43:07.809Z",
"create_time": "2021-10-27T09:43:07Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123466789/ABCD123466' \
-d '{ "name": "process list" }'Response Body
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.file - CREATE, READ
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# first part of put_file() payload is the content, and the second it the location to save it to
live_response.put_file('Hello!', 'C:\\demo\\example_file.txt')
# to make sure the file and content are successfully created, run the get_file command
print(live_response.get_file('C:\\demo\\example_file.txt'))Result
b'Hello!'
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Create a directory on the remote device.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.file - CREATE
Request/Response Body - application/json
Request Body
{
"name": "create directory",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"name": "create directory",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123476789/ABCD123476"
Content-Type: "application/json"Request Body
{
"name": "create directory",
"path": "C:\\demo"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123476789/ABCD123476' \
-d '{ "name": "create directory", "path": "C:\demo" }'Response Body
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.file - CREATE, READ
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# provide full path to the directory to create
live_response.create_directory('C:\\demo')
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Create a new registry key on the remote endpoint.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - CREATE
Request/Response Body - application/json
Request Body
{
"name": "reg create key",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123486789/ABCD123486"
Content-Type: "application/json"Request Body
{
"name": "reg create key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "reg create key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg create key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:06:32Z",
"finish_time": "2021-11-01T10:06:32.340Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg create key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'Response Body
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "reg create key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg create key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:06:32Z",
"finish_time": "2021-11-01T10:06:32.340Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.registry - CREATE, READ
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# create the registry key
live_response.create_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Delete an existing registry key
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - DELETE
Request/Response Body - application/json
Request Body
{
"name": "reg delete key",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123496789/ABCD123496"
Content-Type: "application/json"Request Body
{
"name": "reg delete key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "reg delete key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:36:55Z",
"finish_time": "2021-11-01T10:36:55.736Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg delete key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'Response Body
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "reg delete key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:36:55Z",
"finish_time": "2021-11-01T10:36:55.736Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.registry - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# delete the registry key
live_response.delete_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Return the subkeys of the specified registry key.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - READ
Request/Response Body - application/json
Request Body
{
"name": "reg enum key",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123506789/ABCD123506"
Content-Type: "application/json"Request Body
{
"name": "reg enum key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 2,
"name": "reg enum key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg enum key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:26:04Z",
"finish_time": "2021-11-01T11:26:04.548Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg enum key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'Response Body
{
"status": "PENDING",
"values": [],
"id": 2,
"name": "reg enum key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg enum key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:26:04Z",
"finish_time": "2021-11-01T11:26:04.548Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.registry - FIXME
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
live_response.list_registry_values('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')Result
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Return the data in the specified registry value
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - READ
Request/Response Body - application/json
Request Body
{
"name": "reg query value",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123516789/ABCD123516"
Content-Type: "application/json"Request Body
{
"name": "reg query value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}Response Body
{
"status": "PENDING",
"values": [],
"id": 6,
"name": "reg query value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg query value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:37:52Z",
"finish_time": "2021-11-01T11:37:52.660Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123516789/ABCD123516' \
-d '{ "name": "reg query value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'Response Body
{
"status": "PENDING",
"values": [],
"id": 6,
"name": "reg query value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg query value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:37:52Z",
"finish_time": "2021-11-01T11:37:52.660Z"
}Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
live_response.get_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')Result
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Update the data in the specified registry value
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - UPDATE
Request/Response Body - application/json
Request Body
{
"name": "reg set value",
"path": "<string>",
"value_data": "<string>",
"value_type": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123526789/ABCD123526"
Content-Type: "application/json"Request Body
{
"name": "reg set value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"value_data": "check_val",
"value_type": "pbREG_NONE"
}Response Body
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg set value",
"registry_data": null
},
"values": [],
"id": 9,
"name": "reg set value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"value_type": "REG_NONE",
"name": "reg set value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:45:43Z",
"finish_time": "2021-11-01T11:45:43.159Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123526789/ABCD123526' \
-d '{ "name": "reg set value", "value_data": "check_val", "value_type": "pbREG_NONE" }'Response Body
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg set value",
"registry_data": null
},
"values": [],
"id": 9,
"name": "reg set value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"value_type": "REG_NONE",
"name": "reg set value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:45:43Z",
"finish_time": "2021-11-01T11:45:43.159Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.registry - READ, UPDATE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
live_response.set_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example', 1)
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Delete the specified registry value
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.registry - DELETE
Request/Response Body - application/json
Request Body
{
"name": "reg delete value",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123536789/ABCD123536"
Content-Type: "application/json"Request Body
{
"name": "reg delete value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}Response Body
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg delete value",
"registry_data": null
},
"values": [],
"id": 15,
"name": "reg delete value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:53:07Z",
"finish_time": "2021-11-01T11:53:07.469Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123536789/ABCD123536' \
-d '{ "name": "reg delete value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'Response Body
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg delete value",
"registry_data": null
},
"values": [],
"id": 15,
"name": "reg delete value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:53:07Z",
"finish_time": "2021-11-01T11:53:07.469Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.registry - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
live_response.delete_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Description
RBAC Permissions Required
Request/Response Body - application/json
Examples
As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Dump the kernel memory of the remote device into a specified file. The path parameter indicates where on the remote device the file will be created. The API call will automatically create the file if it does not exist.
