Live Response API


Overview

Live Response is a feature that’s available across all products on the Carbon Black Cloud. Live Response allows security operators to collect information and take action on remote endpoints in real time. These actions include uploading, downloading, and removing files; retrieving and removing registry entries; dumping the contents of physical memory; and executing and terminating processes.

The Live Response API is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.

All Live Response API requests except Start Session and Get All Sessions require an active “session”. Requests that require a session id return an error if no session has been established or the session has timed out. A device with an active session keeps an open connection to the Carbon Black Cloud until the session times out or is closed with the Close Session call. See the Session Management section for details on “sessions”.

If you use a previous version of the Live Response APIs, see this document for details of what has changed and how to migrate to v6.

Note: There is a known issue where the enumerated values of the status field on the following API requests, handled by the /commands endpoint, are returned in lower case. A near-term release will change this to upper case. We recommend case-insensitive matching on the returned values of the status field. Further information is available here.

  • Get Commands List
  • Issue Command
  • Retrieve Command Status
  • Cancel Command

Use Cases

Live Response provides analysts with direct access to the endpoint during Alert Triage or Incident Response.

  • Gather context:
    • Determine if a malicious process is still running
    • Get the content of a file or registry key
    • Upload, execute, and get the results of a forensic toolkit
  • Take action and remediate:
    • Kill a malicious process
    • Delete a malicious file

In addition to Incident Response, Live Response can be used for IT Operations use cases including:

  • Executing and retrieving memory dumps of poorly performing processes
  • Remotely managing endpoints through command-line access

Requirements

  • At least one Carbon Black Cloud product
  • Device with Live Response enabled
  • All API calls require an API key with appropriate permissions (see Authentication)

Authentication

  • Access Level: Before you create your API Key, you need to create a “Custom” Access Level:

    • For the category Session Management:
      Allow full permissions for each notation or see each call below for individual requirements.

      • “org.liveresponse.session”, allow permission to CREATE, READ, UPDATE, DELETE
    • For the category File Management:
      Allow full permissions for each notation or see each call below for individual requirements.

      • “org.liveresponse.file”, allow permission to CREATE, READ, DELETE
    • For the category Command Endpoint:
      Allow full permissions for each notation or see each call below for individual requirements.

      • “org.liveresponse.session”, allow permission to READ
      • “org.liveresponse.process”, allow permission to READ, EXECUTE, DELETE
      • “org.liveresponse.file”, allow permission to READ, CREATE, DELETE
      • “org.liveresponse.registry”, allow permission to CREATE, READ, UPDATE, DELETE
      • “org.liveresponse.memdump”, allow permission to READ

Quick Start

Use the Start Session and Issue Command calls to send the directory list command to an endpoint. Then use the Retrieve Command Status call to get the results of the command requested in Issue Command.


1. Start Session

To send commands to an endpoint, first establish a “session” with a device. A device with an active session keeps an open connection to the Carbon Black Cloud until the session times out or is closed with the Close Session call. All Live Response requests except Start Session and Get All Sessions require a valid session id.
For more details on "sessions", go to the Session Management section.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"

Request Body
{
  "device_id": 8612331
}

Response Body
{
    "id": "1923756:8612331",
    "device_id": 8612331,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "PENDING",
    "current_command_index": 0,
    "create_time": "2021-04-07T17:49:58.792Z",
    "device_check_in_time": "2021-04-07T17:49:58.793Z"
}

2. Issue Command - directory list

The Issue Command request accepts a number of different body parameters depending on the requested command.
For a full list of the supported commands and their parameters, go to the Issue Command section.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"

Request Body
{
  "name": "directory list",
  "path": "c:\\Windows\\"
}

Response Body
{
    "values": [],
    "id": 4,
    "name": "directory list",
    "result_code": 0,
    "result_desc": "",
    "status": "PENDING",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "directory list",
        "object": "c:\\Windows\\"
    },
    "create_time": "2021-04-08T11:07:57Z",
    "finish_time": "2021-04-08T11:07:57.433Z"
}

3. Retrieve Command Status

Retrieve the results of the command requested in Issue Command with the Retrieve Command Status call.

Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/4

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
{
  "values": [],
  "id": 4,
  "name": "directory list",
  "result_code": 0,
  "result_type": "WinHresult",
  "result_desc": "",
  "status": "COMPLETE",
  "sub_keys": [],
  "files": [
    {
      "size": 11264,
      "attributes": [
        "ARCHIVE"
      ],
      "filename": "write.exe",
      "alternate_name": "",
      "create_time": "2018-09-15T07:12:55Z",
      "last_access_time": "2018-09-15T07:12:55Z",
      "last_write_time": "2018-09-15T07:12:55Z"
    }
  ],
  "input": {
    "name": "directory list",
    "object": "c:\\Windows\\"
  },
  "create_time": "2021-04-08T11:07:57Z",
  "finish_time": "2021-04-08T11:07:57Z"
}

API Calls

Session Management

All interaction with endpoints must occur in the context of a session. The correct flow is:

  1. Start Session using Start Session API call
  2. Perform required actions
  3. Close Session using Close Session API call

Existing sessions can be found by their id with Get Session by ID, or by returning a list of all available sessions with Get All Sessions. Each session keeps an open connection to the Carbon Black Cloud for as long as it is active. Sessions are kept alive for a timeout period and terminated once it expires. This period is 15 minutes, unless a Get Session by ID or Issue Command call is made, which resets the timeout. The session can be closed before the timeout expires with the Close Session call. Only one session per device can be active at a time, but that session can be used by multiple callers.
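Added example (not Carbon Black's code, and not from this page): a small Python client that runs the Quick Start flow inside the session lifecycle described above, starting a session, waiting for it to become ACTIVE, issuing directory list, polling Retrieve Command Status with case-insensitive status matching (per the Note in the Overview), and closing the session in a finally block even when the command fails. The hostname, org key and API token are placeholders copied from the page's examples; the fake transport and its canned replies are constructed so the flow runs offline.

```python
import json, time, urllib.error, urllib.request

CBC_HOSTNAME = "https://defense-eap01.conferdeploy.net"  # placeholder, from the page's examples
ORG_KEY = "ABCD1234"                                     # placeholder
API_TOKEN = "ABCD1234/DEFG12354"                         # placeholder

class LiveResponseError(Exception):
    """Raised on any 4xx/5xx reply or on a command that did not COMPLETE cleanly."""

def http_transport(method, url, body):
    # Real transport: (method, url, JSON bytes or None) -> (status, raw bytes).
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("X-AUTH-TOKEN", API_TOKEN)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class LiveResponseClient:
    # Thin wrapper over the v6 session and command endpoints shown on the page.
    def __init__(self, hostname, org_key, transport=http_transport):
        self.base = f"{hostname}/appservices/v6/orgs/{org_key}/liveresponse"
        self.transport = transport
    def _call(self, method, path, payload=None):
        body = None if payload is None else json.dumps(payload).encode()
        status, raw = self.transport(method, self.base + path, body)
        if status >= 400:
            raise LiveResponseError(status, raw.decode(errors="replace"))
        return json.loads(raw) if raw else None  # 204 No Content -> None
    def start_session(self, device_id):
        return self._call("POST", "/sessions", {"device_id": device_id})
    def get_session(self, session_id):  # also refreshes the 15-minute session timeout
        return self._call("GET", f"/sessions/{session_id}")
    def issue_command(self, session_id, command):
        return self._call("POST", f"/sessions/{session_id}/commands", command)
    def get_command(self, session_id, command_id):
        return self._call("GET", f"/sessions/{session_id}/commands/{command_id}")
    def close_session(self, session_id):
        self._call("DELETE", f"/sessions/{session_id}")

def status_is(obj, *expected):
    # Case-insensitive match: the page notes /commands may return lower-case statuses.
    return str(obj.get("status", "")).upper() in expected

def wait_until(fetch, done, timeout_s, poll_s, sleep=time.sleep):
    deadline = time.monotonic() + timeout_s
    while True:  # poll fetch() until done(result) holds or the deadline passes
        result = fetch()
        if done(result):
            return result
        if time.monotonic() >= deadline:
            raise TimeoutError(f"gave up; last status={result.get('status')!r}")
        sleep(poll_s)

def list_directory(client, device_id, path, timeout_s=120, poll_s=2, sleep=time.sleep):
    """Start Session -> wait ACTIVE -> directory list -> poll -> Close Session."""
    session_id = client.start_session(device_id)["id"]
    try:
        wait_until(lambda: client.get_session(session_id),
                   lambda s: status_is(s, "ACTIVE"), timeout_s, poll_s, sleep)
        cmd = client.issue_command(session_id, {"name": "directory list", "path": path})
        # COMPLETE and CANCELLED are the terminal statuses shown on the page; anything else keeps polling
        result = wait_until(lambda: client.get_command(session_id, cmd["id"]),
                            lambda c: status_is(c, "COMPLETE", "CANCELLED"),
                            timeout_s, poll_s, sleep)
        if not status_is(result, "COMPLETE") or result["result_code"] != 0:
            raise LiveResponseError(result["status"], result.get("result_desc", ""))
        return [f["filename"] for f in result["files"]]
    finally:
        client.close_session(session_id)  # never leave the endpoint's connection open

def make_fake_transport(log, final_status="complete"):
    # Constructed offline stand-in replaying the page's sample replies; command statuses lower-case on purpose.
    polls = {"session": 0, "cmd": 0}
    def transport(method, url, body):
        log.append(method)
        if method == "POST" and url.endswith("/sessions"):
            return 201, b'{"id": "1923756:8612331", "device_id": 8612331, "status": "PENDING"}'
        if method == "GET" and url.endswith("/sessions/1923756:8612331"):
            polls["session"] += 1
            return 200, json.dumps({"status": "ACTIVE" if polls["session"] > 1 else "PENDING"}).encode()
        if method == "POST" and url.endswith("/commands"):
            return 200, b'{"id": 4, "name": "directory list", "status": "pending", "result_code": 0}'
        if method == "GET" and url.endswith("/commands/4"):
            polls["cmd"] += 1
            files = [{"filename": "write.exe", "size": 11264}] if polls["cmd"] > 1 else []
            return 200, json.dumps({"id": 4, "status": final_status if files else "pending",
                                    "result_code": 0, "files": files}).encode()
        return (204, b"") if method == "DELETE" else (404, b'{"error_code": "NotFound"}')
    return transport

def demo(final_status="complete"):
    # Run the flow offline; returns (filenames or None on failure, HTTP methods sent).
    log = []
    client = LiveResponseClient(CBC_HOSTNAME, ORG_KEY, make_fake_transport(log, final_status))
    try:
        return list_directory(client, 8612331, "c:\\Windows\\", sleep=lambda _: None), log
    except LiveResponseError:
        return None, log
```

Swap `make_fake_transport(...)` for the default `http_transport` and real values to run it against a tenant; the DELETE at the end of the log is the Close Session call that the finally block guarantees.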


Start Session

Creates a new Live Response session for the specific device. The returned session id is required by all other requests in this API except Get All Sessions. This session is kept alive for a timeout period of 15 minutes, unless a Get Session by ID or Issue Command call is made, which resets the timeout. The session can be closed before the timeout expires with the Close Session call.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session CREATE


Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions


Request Body - application/json

{
  "device_id": integer
}


Body Schema

Field      Definition                                      Data Type  Values
device_id  (REQUIRED) Device id to start the session for   Integer    N/A


Response Status Codes

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"

Request Body
{
  "device_id": 8612331
}

Response Body
{
    "id": "1923756:8612331",
    "device_id": 8612331,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "PENDING",
    "current_command_index": 0,
    "create_time": "2021-04-07T17:49:58.792Z",
    "device_check_in_time": "2021-04-07T17:49:58.793Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
  -X POST \
  -H "X-Auth-Token: ABCD1234/DEFG1234" \
  -H "Content-Type: application/json" \
  -d '{"device_id": 8612331}'

Response Body
{
    "id": "1923756:8612331",
    "device_id": 8612331,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "PENDING",
    "current_command_index": 0,
    "create_time": "2021-04-07T17:49:58.792Z",
    "device_check_in_time": "2021-04-07T17:49:58.793Z"
}

Get Session by ID

Retrieve a Live Response session by id. This call refreshes the 15-minute timeout of the “session” created by the Start Session request.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
{
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
        "put file",
        "get file",
        "memdump",
        "create directory",
        "delete file",
        "directory list",
        "reg enum key",
        "reg query value",
        "reg create key",
        "reg delete key",
        "reg delete value",
        "reg set value",
        "process list",
        "kill",
        "create process"
    ],
    "drives": [
        "A:\\",
        "C:\\",
        "D:\\"
    ],
    "id": "1923756:8612331",
    "device_id": 8612331,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-04-07T18:01:28.690Z",
    "device_check_in_time": "2021-04-07T18:01:22.672Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331 \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
{
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
        "put file",
        "get file",
        "memdump",
        "create directory",
        "delete file",
        "directory list",
        "reg enum key",
        "reg query value",
        "reg create key",
        "reg delete key",
        "reg delete value",
        "reg set value",
        "process list",
        "kill",
        "create process"
    ],
    "drives": [
        "A:\\",
        "C:\\",
        "D:\\"
    ],
    "id": "1923756:8612331",
    "device_id": 8612331,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-04-07T18:01:28.690Z",
    "device_check_in_time": "2021-04-07T18:01:22.672Z"
}

Get All Sessions

Get all Live Response sessions.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
204 Successful Response with empty response body when no active sessions present N/A N/A
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
[
    {
        "current_working_directory": "C:\\Windows\\system32",
        "supported_commands": [
            "put file",
            "get file",
            "memdump",
            "create directory",
            "delete file",
            "directory list",
            "reg enum key",
            "reg query value",
            "reg create key",
            "reg delete key",
            "reg delete value",
            "reg set value",
            "process list",
            "kill",
            "create process"
        ],
        "drives": [
            "A:\\",
            "C:\\",
            "D:\\"
        ],
        "id": "1923756:8612331",
        "device_id": 8612331,
        "check_in_timeout": 900,
        "session_timeout": 900,
        "status": "ACTIVE",
        "current_command_index": 0,
        "create_time": "2021-04-07T18:05:04.821Z",
        "device_check_in_time": "2021-04-07T18:04:55.117Z"
    }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
[
    {
        "current_working_directory": "C:\\Windows\\system32",
        "supported_commands": [
            "put file",
            "get file",
            "memdump",
            "create directory",
            "delete file",
            "directory list",
            "reg enum key",
            "reg query value",
            "reg create key",
            "reg delete key",
            "reg delete value",
            "reg set value",
            "process list",
            "kill",
            "create process"
        ],
        "drives": [
            "A:\\",
            "C:\\",
            "D:\\"
        ],
        "id": "1923756:8612331",
        "device_id": 8612331,
        "check_in_timeout": 900,
        "session_timeout": 900,
        "status": "ACTIVE",
        "current_command_index": 0,
        "create_time": "2021-04-07T18:05:04.821Z",
        "device_check_in_time": "2021-04-07T18:04:55.117Z"
    }
]

Close Session

Close the Live Response session before the session’s 15-minute timeout expires.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session DELETE

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}

Response

Code Description Content-Type Content
204 N/A N/A
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
No Content

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331 \
  -X DELETE \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
No Content

Disable Live Response

Permanently disables the Live Response feature in the sensor of the requested device(s).

Note: This action cannot be undone. You must reinstall the sensor to restore Live Response.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse DELETE

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill

Request Body - application/json

[ integer ]

Body Schema

Field  Definition                                     Data Type  Values
N/A    Array of device ids to disable Live Response   Array      [ integer ]

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
404 Org Not Found or Sensor Not Found or File Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"

Request Body
[
  8612331
]

Response Body
{
  "id": "1923756:8612331",
  "device_id": 8612331,
  "create_time": 1502467167,
  "session_timeout": 900,
  "device_check_in_time": "2020-10-01T14:17:21.668Z",
  "check_in_timeout": 900,
  "status": "PENDING",
  "current_command_index": 0,
  "hostname": null,
  "address": "string",
  "os_version": null,
  "current_working_directory": "C:\\",
  "supported_commands": [
    "process list"
  ],
  "drives": [
    "C:\\"
  ]
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill \
  -X POST \
  -H "X-Auth-Token: ABCD1234/DEFG1234" \
  -H "Content-Type: application/json" \
  -d '[8612331]'

Response Body
{
  "id": "1923756:8612331",
  "device_id": 8612331,
  "create_time": 1502467167,
  "session_timeout": 900,
  "device_check_in_time": "2020-10-01T14:17:21.668Z",
  "check_in_timeout": 900,
  "status": "PENDING",
  "current_command_index": 0,
  "hostname": null,
  "address": "string",
  "os_version": null,
  "current_working_directory": "C:\\",
  "supported_commands": [
    "process list"
  ],
  "drives": [
    "C:\\"
  ]
}

File Management

Manage Carbon Black Cloud files associated with a Live Response session.

To upload a file to an endpoint, first upload it to the Carbon Black Cloud within a specific session (Upload File to Carbon Black Cloud). The file can then be placed on one or more endpoints, and managed there, with the Issue Command API call.


Get All Files Metadata

Gets all Carbon Black Cloud files metadata associated with the Live Response session. Returns File objects associated with the session, but not the content of those files. Retrieve file content with the Get File Content call.

There is no defined limit to file size. No issues have been encountered with files over 1GB.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
[
  {
    "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
    "file_name": "test.txt",
    "size": 25600,
    "size_uploaded": 25600
  }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
[
  {
    "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
    "file_name": "test.txt",
    "size": 25600,
    "size_uploaded": 25600
  }
]

Get File Metadata

Retrieve a particular File object by id for a session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
{
  "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
  "file_name": "test.txt",
  "size": 25600,
  "size_uploaded": 25600
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0 \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
{
  "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
  "file_name": "test.txt",
  "size": 25600,
  "size_uploaded": 25600
}

Get File Content

Return the raw contents of the specified file.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/content

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
<string>

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/content \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
<string>

Upload File to Carbon Black Cloud

Upload local file to Carbon Black Cloud through the Live Response session. A timeout may occur when uploading very large files. More information on the timeout period for a session is included in the Session Management section.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file CREATE

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files

Request Body - multipart/form-data

fileName

Response

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Empty File Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "multipart/form-data"

Request Body

Response Body
{
  "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
  "file_name": "test.txt",
  "size": 6,
  "size_uploaded": 0
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files \
  -X POST \
  -H "X-Auth-Token: ABCD1234/DEFG1234" \
  -F file=@/tmp/test.txt

Response Body
{
  "id": "bdbd44f3-b9c8-445f-9a7a-51a0541624e0",
  "file_name": "test.txt",
  "size": 6,
  "size_uploaded": 0
}

Delete File

Delete a file and its contents from Carbon Black Cloud for a Live Response session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file DELETE

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}

Response

Code Description Content-Type Content
204 Successfully deleted the file N/A N/A
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
No Content

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0 \
  -X DELETE \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
No Content

Command Endpoint


Get Commands List

Retrieve all Live Response commands issued in the specific session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ
org.liveresponse.file READ
org.liveresponse.registry READ
org.liveresponse.memdump READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
[
  {
    "values": [],
    "id": 10,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "COMPLETE",
    "sub_keys": [],
    "files": [
      {
        "size": 11264,
        "attributes": [
          "ARCHIVE"
        ],
        "filename": "write.exe",
        "alternate_name": "",
        "create_time": "2018-09-15T07:12:55Z",
        "last_access_time": "2018-09-15T07:12:55Z",
        "last_write_time": "2018-09-15T07:12:55Z"
      }
    ],
    "input": {
      "name": "directory list",
      "object": "c:\\Windows\\"
    },
    "create_time": "2021-04-07T19:43:35Z",
    "finish_time": "2021-04-07T19:43:35Z"
  },
  {
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "CANCELLED",
    "sub_keys": [],
    "files": [
      {
        "size": 0,
        "attributes": [
          "DIRECTORY",
          "NOT_CONTENT_INDEXED"
        ],
        "filename": "System32",
        "alternate_name": "",
        "create_time": "2018-09-15T06:09:26Z",
        "last_access_time": "2021-01-28T21:15:28Z",
        "last_write_time": "2021-01-28T21:15:28Z"
      }
    ],
    "input": {
      "name": "directory list",
      "object": "C:\\Windows\\system32"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
  }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands \
  -X GET \
  -H "X-Auth-Token: ABCD1234/DEFG1234"

Response Body
[
  {
    "values": [],
    "id": 10,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "COMPLETE",
    "sub_keys": [],
    "files": [
      {
        "size": 11264,
        "attributes": [
          "ARCHIVE"
        ],
        "filename": "write.exe",
        "alternate_name": "",
        "create_time": "2018-09-15T07:12:55Z",
        "last_access_time": "2018-09-15T07:12:55Z",
        "last_write_time": "2018-09-15T07:12:55Z"
      }
    ],
    "input": {
      "name": "directory list",
      "object": "c:\\Windows\\"
    },
    "create_time": "2021-04-07T19:43:35Z",
    "finish_time": "2021-04-07T19:43:35Z"
  },
  {
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "CANCELLED",
    "sub_keys": [],
    "files": [
      {
        "size": 0,
        "attributes": [
          "DIRECTORY",
          "NOT_CONTENT_INDEXED"
        ],
        "filename": "System32",
        "alternate_name": "",
        "create_time": "2018-09-15T06:09:26Z",
        "last_access_time": "2021-01-28T21:15:28Z",
        "last_write_time": "2021-01-28T21:15:28Z"
      }
    ],
    "input": {
      "name": "directory list",
      "object": "C:\\Windows\\system32"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
  }
]

Issue Command

Send a Live Response command to the sensor. This call refreshes the 15-minute timeout of the “session” created by the Start Session request.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ, EXECUTE, DELETE
org.liveresponse.registry CREATE, READ, UPDATE, DELETE
org.liveresponse.file CREATE, READ, DELETE
org.liveresponse.memdump READ

Supported Commands and RBAC Permissions Required

Command           Command Definition                                  Permission (.notation name) and Operations
directory list    List contents of directory/folder                   org.liveresponse.file - READ
process list      List all running processes                          org.liveresponse.process - READ
create process    Start a new process                                 org.liveresponse.process - EXECUTE
kill              Terminate a running process                         org.liveresponse.process - DELETE
delete file       Delete file from endpoint                           org.liveresponse.file - DELETE
get file          Start the sequence to download a file               org.liveresponse.file - READ
put file          Upload file to specified directory/folder           org.liveresponse.file - CREATE
create directory  Create directory                                    org.liveresponse.file - CREATE
reg create key    Create a new registry key                           org.liveresponse.registry - CREATE
reg delete key    Delete an existing registry key                     org.liveresponse.registry - DELETE
reg enum key      Return the subkeys of the specified registry key    org.liveresponse.registry - READ
reg query value   Return the data in the specified registry value     org.liveresponse.registry - READ
reg set value     Update the data in the specified registry value     org.liveresponse.registry - UPDATE
reg delete value  Delete the specified registry value                 org.liveresponse.registry - DELETE
memdump           Dump kernel memory on the endpoint                  org.liveresponse.memdump - READ

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands


Request and Response Body - application/json

The Issue Command call accepts any one of the request objects described below; exactly one command object is sent per call.
Details on each command's request and response parameters are in the Schemas section.



directory list
Request Body
{
  "name": "directory list",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "files": [
    {
      "size": integer,
      "attributes": [
        "<string>"
      ],
      "filename": "<string>",
      "alternate_name": "<string>",
      "last_write_time": "<string>",
      "create_time": "<string>",
      "last_access_time": "<string>"
    }
  ]
}

process list
Request Body
{
  "name": "process list"
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "processes": [
    {
      "process_pid": integer,
      "process_path": "<string>",
      "process_cmdline": "<string>",
      "sid": "<string>",
      "process_username": "<string>",
      "parent_pid": integer,
      "parent_create_time": "<string>",
      "process_create_time": "<string>"
    }
  ]
}
              

create process
Request Body
{
  "name": "create process",
  "path": "<string>",
  "output_file": "<string>",
  "wait": boolean
}
              
Response Body
{
  "id": integer,
  "input": {
    "wait": boolean,
    "name": "<string>",
    "working_directory": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "process_details": {
    "pid": integer,
    "return_code": integer
  }
}
              

kill
Request Body
{
  "name": "kill",
  "pid": integer
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": integer
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

delete file
Request Body
{
  "name": "delete file",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

get file
Request Body
{
  "name": "get file",
  "path": "<string>",
  "offset": integer,
  "count": integer
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "file_details": {
    "file_id": "<string>",
    "offset": integer,
    "count": integer
  }
}
              

put file
Request Body
{
  "name": "put file",
  "path": "<string>",
  "file_id": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "file_details": {
    "file_id": "<string>",
    "offset": integer,
    "count": integer
  }
}
              

create directory
Request Body
{
  "name": "create directory",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "create directory",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

reg create key
Request Body
{
  "name": "reg create key",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

reg delete key
Request Body
{
  "name": "reg delete key",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

reg enum key
Request Body
{
  "name": "reg enum key",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "sub_keys": [
    "<string>"
  ],
  "values": [
    {
      "registry_type": "<string>",
      "registry_name": "<string>",
      "registry_data": "<string>"
    }
  ]
}
              

reg query value
Request Body
{
  "name": "reg query value",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "values": [
    {
      "registry_type": "<string>",
      "registry_name": "<string>",
      "registry_data": "<string>"
    }
  ]
}
              

reg set value
Request Body
{
  "name": "reg set value",
  "path": "<string>",
  "value_data": "<string>",
  "value_type": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "value_type": "<string>",
    "name": "<string>",
    "value_data": "<string>",
    "overwrite": boolean,
    "key": "<string>",
    "value_name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

reg delete value
Request Body
{
  "name": "reg delete value",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "value_type": "<string>",
    "name": "<string>",
    "value_data": "<string>",
    "overwrite": boolean,
    "key": "<string>",
    "value_name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}
              

memdump
Request Body
{
  "name": "memdump",
  "path": "<string>"
}
              
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "mem_dump": {
    "percentdone": integer,
    "return_code": integer
  }
}
              

Response

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled or Too Many Commands application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"
Content-Type: "application/json"

Request Body
{
  "name": "directory list",
  "path": "C:\\Temp"
}

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_desc": "",
    "status": "PENDING",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "directory list",
        "object": "C:\\Temp"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08.650Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands \
  -X POST \
  -H 'X-Auth-Token: ABCD1234/DEFG1234' \
  -H 'Content-Type: application/json' \
  -d '{"name": "directory list", "path": "C:\\Temp"}'

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_desc": "",
    "status": "PENDING",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "directory list",
        "object": "C:\\Temp"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08.650Z"
}

Retrieve Command Status

Retrieve the status and, once the command has finished, the results of a command submitted with the Issue Command call.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ
org.liveresponse.registry READ
org.liveresponse.file READ
org.liveresponse.memdump READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}

Query Parameters

Field Required
wait No

Response

Code Description Content-Type Content
200 application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found or Command Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "COMPLETE",
    "sub_keys": [],
    "files": [
        {
            "size": 0,
            "attributes": [
                "DIRECTORY"
            ],
            "filename": ".",
            "alternate_name": "",
            "create_time": "2018-09-15T06:09:26Z",
            "last_access_time": "2021-01-28T21:15:28Z",
            "last_write_time": "2021-01-28T21:15:28Z"
        },
        {
            "size": 0,
            "attributes": [
                "DIRECTORY"
            ],
            "filename": "..",
            "alternate_name": "",
            "last_access_time": "2021-05-06T18:20:28Z",
            "last_write_time": "2021-04-13T15:42:03Z",
            "create_time": "2018-09-15T06:09:26Z"
        },
        {
            "size": 69666,
            "attributes": [
                "ARCHIVE"
            ],
            "filename": "test.jpg",
            "alternate_name": "TEST1.JPG",
            "last_access_time": "2021-04-13T15:42:03Z",
            "last_write_time": "2021-04-13T15:42:03Z",
            "create_time": "2021-04-13T15:42:03Z"
        }
    ],
    "input": {
        "name": "directory list",
        "object": "C:\\Temp"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11 \
  -X GET \
  -H 'X-Auth-Token: ABCD1234/DEFG1234'

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "COMPLETE",
    "sub_keys": [],
    "files": [
        {
            "size": 0,
            "attributes": [
                "DIRECTORY"
            ],
            "filename": ".",
            "alternate_name": "",
            "create_time": "2018-09-15T06:09:26Z",
            "last_access_time": "2021-01-28T21:15:28Z",
            "last_write_time": "2021-01-28T21:15:28Z"
        },
        {
            "size": 0,
            "attributes": [
                "DIRECTORY"
            ],
            "filename": "..",
            "alternate_name": "",
            "last_access_time": "2021-05-06T18:20:28Z",
            "last_write_time": "2021-04-13T15:42:03Z",
            "create_time": "2018-09-15T06:09:26Z"
        },
        {
            "size": 69666,
            "attributes": [
                "ARCHIVE"
            ],
            "filename": "test.jpg",
            "alternate_name": "TEST1.JPG",
            "last_access_time": "2021-04-13T15:42:03Z",
            "last_write_time": "2021-04-13T15:42:03Z",
            "create_time": "2021-04-13T15:42:03Z"
        }
    ],
    "input": {
        "name": "directory list",
        "object": "C:\\Temp"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
}

Cancel Command

Cancel a Live Response command while its status is still PENDING.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.process DELETE
org.liveresponse.registry DELETE
org.liveresponse.file DELETE
org.liveresponse.memdump READ

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}

Response

Code Description Content-Type Content
200 application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11

Request Headers
X-AUTH-TOKEN: "ABCD1234/DEFG12354"

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "CANCELLED",
    "sub_keys": [],
    "files": [
        {
            "size": 0,
            "attributes": [
                "DIRECTORY",
                "NOT_CONTENT_INDEXED"
            ],
            "filename": "System32",
            "alternate_name": "",
            "create_time": "2018-09-15T06:09:26Z",
            "last_access_time": "2021-01-28T21:15:28Z",
            "last_write_time": "2021-01-28T21:15:28Z"
        }
    ],
    "input": {
        "name": "directory list",
        "object": "C:\\Windows\\system32"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1923756:8612331/commands/11 \
  -X DELETE \
  -H 'X-Auth-Token: ABCD1234/DEFG1234'

Response Body
{
    "values": [],
    "id": 11,
    "name": "directory list",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "status": "CANCELLED",
    "sub_keys": [],
    "files": [
        {
            "size": 0,
            "attributes": [
                "DIRECTORY",
                "NOT_CONTENT_INDEXED"
            ],
            "filename": "System32",
            "alternate_name": "",
            "create_time": "2018-09-15T06:09:26Z",
            "last_access_time": "2021-01-28T21:15:28Z",
            "last_write_time": "2021-01-28T21:15:28Z"
        }
    ],
    "input": {
        "name": "directory list",
        "object": "C:\\Windows\\system32"
    },
    "create_time": "2021-04-07T19:44:08Z",
    "finish_time": "2021-04-07T19:44:08Z"
}
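
The three calls above form one asynchronous procedure: issue a command, poll its status by command ID until it reaches a terminal state, and cancel it if it never gets there. The following is an added example written for this page, not code from the Carbon Black Cloud documentation or SDK. It uses the v6 paths, headers and JSON fields documented above; the hostname, org key, session id and token are placeholders, and FakeSensorTransport is a constructed stand-in for the API so the polling logic runs offline. It compares status values case-insensitively because of the known issue noted at the top of the page, and it treats a non-zero result_code as a failure even when status is COMPLETE.

```python
"""Issue a Live Response command and poll it to a terminal state (added example)."""
import json
import time
import urllib.request

# Terminal statuses from the Generic Command Response schema. The page notes
# that /commands may return status in lower case, so always compare upper-cased.
TERMINAL_STATUSES = {"COMPLETE", "ERROR", "CANCELLED"}


class CommandError(RuntimeError):
    """The command reached a terminal state other than a clean COMPLETE."""


def http_transport(base_url, token):
    """Build a transport that sends real requests; token is the API secret/ID pair."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


class LiveResponseCommands:
    """Issue, poll and cancel commands inside an already established session."""

    def __init__(self, transport, org_key, session_id):
        self._send = transport
        self._commands = (f"/appservices/v6/orgs/{org_key}"
                          f"/liveresponse/sessions/{session_id}/commands")

    def issue(self, command):
        return self._send("POST", self._commands, command)            # Issue Command

    def status(self, command_id):
        return self._send("GET", f"{self._commands}/{command_id}")     # Retrieve Command Status

    def cancel(self, command_id):
        return self._send("DELETE", f"{self._commands}/{command_id}")  # Cancel Command

    def run(self, command, timeout=60.0, interval=1.0,
            clock=time.monotonic, sleep=time.sleep):
        """Issue `command`, poll until terminal, cancel it if `timeout` elapses."""
        result = self.issue(command)
        command_id = result["id"]
        deadline = clock() + timeout
        while result.get("status", "").upper() not in TERMINAL_STATUSES:
            if clock() >= deadline:
                self.cancel(command_id)
                raise TimeoutError(f"command {command_id} not finished after {timeout}s; cancelled")
            sleep(interval)
            result = self.status(command_id)
        # status says whether the sensor finished the command; result_code says
        # whether the operation on the endpoint itself succeeded. Check both.
        if result["status"].upper() != "COMPLETE" or result.get("result_code", 0) != 0:
            raise CommandError(f"command {command_id} {result['status']}: "
                               f"result_code={result.get('result_code')} {result.get('result_desc', '')}")
        return result


class FakeSensorTransport:
    """Constructed stand-in for the API: RUNNING for `pending_polls` GETs, then `final`.

    Statuses are returned in lower case to mirror the known issue documented above.
    """

    def __init__(self, pending_polls=2, final=None):
        self.pending_polls = pending_polls
        self.polls = 0
        self.cancelled = False
        self.final = final or {          # shaped like the directory list example above
            "status": "complete", "result_code": 0, "result_type": "WinHresult",
            "files": [{"size": 69666, "attributes": ["ARCHIVE"], "filename": "test.jpg"}],
        }
        self._command = None

    def __call__(self, method, path, body=None):
        if method == "POST":
            self._command = {"id": 11, "name": body["name"], "status": "pending",
                             "result_code": 0, "files": [],
                             "input": {"name": body["name"], "object": body.get("path")}}
            return dict(self._command)
        if method == "DELETE":
            self.cancelled = True
            return {**self._command, "status": "cancelled"}
        self.polls += 1
        if self.polls <= self.pending_polls:
            return {**self._command, "status": "running"}
        return {**self._command, **self.final}


def list_directory_offline(path="C:\\Temp"):
    """Run a directory list against the fake transport; returns the file names seen."""
    lr = LiveResponseCommands(FakeSensorTransport(), "ABCD1234", "1923756:8612331")
    result = lr.run({"name": "directory list", "path": path}, sleep=lambda _: None)
    return [f["filename"] for f in result["files"]]


if __name__ == "__main__":
    print(list_directory_offline())
```

Against a real tenant, replace the fake with `http_transport("https://defense-eap01.conferdeploy.net", "<secret>/<id>")` and use a session id obtained from Start Session. Cancelling on timeout matters operationally: an abandoned PENDING command still counts toward the per-session command limit behind the 403 "Too Many Commands" response, and a command that later runs unattended (a `kill` or `delete file`) is a change on the endpoint nobody is watching.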

Schemas

Command Body

directory list

Field Definition Data Type Values
name
REQUIRED
Command being issued String directory list
path
REQUIRED
Full path to the directory on the remote device String N/A

process list

Field Definition Data Type Values
name
REQUIRED
Command being issued String process list

create process

Field Definition Data Type Values
name
REQUIRED
Command being issued String create process
path
REQUIRED
The path and command line of the executable on the remote device String N/A
output_file
REQUIRED
Full path to existing file where process output should be redirected String N/A
wait
REQUIRED
Whether the command should wait for the process to complete before it is reported finished Boolean N/A

kill

Field Definition Data Type Values
name
REQUIRED
Command being issued String kill
pid
REQUIRED
PID of the process to kill Integer N/A

delete file

Field Definition Data Type Values
name
REQUIRED
Command being issued String delete file
path
REQUIRED
Full path to the local file on the remote device String N/A

get file

Field Definition Data Type Values
name
REQUIRED
Command being issued String get file
path
REQUIRED
Full path to the file on the remote device String N/A
offset
REQUIRED
Offset from the start of the file Integer N/A
count
REQUIRED
Number of bytes to read Integer N/A

put file

Field Definition Data Type Values
name
REQUIRED
Command being issued String put file
path
REQUIRED
Full path to the file on the remote device String N/A
file_id
REQUIRED
File id retrieved from the Upload File to Carbon Black Cloud API call String N/A

create directory

Field Definition Data Type Values
name
REQUIRED
Command being issued String create directory
path
REQUIRED
Full path of the directory to be created on the remote device String N/A

reg create key

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg create key
path
REQUIRED
Full path to the key in the registry on the remote device String N/A

reg delete key

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg delete key
path
REQUIRED
Full path to the key in the registry on the remote device String N/A

reg enum key

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg enum key
path
REQUIRED
Full path to the key in the registry on the remote device String N/A

reg query value

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg query value
path
REQUIRED
Full path to the value in the registry on the remote device String N/A

reg set value

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg set value
path
REQUIRED
Full path to the value in the registry on the remote device String N/A
value_data
REQUIRED
Value of the new registry value String N/A
value_type
REQUIRED
Type of the new registry value String pbREG_NONE, pbREG_SZ, pbREG_EXPAND_SZ, pbREG_BINARY, pbREG_DWORD, pbREG_DWORD_BIG_ENDIAN, pbREG_MULTI_SZ, pbREG_QWORD

reg delete value

Field Definition Data Type Values
name
REQUIRED
Command being issued String reg delete value
path
REQUIRED
Full path to the value in the registry on the remote device String N/A

memdump

Field Definition Data Type Values
name
REQUIRED
Command being issued String memdump
path
REQUIRED
Full path to file on the remote device where the memory will be dumped. If the file exists, its content will be overwritten, else the file will be created String N/A

Generic Command Response

Field Definition Data Type Values
id
REQUIRED
Id of issued command Integer N/A
input
REQUIRED
Command input containing more information based on the command submitted Object Command Response Schemas
name
REQUIRED
Command being issued as it was submitted by the create command request String Supported: directory list, process list, create process, kill, delete file, get file, put file, create directory, reg create key, reg delete key, reg enum key, reg query value, reg set value, reg delete value, memdump
create_time
REQUIRED
ISO 8601 String N/A
finish_time
REQUIRED
ISO 8601 String N/A
result_code
REQUIRED
Set to zero for successful execution, non-zero for errors Integer default: 0
result_desc
REQUIRED
Result Description String N/A
status
REQUIRED
Issued command status String Supported: PENDING, RUNNING, COMPLETE, ERROR, CANCELLED
CommandObject Response body for the specific issued command Object Command Response Schemas

Command Response

directory list

Field Definition Data Type Values
files List of file objects within specified directory Array files Schema

process list

Field Definition Data Type Values
processes List of process objects Array processes Schema

create process

Field Definition Data Type Values
process_details Details of listed process Object process_details Schema

get file

Field Definition Data Type Values
file_details Object containing file details Object file_details Schema

reg enum key

Field Definition Data Type Values
sub_keys Names of the sub keys of the specified key Array N/A
values Values Array values Schema

reg query value

Field Definition Data Type Values
value Query value Object value Schema

memdump

Field Definition Data Type Values
mem_dump Details of issued memdump Object mem_dump Schema

Miscellaneous

files

Field Definition Data Type Values
filename File name String N/A
size File size in bytes Integer N/A
attributes File attributes Array N/A
last_access_time Last time file was accessed String N/A
last_write_time Last time file was modified String N/A
alternate_name File alternate name String N/A
create_time File create time String N/A

processes

Field Definition Data Type Values
process_pid Process id Integer N/A
process_cmdline Process command line String N/A
parent_pid Process id of parent process Integer N/A
process_username Process username String N/A
process_path Process path String N/A
process_create_time Process create time String N/A
sid Security id String N/A

process_details

Field Definition Data Type Values
pid Process id Integer N/A
return_code Return code Integer N/A

file_details

Field Definition Data Type Values
file_id File id: for get file, the id of the file staged for download from the Carbon Black Cloud; for put file, the id retrieved from the Upload File to Carbon Black Cloud API call String N/A
offset Offset from the start of the file Integer N/A
count Number of bytes to read Integer N/A

values

Field Definition Data Type Values
registry_type Registry type String N/A
registry_name Registry name String N/A
registry_data Registry data String N/A

value

Field Definition Data Type Values
registry_type Registry type String N/A
registry_name Registry name String N/A
registry_data Registry data String N/A

mem_dump

Field Definition Data Type Values
percentdone Percent done of memdump Integer N/A
return_code Return code Integer N/A
Last modified on May 25, 2021