To get the details like the status or result code of the memdump, you need to make a Retrieve Command Status with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
RBAC Permissions Required
org.liveresponse.memdump - READ
Request/Response Body - application/json
Request Body
{
"name": "memdump",
"path": "<string>"
}Response Body
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"mem_dump": {
"percentdone": integer,
"return_code": integer
}
}Examples
Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commandsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123546789/ABCD123546"
Content-Type: "application/json"Request Body
{
"name": "memdump",
"path": "C:\\demo\\memdup.txt"
}Response Body
{
"status": "PENDING",
"values": [],
"mem_dump": {
"compressing": false,
"complete": false,
"dumping": false,
"return_code": 0,
"percentdone": 0
},
"id": 1,
"name": "memdump",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "memdump",
"object": "C:\\demo\\memdup.txt"
},
"create_time": "2021-06-13T20:26:30Z",
"finish_time": "2021-06-13T20:26:30.367Z"
}Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123546789/ABCD123546' \
-d '{ "name": "memdump", "path": "c:\\demo\\memdup.txt" }'Response Body
{
"status": "PENDING",
"values": [],
"mem_dump": {
"compressing": false,
"complete": false,
"dumping": false,
"return_code": 0,
"percentdone": 0
},
"id": 1,
"name": "memdump",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "memdump",
"object": "C:\\demo\\memdup.txt"
},
"create_time": "2021-06-13T20:26:30Z",
"finish_time": "2021-06-13T20:26:30.367Z"
}As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.
RBAC Permissions Required
org.liveresponse.memdump - READ
org.liveresponse.file - READ, DELETE
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# run the memdump command and save the content in a specified file
memdump = live_response.start_memdump("C:\\demo\\memdump.txt")Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successful Response | application/json | Example response below |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled or Too Many Commands | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Retrieve Command Status
Retrieve the results of the command requested in Issue Command call.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.session |
READ |
org.liveresponse.process |
READ |
org.liveresponse.registry |
READ |
org.liveresponse.file |
READ |
org.liveresponse.memdump |
READ |
For the environments where identity is managed in VMware Cloud Services use the following permissions:
| Permission (.notation name) | Operation(s) |
|---|---|
_API.Live.Response:org.Liveresponse.Session |
READ |
_API.Live.Response:org.Liveresponse.Process |
READ |
_API.Live.Response:org.Liveresponse.Registry |
READ |
_API.Live.Response:org.Liveresponse.File |
READ |
_API.Live.Response:org.Liveresponse.Memdump |
READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Query Parameters
| Field | Required |
|---|---|
wait |
No |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | application/json | Example response below | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found or Command Not Found | application/json | |
Example
Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1 \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}Cancel Command
Cancel Live Response Command if the status is PENDING.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.liveresponse.process |
DELETE |
org.liveresponse.registry |
DELETE |
org.liveresponse.file |
DELETE |
org.liveresponse.memdump |
READ |
For the environments where identity is managed in VMware Cloud Services use the following permissions:
| Permission (.notation name) | Operation(s) |
|---|---|
_API.Live.Response:org.Liveresponse.Process |
DELETE |
_API.Live.Response:org.Liveresponse.Registry |
DELETE |
_API.Live.Response:org.Liveresponse.File |
DELETE |
_API.Live.Response:org.Liveresponse.Memdump |
READ |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | application/json | Example response below | |
| 400 | Invalid Command or Input Validation Error | application/json | |
| 401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
| 403 | Live Response Not Enabled | application/json | |
| 404 | Org Not Found or Sensor Not Found | application/json | |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"Response Body
{
"status": "CANCELLED",
"values": [],
"id": 10,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 1,
"file_id": "32b33455-7450-4858-898c-51e1f17aca12",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T11:48:10Z",
"finish_time": "2021-10-29T11:48:14Z"
}Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10 \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'Response Body
{
"status": "CANCELLED",
"values": [],
"id": 10,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 1,
"file_id": "32b33455-7450-4858-898c-51e1f17aca12",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T11:48:10Z",
"finish_time": "2021-10-29T11:48:14Z"
}Fields
You can find field definitions and more details for all request and response fields here.