Live Response is a feature that’s available across all products on the Carbon Black Cloud. Live Response allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.
The Live Response API is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.
All Live Response API requests except Start Session and Get All Sessions require an active “session”. Requests that require a session id return errors if no session has been established or the session has timed out. A device with an active session keeps an open connection to the Carbon Black Cloud for as long as the session has neither timed out nor been closed with a Close Session call. See the Session Management section for details on “sessions”.
The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
If you use a previous version of the Live Response APIs, see this document for details of what has changed and how to migrate to v6.
Live Response provides Analysts with direct access to the endpoint during Alert Triage or Incident Response
In addition to Incident Response, Live Response can be used for IT Operations use cases including:
Use the following information for authentication, and see the Carbon Black Cloud Authentication Guide for full instructions.
Create, Read, Update, Delete, Execute, Update
(or see each call below for individual requirements)
CREATE, READ, UPDATE, DELETE
CREATE, READ, DELETE
READ, EXECUTE, DELETE
CREATE, READ, UPDATE, DELETE
READ
appservices/v6/orgs/{org_key}/liveresponse
Quick Start guides follow entire workflows for common scenarios on how you can use Live Response API.
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"device_id": 11412673
}
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-27T09:45:02.191Z",
"device_check_in_time": "2021-10-27T09:45:01.608Z"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "create directory",
"path": "C:\\demo"
}
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/5
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"status": "COMPLETE",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"create_time": "2021-10-27T12:20:11Z",
"finish_time": "2021-10-27T12:20:11Z"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"
N/A
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 1,
"file_name": "example_file.txt",
"size_fileed": 1,
"upload_url": null
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123466789/ABCD123466"
Content-Type: "application/json"
{
"name": "put file",
"path": "C:\\demo\\example_file.txt",
"file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba"
}
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "put file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"finish_time": "2021-10-27T09:43:07.809Z",
"create_time": "2021-10-27T09:43:07Z"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"device_id": 11412673
}
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-27T09:45:02.191Z",
"device_check_in_time": "2021-10-27T09:45:01.608Z"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "create process",
"path": "cmd.exe /c dir",
"output_file": "C:\\demo\\output.txt",
"wait": true
}
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 15,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"wait": true,
"name": "create process",
"output_file": "C:\\demo\\output.txt",
"object": "cmd.exe /c dir"
},
"create_time": "2021-10-29T13:47:07Z",
"finish_time": "2021-10-29T13:47:07.732Z"
}
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/15
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"status": "COMPLETE",
"values": [],
"process_details": {
"pid": 3272,
"return_code": 0
},
"id": 15,
"name": "create process",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"wait": true,
"name": "create process",
"output_file": "C:\\demo\\output.txt",
"object": "cmd.exe /c dir"
},
"create_time": "2021-10-29T13:47:07Z",
"finish_time": "2021-10-29T13:47:08Z"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "kill",
"pid": 3272
}
{
"status": "PENDING",
"values": [],
"id": 16,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 3272
},
"create_time": "2021-10-29T13:56:27Z",
"finish_time": "2021-10-29T13:56:28.105Z"
}
All interaction with endpoints must occur in the context of a session. The correct flow is:
Existing sessions can be found by id with Get Session by ID, or by listing all available sessions with Get All Sessions. Each session keeps an open connection to the Carbon Black Cloud for as long as it is active. A session is kept alive for a timeout period of 15 minutes and terminated once that period expires; each Get Session by ID or Issue Command call resets the timeout. The session can be closed before the timeout expires with the Close Session call. Only one session per device can be active at a time, but that session can be used by multiple callers.
Creates a new Live Response session for the specified device. The returned session id is required by all other requests in this API except Get All Sessions. The session is kept alive for a timeout period of 15 minutes; each Get Session by ID or Issue Command call resets the timeout. The session can be closed before the timeout expires with the Close Session call.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | CREATE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Request Body - application/json
{
"device_id": integer
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
device_id (REQUIRED) | Device id to start the session for | Integer | N/A |
Response Status Codes
Code | Description | Content-Type | Content |
---|---|---|---|
201 | Successful Response | application/json | Example response below |
400 | Invalid Command or Input Validation Error | application/json | |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"device_id": 11412673
}
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T08:55:03.535Z",
"device_check_in_time": "2021-10-29T08:54:49.868Z"
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"device_id": 11412673}'
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T08:55:03.535Z",
"device_check_in_time": "2021-10-29T08:54:49.868Z"
}
Retrieve Live Response session by id. This call will refresh the 15-minute timeout of the “session” created by Start Session request.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:02:53.277Z",
"device_check_in_time": "2021-10-29T09:02:52.791Z"
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:02:53.277Z",
"device_check_in_time": "2021-10-29T09:02:52.791Z"
}
Get all Live Response sessions.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
204 | Successful Response with empty response body when no active sessions present | N/A | N/A |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:06:59.186Z",
"device_check_in_time": "2021-10-29T09:06:54.293Z"
}
]
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
[
{
"current_working_directory": "C:\\Windows\\system32",
"supported_commands": [
"put file",
"get file",
"memdump",
"create directory",
"delete file",
"directory list",
"reg enum key",
"reg query value",
"reg create key",
"reg delete key",
"reg delete value",
"reg set value",
"process list",
"kill",
"create process"
],
"drives": [
"A:\\",
"C:\\",
"D:\\"
],
"id": "1234567:11412673",
"device_id": 11412673,
"check_in_timeout": 900,
"session_timeout": 900,
"status": "ACTIVE",
"current_command_index": 0,
"create_time": "2021-10-29T09:06:59.186Z",
"device_check_in_time": "2021-10-29T09:06:54.293Z"
}
]
Close Live Response session before the session’s 15 minute timeout.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | DELETE |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | N/A | N/A | |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
400 | Invalid Command or Input Validation Error | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
No Content
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
No Content
Permanently disables the Live Response feature in the sensor of the requested device(s).
Note: This action cannot be undone. You must reinstall the sensor to restore Live Response.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse | DELETE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill
Request Body - application/json
[ integer ]
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
N/A | Array of device ids to disable Live Response | Array | [ integer ] |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
404 | Org Not Found or Sensor Not Found or File Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
[ 11412673 ]
{
"id": "1234567:11412673",
"device_id": 11412673,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '[11412673]'
{
"id": "1234567:11412673",
"device_id": 11412673,
"create_time": 1502467167,
"session_timeout": 900,
"device_check_in_time": "2020-10-01T14:17:21.668Z",
"check_in_timeout": 900,
"status": "PENDING",
"current_command_index": 0,
"hostname": null,
"address": "string",
"os_version": null,
"current_working_directory": "C:\\",
"supported_commands": [
"process list"
],
"drives": [
"C:\\"
]
}
Manage Carbon Black Cloud files associated with a Live Response session.
To upload a file to an endpoint, it must first be uploaded to the Carbon Black Cloud within a specific session. The file can then be pushed to, and managed on, one or more endpoints with the Issue Command API call.
Gets all Carbon Black Cloud files metadata associated with the Live Response session. Returns File objects associated with the session, but not the content of those files. Retrieve file content with the Get File Content call.
There is no defined limit to file size. No issues have been encountered with files over 1GB.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.file | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
[
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
]
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
[
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
]
Retrieve a particular File object by id for a session.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.file | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
"id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
"size": 6,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
Return the raw contents of the specified file.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.file | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0/content
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
<string>
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea/content \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-o file_to_download_to.txt \
-L
file_to_download_to.txt
Upload local file to Carbon Black Cloud through the Live Response session. A timeout may occur when uploading very large files. More information on the timeout period for a session is included in the Session Management section.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.file | CREATE |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files
Request Body - multipart/form-data
fileName
Response
Code | Description | Content-Type | Content |
---|---|---|---|
201 | Successful Response | application/json | Example response below |
400 | Empty File Error | application/json | |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 0,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: multipart/form-data' \
-F 'file=@example_file.txt'
{
"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
"size": 0,
"file_name": "example_file.txt",
"size_fileed": 0,
"upload_url": null
}
Delete a file and its contents from Carbon Black Cloud for a Live Response session.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.file | DELETE |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | Successfully deleted the file | N/A | N/A |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
No Content
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
No Content
Retrieve all Live Response commands issued in the specific session.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | READ |
org.liveresponse.process | READ |
org.liveresponse.file | READ |
org.liveresponse.registry | READ |
org.liveresponse.memdump | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Response | application/json | Example response below |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
[
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
]
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
[
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
]
Send a Live Response command to the sensor. The Issue Command call accepts any one of the Command objects described below in its request body; only one command object can be used per call.
This call is the second step of a workflow. The complete workflow is:
1. Start Session to establish a session with the device.
2. Issue Command: the response contains the command id and other meta information about the command, but not the actual command response.
3. Retrieve Command Status with the id from the Issue Command response to get the actual command response.
Note: This call will refresh the 15-minute timeout of the “session” created by the Start Session call.
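An added example, not code from the Carbon Black documentation or the CBC Python SDK: a small Python client that implements the workflow above (Start Session, Issue Command, poll Retrieve Command Status until the command leaves PENDING, then Close Session), with a bounded wait so a sensor that never checks in cannot hang the caller, as the asynchronous model in the introduction and Session Management section requires. The HTTP transport is injected; the in-memory fake below is a constructed stand-in for the Carbon Black Cloud that mirrors the documented field names and status values but is not the service, and the hostname, org key and device id are the page's sample values.

```python
import time
from typing import Any, Callable, Dict, Optional, Tuple

# A transport takes (method, url, json_body) -> (http_status, parsed_json); injected for offline testing.
Transport = Callable[[str, str, Optional[Any]], Tuple[int, Any]]


class LiveResponseClient:
    """Start Session -> Issue Command -> poll Retrieve Command Status -> Close Session."""

    def __init__(self, hostname: str, org_key: str, transport: Transport):
        self.base = f"https://{hostname}/appservices/v6/orgs/{org_key}/liveresponse"
        self.transport = transport  # a real transport would also send the X-Auth-Token header
        self.session_id: Optional[str] = None

    def start_session(self, device_id: int) -> Dict[str, Any]:
        code, body = self.transport("POST", f"{self.base}/sessions", {"device_id": device_id})
        if code != 201:
            raise RuntimeError(f"Start Session failed: HTTP {code}: {body}")
        self.session_id = body["id"]  # "{session}:{device_id}", required by every later call
        return body

    def issue_command(self, command: Dict[str, Any]) -> int:
        if self.session_id is None:
            raise RuntimeError("no active session; call start_session() first")
        url = f"{self.base}/sessions/{self.session_id}/commands"
        code, body = self.transport("POST", url, command)
        if code not in (200, 201):
            raise RuntimeError(f"Issue Command failed: HTTP {code}: {body}")
        return body["id"]  # only the command id; the actual result comes from polling

    def wait_for_command(self, command_id: int, timeout_s: float = 60.0,
                         poll_interval_s: float = 1.0, sleep=time.sleep) -> Dict[str, Any]:
        """Poll Retrieve Command Status until the command leaves PENDING or the deadline passes."""
        url = f"{self.base}/sessions/{self.session_id}/commands/{command_id}"
        deadline = time.monotonic() + timeout_s
        while True:
            code, body = self.transport("GET", url, None)
            if code != 200:
                raise RuntimeError(f"Retrieve Command Status failed: HTTP {code}: {body}")
            if body["status"] != "PENDING":
                return body
            if time.monotonic() >= deadline:
                raise TimeoutError(f"command {command_id} still PENDING after {timeout_s}s")
            sleep(poll_interval_s)

    def close_session(self) -> None:
        # Release the endpoint now rather than leaving the session open until the 15-minute timeout.
        code, body = self.transport("DELETE", f"{self.base}/sessions/{self.session_id}", None)
        if code != 204:
            raise RuntimeError(f"Close Session failed: HTTP {code}: {body}")
        self.session_id = None


def make_fake_transport(pending_polls: int = 2) -> Tuple[Transport, Dict[str, Any]]:
    """Constructed in-memory stand-in for the Carbon Black Cloud API (not the real service).
    Each command reports PENDING for `pending_polls` status checks, then COMPLETE."""
    state: Dict[str, Any] = {"sessions": set(), "commands": {}, "polls": 0, "next_id": 5}

    def transport(method: str, url: str, body: Optional[Any]) -> Tuple[int, Any]:
        parts = url.split("/liveresponse/", 1)[1].split("/")
        if method == "POST" and parts == ["sessions"]:
            sid = f"1234567:{body['device_id']}"
            state["sessions"].add(sid)
            return 201, {"id": sid, "device_id": body["device_id"], "status": "ACTIVE", "session_timeout": 900}
        if len(parts) < 2 or parts[0] != "sessions" or parts[1] not in state["sessions"]:
            return 404, {"message": "Sensor Not Found"}  # no active session with that id
        if method == "DELETE" and len(parts) == 2:
            state["sessions"].discard(parts[1])
            return 204, None
        if method == "POST" and parts[2:] == ["commands"]:
            cmd_id = state["next_id"]
            state["next_id"] += 1
            state["commands"][cmd_id] = {
                "id": cmd_id, "name": body["name"], "status": "PENDING", "result_code": 0,
                "input": {"name": body["name"], "object": body.get("path")}, "polls_left": pending_polls}
            return 200, {k: v for k, v in state["commands"][cmd_id].items() if k != "polls_left"}
        if method == "GET" and len(parts) == 4 and parts[2] == "commands":
            cmd = state["commands"].get(int(parts[3]))
            if cmd is None:
                return 404, {"message": "Command Not Found"}
            state["polls"] += 1
            if cmd["polls_left"] > 0:
                cmd["polls_left"] -= 1
            else:
                cmd["status"], cmd["result_type"] = "COMPLETE", "WinHresult"
            return 200, {k: v for k, v in cmd.items() if k != "polls_left"}
        return 404, {"message": "unknown route"}

    return transport, state


def run_create_directory(device_id: int = 11412673, path: str = "C:\\demo"):
    """Run the quick-start 'create directory' flow end to end against the fake transport."""
    transport, state = make_fake_transport(pending_polls=2)
    client = LiveResponseClient("defense-eap01.conferdeploy.net", "ABCD1234", transport)
    client.start_session(device_id)
    cmd_id = client.issue_command({"name": "create directory", "path": path})
    result = client.wait_for_command(cmd_id, sleep=lambda _s: None)  # no real waiting offline
    client.close_session()
    return result, state
```

Against the real service, replace the fake with a transport that performs the HTTP request with the X-Auth-Token header and returns the status code and decoded JSON body.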
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | READ |
org.liveresponse.process | READ, EXECUTE, DELETE |
org.liveresponse.registry | CREATE, READ, UPDATE, DELETE |
org.liveresponse.file | CREATE, READ, DELETE |
org.liveresponse.memdump | READ |
Request
POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands
Request Body - application/json
Click on any of the commands below to view its details or explore the example code snippets.
List the contents of a directory/folder on the remote device. To get the actual content of the directory, you need to make a Retrieve Command Status with the id you receive from this call.
org.liveresponse.file - READ
{
"name": "directory list",
"path": "<string>"
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"files": [
{
"size": integer,
"attributes": [
"<string>"
],
"filename": "<string>",
"alternate_name": "<string>",
"last_write_time": "<string>",
"create_time": "<string>",
"last_access_time": "<string>"
}
]
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "directory list",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\"
}
{
"values": [],
"id": 4,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"status": "PENDING",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\"
},
"create_time": "2021-04-08T11:07:57Z",
"finish_time": "2021-04-08T11:07:57.433Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "directory list", "path": "C:\\Program Files\\Google\\Chrome\\Application\\" }'
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "directory list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "directory list",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\"
},
"create_time": "2021-06-11T12:20:02Z",
"finish_time": "2021-06-11T12:20:02.085Z"
}
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# the full path of the directory, to check the content of
directory_path = 'C:\\Program Files\\Google\\Chrome\\Application\\'
# print the content of the directory
print(live_response.list_directory(directory_path))
[
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": ".",
"alternate_name": "",
"last_access_time": "2021-10-22T16:23:35Z",
"last_write_time": "2021-10-22T16:23:35Z",
"create_time": "2021-06-11T16:44:59Z",
},
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": "..",
"alternate_name": "",
"last_access_time": "2021-10-22T16:23:35Z",
"last_write_time": "2021-10-22T16:23:35Z",
"create_time": "2021-06-11T16:44:59Z",
},
{
"size": 2509656,
"attributes": ["ARCHIVE"],
"filename": "chrome.exe",
"alternate_name": "",
"last_access_time": "2021-10-07T21:13:06Z",
"last_write_time": "2021-10-07T02:00:42Z",
"create_time": "2021-06-11T16:44:59Z",
},
]
List all running processes on the remote device. To get the actual running processes, you need to make a Retrieve Command Status with the id you receive from this call.
org.liveresponse.process - READ
{
"name": "process list"
}
{
"status": "<string>",
"values": [],
"id": integer,
"name": "<string>",
"result_code": integer,
"result_desc": "<string>",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "string"
},
"create_time": "<string>",
"finish_time": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "process list"
}
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "process list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "process list"
},
"create_time": "2021-06-13T13:45:58Z",
"finish_time": "2021-06-13T13:45:58.064Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "process list" }'
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "process list",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"processes": [],
"input": {
"name": "process list"
},
"create_time": "2021-06-13T13:58:32Z",
"finish_time": "2021-06-13T13:58:32.296Z"
}
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# print all the running processes
print(live_response.list_processes())
[
{
"parent_create_time": 1634920906,
"parent_pid": 2712,
"process_cmdline": '"C:\\Program '
'Files\\Google\\Chrome\\Application\\chrome.exe" '
"--type=utility "
"--utility-sub-type=network.mojom.NetworkService "
"--field-trial-handle=1180,3277392572462062088,821093735683398366,131072 "
"--lang=en-US --service-sandbox-type=none "
"--mojo-platform-channel-handle=1536 /prefetch:8",
"process_create_time": 1634920.0,
"process_path": "c:\\program files\\google\\chrome\\application\\chrome.exe",
"process_pid": 5604,
"process_username": "NT AUTHORITY\\SYSTEM",
"sid": "S-1-5-18",
}
]
Start a new process on the remote device. To get the newly created process PID or details like its status, make a Retrieve Command Status request with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.process - EXECUTE
{
"name": "create process",
"path": "<string>",
"output_file": "<string>",
"wait": boolean
}
{
"id": integer,
"input": {
"wait": boolean,
"name": "<string>",
"working_directory": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"process_details": {
"pid": integer,
"return_code": integer
}
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "create process",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
}
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 13,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create process",
"object": ""
},
"create_time": "2021-06-13T19:14:22Z",
"finish_time": "2021-06-13T19:14:22.912Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "create process", "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" }'
{
"status": "PENDING",
"values": [],
"process_details": {
"pid": 0,
"return_code": -1
},
"id": 13,
"name": "create process",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create process",
"object": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"create_time": "2021-06-13T19:14:22Z",
"finish_time": "2021-06-13T19:14:22.912Z"
}
org.liveresponse.process - EXECUTE
org.liveresponse.file - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# Open Google Chrome on a Windows device. No output is returned.
live_response.create_process(r'C:\Program Files\Google\Chrome\Application\chrome.exe', wait_for_completion=False, wait_for_output=False)
# Open cmd.exe, ping a certain IP address and print the response
print(live_response.create_process(r'cmd.exe /c "ping 127.0.0.1"'))
b'\r\nPinging 127.0.0.1 with 32 bytes of data:\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\n\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\r\nApproximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n'
Terminate a running process by its PID. You can obtain the PID with the Issue Command call, using process list in the request body, and reading the result with Retrieve Command Status.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.process - DELETE
{
"name": "kill",
"pid": integer
}
{
"id": integer,
"input": {
"name": "<string>",
"object": integer
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "kill",
"pid": 9380
}
{
"status": "PENDING",
"values": [],
"id": 15,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 9380
},
"create_time": "2021-06-13T19:58:32Z",
"finish_time": "2021-06-13T19:58:32.468Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "kill", "pid": 9380 }'
{
"status": "PENDING",
"values": [],
"id": 15,
"name": "kill",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "kill",
"object": 9380
},
"create_time": "2021-06-13T19:58:32Z",
"finish_time": "2021-06-13T19:58:32.468Z"
}
org.liveresponse.process - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to.
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# Get all running processes.
processes = live_response.list_processes()
# Filter for the process you want to terminate - in this case 'chrome.exe'. We are assuming there is only one 'chrome.exe' process running.
chrome_pid = None
for process in processes:
    if 'chrome.exe' in process['process_path']:
        chrome_pid = process['process_pid']
print('Process PID for chrome.exe is: ', chrome_pid)
# Use the kill command to terminate the process with the desired PID (skip if no match was found).
if chrome_pid is not None:
    print('Terminate Process: ', live_response.kill_process(chrome_pid))
Process PID for chrome.exe is: 2712
Terminate Process: True
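Both the process list and kill calls above return only a command id that has to be polled, and the SDK example selects the PID by a substring match on the path. As an added example that is not part of the Carbon Black docs or the CBC SDK, the following Python drives the documented issue-then-poll cycle through a pluggable transport and picks the PID to terminate by exact, normalised path, refusing an ambiguous match unless told otherwise. It assumes the Retrieve Command Status endpoint is GET .../commands/{command_id} and that status moves from PENDING to COMPLETE or ERROR; the service is replaced by a constructed in-memory fake so it runs offline.

```python
"""Issue a Live Response command, poll it to completion and select a PID.

Added example, not code from the Carbon Black Cloud docs or the CBC SDK. The
client drives the v6 endpoints shown on this page through a pluggable transport,
so it runs against the real service (requests-based callables) or, as here,
against a constructed fake that replays the documented response shape offline.
Assumed, not on this page: status is read with GET .../commands/{command_id} and
"status" moves from "PENDING" to "COMPLETE" (or "ERROR") once the sensor answers.
"""
import ntpath
import time
from typing import Callable, List

BASE = "https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse"
SESSION_ID = "1234567:11412673"  # {session_id}:{device_id}, as used on this page


class CommandFailed(RuntimeError):
    pass


class LiveResponseClient:
    """POST a command, then poll Retrieve Command Status until it settles."""

    def __init__(self, post: Callable[[str, dict], dict], get: Callable[[str], dict],
                 sleep: Callable[[float], None] = time.sleep):
        self._post, self._get, self._sleep = post, get, sleep

    def run(self, body: dict, timeout: float = 30.0, interval: float = 1.0) -> dict:
        url = f"{BASE}/sessions/{SESSION_ID}/commands"
        cmd_id = self._post(url, body)["id"]       # returns at once with status PENDING
        deadline = time.monotonic() + timeout
        while True:
            status = self._get(f"{url}/{cmd_id}")  # assumed status URL, see docstring
            if status["status"] == "COMPLETE":
                return status
            if status["status"] == "ERROR":
                raise CommandFailed(f"{body['name']}: result_code={status['result_code']} "
                                    f"{status['result_desc']!r}")
            if time.monotonic() > deadline:
                raise TimeoutError(f"{body['name']} still {status['status']} after {timeout}s")
            self._sleep(interval)


def pids_for_image(processes: List[dict], image_path: str) -> List[int]:
    """PIDs whose process_path equals image_path after Windows path normalisation.

    Exact comparison rather than `'chrome.exe' in process_path`: a substring test
    also selects a same-named binary in another directory, which is not the
    process the analyst decided to terminate.
    """
    want = ntpath.normcase(image_path)
    return sorted(p["process_pid"] for p in processes
                  if ntpath.normcase(p["process_path"]) == want)


def terminate_image(client: LiveResponseClient, image_path: str,
                    expect_single: bool = True) -> List[int]:
    """Run 'process list', pick PIDs by exact path, then 'kill' each of them."""
    pids = pids_for_image(client.run({"name": "process list"})["processes"], image_path)
    if expect_single and len(pids) != 1:
        raise CommandFailed(f"expected exactly one {image_path}, found PIDs {pids}")
    for pid in pids:
        client.run({"name": "kill", "pid": pid})
    return pids


# Constructed sample data and fake service, not captured API traffic.
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_PROCESSES = [  # only the two 'process list' result fields this example needs
    {"process_pid": 5604, "process_path": CHROME.lower()},
    {"process_pid": 2712, "process_path": CHROME},
    {"process_pid": 4242, "process_path": "C:\\Users\\Public\\Tools\\chrome.exe"},
]


class FakeLiveResponse:
    """Replays the page's response shape: one PENDING poll, then COMPLETE."""

    def __init__(self, processes: List[dict]):
        self._processes, self._commands, self._polls, self.killed = processes, {}, {}, []

    def post(self, url: str, body: dict) -> dict:
        cmd_id = len(self._commands)
        self._commands[cmd_id], self._polls[cmd_id] = body, 0
        return {"status": "PENDING", "id": cmd_id, "name": body["name"],
                "result_code": 0, "result_desc": "", "input": body}

    def get(self, url: str) -> dict:
        cmd_id = int(url.rsplit("/", 1)[1])
        body, self._polls[cmd_id] = self._commands[cmd_id], self._polls[cmd_id] + 1
        done = self._polls[cmd_id] >= 2
        reply = {"id": cmd_id, "name": body["name"], "result_code": 0, "result_desc": "",
                 "status": "COMPLETE" if done else "PENDING"}
        if done and body["name"] == "process list":
            reply["processes"] = [p for p in self._processes if p["process_pid"] not in self.killed]
        elif done and body["name"] == "kill":
            self.killed.append(body["pid"])
        return reply
```

Against the real service, `post` and `get` would wrap `requests.post(url, json=body, headers=...)` and `requests.get(url, headers=...)` carrying the X-Auth-Token header shown above; `terminate_image(client, CHROME)` raises when the path matches more than one PID, which the SDK example's substring filter silently tolerates.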
Delete a file from the remote device. To check whether the file was deleted successfully, make a Retrieve Command Status request with the id you receive from this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.file - DELETE
{
"name": "delete file",
"path": "<string>"
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "delete file",
"path": "C:\\demo\\hello_world.txt"
}
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "delete file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "delete file",
"object": "C:\\demo\\hello_world.txt"
},
"create_time": "2021-06-13T18:12:42Z",
"finish_time": "2021-06-13T18:12:42.917Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "delete file", "path": "C:\\demo\\hello_world.txt" }'
{
"status": "PENDING",
"values": [],
"id": 1,
"name": "delete file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"create_time": "2021-06-13T18:17:28Z",
"input": {
"name": "delete file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-06-13T18:17:28.805Z"
}
org.liveresponse.process - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to.
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# The full path of the directory to view contents of in order to get a certain filename.
directory_path = 'C:\\demo\\'
print('Directory contents is: ', live_response.list_directory(directory_path))
# Send the delete command with the full path to the file.
live_response.delete_file("C:\\demo\\hello_world.txt")
Directory contents is: [
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": ".",
"alternate_name": "",
"create_time": "2021-10-25T11:38:23Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T12:31:00Z",
},
{
"size": 0,
"attributes": ["DIRECTORY"],
"filename": "..",
"alternate_name": "",
"create_time": "2021-10-25T11:38:23Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T12:31:00Z",
},
{
"size": 42,
"attributes": ["ARCHIVE"],
"filename": "hello_world.txt",
"alternate_name": "HELLO_~1.TXT",
"create_time": "2021-10-25T12:31:00Z",
"last_access_time": "2021-10-25T12:31:00Z",
"last_write_time": "2021-10-25T11:34:55Z",
},
]
Retrieve contents of the specified file on the remote machine - this call is part of a sequence. Use the file_id you receive from the response body of this call to get the actual file content with the Get File Content call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.file - READ
{
"name": "get file",
"path": "<string>",
"offset": integer,
"count": integer
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"name": "get file",
"path": "C:\\demo\\hello_world.txt"
}
{
"status": "PENDING",
"values": [],
"file_details": {
"offset": 0,
"count": 0,
"file_id": "01957fa2-7091-48fc-bc6a-03ca63cf3e45"
},
"id": 0,
"name": "get file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "get file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-10-27T08:14:00.352Z",
"create_time": "2021-10-27T08:14:00Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "get file", "path": "C:\\demo\\hello_world.txt" }'
{
"status": "PENDING",
"values": [],
"file_details": {
"offset": 0,
"count": 0,
"file_id": "c1353fa1-e1b9-4ad6-aa80-ef113363ee3c"
},
"id": 1,
"name": "get file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "get file",
"object": "C:\\demo\\hello_world.txt"
},
"finish_time": "2021-10-27T08:28:19.277Z",
"create_time": "2021-10-27T08:28:19Z"
}
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# get the file content and save it in a variable
file_content = live_response.get_file('C:\\demo\\hello_world.txt')
# save the content in a file or print it, like in this example
print('Content:\n', file_content)
Content:
b'Hello\r\nHello\r\nHello\r\nHello\r\nHello\r\nHello\r\n'
Upload a file to the specified directory on the remote device - this call is the second part of a sequence. Use the id you receive in the response body of the Upload File to Carbon Black Cloud call as the file_id for this one.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.file - CREATE
{
"name": "put file",
"path": "<string>",
"file_id": "<string>"
}
{
"id": integer,
"input": {
"name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"file_details": {
"file_id": "<string>",
"offset": integer,
"count": integer
}
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123466789/ABCD123466"
Content-Type: "application/json"
{
"name": "put file",
"path": "C:\\demo\\example_file.txt",
"file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367"
}
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "put file",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"finish_time": "2021-10-27T09:43:07.809Z",
"create_time": "2021-10-27T09:43:07Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123466789/ABCD123466' \
-d '{ "name": "put file", "path": "C:\\demo\\example_file.txt", "file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367" }'
org.liveresponse.file - CREATE, READ
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# the first argument of put_file() is the content to upload, and the second is the remote location to save it to
live_response.put_file('Hello!', 'C:\\demo\\example_file.txt')
# to make sure the file and content are successfully created, run the get_file command
print(live_response.get_file('C:\\demo\\example_file.txt'))
b'Hello!'
Create a directory on the remote device.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.file - CREATE
{
"name": "create directory",
"path": "<string>"
}
{
"id": integer,
"input": {
"name": "create directory",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123476789/ABCD123476"
Content-Type: "application/json"
{
"name": "create directory",
"path": "C:\\demo"
}
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123476789/ABCD123476' \
-d '{ "name": "create directory", "path": "C:\\demo" }'
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "create directory",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "create directory",
"object": "C:\\demo"
},
"finish_time": "2021-10-27T10:45:54.904Z",
"create_time": "2021-10-27T10:45:54Z"
}
org.liveresponse.file - CREATE, READ
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# provide full path to the directory to create
live_response.create_directory('C:\\demo')
Create a new registry key on the remote endpoint.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - CREATE
{
"name": "reg create key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123486789/ABCD123486"
Content-Type: "application/json"
{
"name": "reg create key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "reg create key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg create key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:06:32Z",
"finish_time": "2021-11-01T10:06:32.340Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg create key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'
{
"status": "PENDING",
"values": [],
"id": 0,
"name": "reg create key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg create key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:06:32Z",
"finish_time": "2021-11-01T10:06:32.340Z"
}
org.liveresponse.registry - CREATE, READ
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# create the registry key
live_response.create_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Delete an existing registry key.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - DELETE
{
"name": "reg delete key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123496789/ABCD123496"
Content-Type: "application/json"
{
"name": "reg delete key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "reg delete key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:36:55Z",
"finish_time": "2021-11-01T10:36:55.736Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg delete key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'
{
"status": "PENDING",
"values": [],
"id": 5,
"name": "reg delete key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T10:36:55Z",
"finish_time": "2021-11-01T10:36:55.736Z"
}
org.liveresponse.registry - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# delete the registry key
live_response.delete_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Return the subkeys of the specified registry key.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - READ
{
"name": "reg enum key",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123506789/ABCD123506"
Content-Type: "application/json"
{
"name": "reg enum key",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}
{
"status": "PENDING",
"values": [],
"id": 2,
"name": "reg enum key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg enum key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:26:04Z",
"finish_time": "2021-11-01T11:26:04.548Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"name": "reg enum key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'
{
"status": "PENDING",
"values": [],
"id": 2,
"name": "reg enum key",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg enum key",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:26:04Z",
"finish_time": "2021-11-01T11:26:04.548Z"
}
org.liveresponse.registry - READ
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# enumerate the specified registry key and print the result
print(live_response.list_registry_values('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example'))
Return the data in the specified registry value.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - READ
{
"name": "reg query value",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"name": "<string>",
"key": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"values": [
{
"registry_type": "<string>",
"registry_name": "<string>",
"registry_data": "<string>"
}
]
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123516789/ABCD123516"
Content-Type: "application/json"
{
"name": "reg query value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}
{
"status": "PENDING",
"values": [],
"id": 6,
"name": "reg query value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg query value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:37:52Z",
"finish_time": "2021-11-01T11:37:52.660Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123516789/ABCD123516' \
-d '{ "name": "reg query value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'
{
"status": "PENDING",
"values": [],
"id": 6,
"name": "reg query value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg query value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:37:52Z",
"finish_time": "2021-11-01T11:37:52.660Z"
}
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# read the registry value and print its data
print(live_response.get_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example'))
Update the data in the specified registry value.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - UPDATE
{
"name": "reg set value",
"path": "<string>",
"value_data": "<string>",
"value_type": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123526789/ABCD123526"
Content-Type: "application/json"
{
"name": "reg set value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
"value_data": "check_val",
"value_type": "pbREG_NONE"
}
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg set value",
"registry_data": null
},
"values": [],
"id": 9,
"name": "reg set value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"value_type": "REG_NONE",
"name": "reg set value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:45:43Z",
"finish_time": "2021-11-01T11:45:43.159Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123526789/ABCD123526' \
-d '{ "name": "reg set value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example", "value_data": "check_val", "value_type": "pbREG_NONE" }'
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg set value",
"registry_data": null
},
"values": [],
"id": 9,
"name": "reg set value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"value_type": "REG_NONE",
"name": "reg set value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:45:43Z",
"finish_time": "2021-11-01T11:45:43.159Z"
}
org.liveresponse.registry - READ, UPDATE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# set the data of the registry value (here to the integer 1)
live_response.set_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example', 1)
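The echoed input objects in the registry responses above show that the service splits the single path string into hive, key and, for the value operations only, a value_name taken from the last path component (compare reg create key, where the whole remainder is the key). As an added example that is not the docs' or the SDK's code, the following Python reproduces that split so a caller can see what a command will touch before sending it, and builds the request body with json.dumps so the backslashes in Windows paths are escaped the way JSON requires. Only pbHKEY_LOCAL_MACHINE appears on this page; the other hive names are assumed to follow the same pattern.

```python
"""Split Live Response registry paths the way the service echoes them.

Added example, not code from the Carbon Black Cloud docs or the CBC SDK. The
`input` objects in the registry responses on this page show one `path` string
being split into `hive`, `key` and, for value operations only, `value_name`
(the last component), with `HKLM` reported as `pbHKEY_LOCAL_MACHINE`.
Reproducing that split locally lets a caller validate a path before sending
it; bodies are serialised with json.dumps so backslashes are escaped correctly.
"""
import json
from typing import Dict, Optional

# pbHKEY_LOCAL_MACHINE is the name echoed on this page; the other hive names are
# an assumption that they follow the same pbHKEY_* pattern.
HIVES: Dict[str, str] = {
    "HKLM": "pbHKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "pbHKEY_LOCAL_MACHINE",
    "HKCU": "pbHKEY_CURRENT_USER", "HKEY_CURRENT_USER": "pbHKEY_CURRENT_USER",
    "HKU": "pbHKEY_USERS", "HKEY_USERS": "pbHKEY_USERS",
    "HKCR": "pbHKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT": "pbHKEY_CLASSES_ROOT",
    "HKCC": "pbHKEY_CURRENT_CONFIG", "HKEY_CURRENT_CONFIG": "pbHKEY_CURRENT_CONFIG",
}
# Commands on this page whose last path component names a value, not a subkey.
VALUE_COMMANDS = {"reg query value", "reg set value", "reg delete value"}
KEY_COMMANDS = {"reg create key", "reg delete key", "reg enum key"}


def split_registry_path(path: str, value_operation: bool) -> Dict[str, str]:
    """Return the hive/key(/value_name) fields the service echoes for `path`."""
    parts = [p for p in path.split("\\") if p]
    if len(parts) < 2:
        raise ValueError(f"need a hive and at least one key component: {path!r}")
    hive = HIVES.get(parts[0].upper())
    if hive is None:
        raise ValueError(f"unknown registry hive {parts[0]!r} in {path!r}")
    fields = {"hive": hive, "object": path}
    if value_operation:
        if len(parts) < 3:
            raise ValueError(f"a value operation needs key\\value_name: {path!r}")
        fields["key"] = "\\".join(parts[1:-1])   # everything between hive and value
        fields["value_name"] = parts[-1]
    else:
        fields["key"] = "\\".join(parts[1:])     # the whole remainder is the key
    return fields


def registry_command(name: str, path: str, value_data: Optional[str] = None,
                     value_type: Optional[str] = None) -> str:
    """Build the JSON request body for one of this page's registry commands."""
    if name not in VALUE_COMMANDS | KEY_COMMANDS:
        raise ValueError(f"not a registry command: {name!r}")
    split_registry_path(path, name in VALUE_COMMANDS)  # fail locally on a bad path
    body = {"name": name, "path": path}
    if name == "reg set value":
        if value_data is None or value_type is None:
            raise ValueError("reg set value needs value_data and value_type")
        body["value_data"], body["value_type"] = value_data, value_type
    return json.dumps(body)


if __name__ == "__main__":
    example = "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    print(split_registry_path(example, value_operation=False))  # key ends ...\ACPI\Example
    print(split_registry_path(example, value_operation=True))   # key ends ...\ACPI, value Example
    print(registry_command("reg set value", example, "check_val", "pbREG_NONE"))
```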
Delete the specified registry value.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.registry - DELETE
{
"name": "reg delete value",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>"
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123536789/ABCD123536"
Content-Type: "application/json"
{
"name": "reg delete value",
"path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg delete value",
"registry_data": null
},
"values": [],
"id": 15,
"name": "reg delete value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:53:07Z",
"finish_time": "2021-11-01T11:53:07.469Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123536789/ABCD123536' \
-d '{ "name": "reg delete value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'
{
"status": "PENDING",
"value": {
"registry_type": null,
"registry_name": "reg delete value",
"registry_data": null
},
"values": [],
"id": 15,
"name": "reg delete value",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"hive": "pbHKEY_LOCAL_MACHINE",
"name": "reg delete value",
"key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
"value_name": "Example",
"object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
},
"create_time": "2021-11-01T11:53:07Z",
"finish_time": "2021-11-01T11:53:07.469Z"
}
org.liveresponse.registry - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
live_response.delete_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
Dump the kernel memory of the remote device into a specified file. The path parameter indicates where on the remote device the file will be created. The API call will automatically create the file if it does not exist.
To get details such as the status or result code of the memdump, make a Retrieve Command Status call with the id returned by this call.
Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.
org.liveresponse.memdump - READ
{
"name": "memdump",
"path": "<string>"
}
{
"id": integer,
"input": {
"hive": "<string>",
"value_type": "<string>",
"name": "<string>",
"value_data": "<string>",
"overwrite": boolean,
"key": "<string>",
"value_name": "<string>",
"object": "<string>"
},
"name": "<string>",
"create_time": "<string>",
"finish_time": "<string>",
"result_code": integer,
"result_type": "<string>",
"result_desc": "<string>",
"status": "<string>",
"mem_dump": {
"percentdone": integer,
"return_code": integer
}
}
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123546789/ABCD123546"
Content-Type: "application/json"
{
"name": "memdump",
"path": "C:\\demo\\memdup.txt"
}
{
"status": "PENDING",
"values": [],
"mem_dump": {
"compressing": false,
"complete": false,
"dumping": false,
"return_code": 0,
"percentdone": 0
},
"id": 1,
"name": "memdump",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "memdump",
"object": "C:\\demo\\memdup.txt"
},
"create_time": "2021-06-13T20:26:30Z",
"finish_time": "2021-06-13T20:26:30.367Z"
}
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123546789/ABCD123546' \
-d '{ "name": "memdump", "path": "c:\\demo\\memdup.txt" }'
{
"status": "PENDING",
"values": [],
"mem_dump": {
"compressing": false,
"complete": false,
"dumping": false,
"return_code": 0,
"percentdone": 0
},
"id": 1,
"name": "memdump",
"result_code": 0,
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"name": "memdump",
"object": "C:\\demo\\memdup.txt"
},
"create_time": "2021-06-13T20:26:30Z",
"finish_time": "2021-06-13T20:26:30.367Z"
}
org.liveresponse.memdump - READ
org.liveresponse.file - READ, DELETE
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device
# id of device to connect and issue commands to
device_id = 11412673
# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()
# run the memdump command and save the content in a specified file
memdump = live_response.start_memdump("C:\\demo\\memdump.txt")
Response
Code | Description | Content-Type | Content |
---|---|---|---|
201 | Successful Response | application/json | Example response below |
400 | Invalid Command or Input Validation Error | application/json | |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled or Too Many Commands | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Retrieve the results of the command requested in the Issue Command call.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.session | READ |
org.liveresponse.process | READ |
org.liveresponse.registry | READ |
org.liveresponse.file | READ |
org.liveresponse.memdump | READ |
Request
GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Query Parameters
Field | Required |
---|---|
wait | No |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | | application/json | Example response below |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found or Command Not Found | application/json | |
Example
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1 \
-X GET \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
"status": "COMPLETE",
"values": [],
"id": 1,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 0,
"file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T09:34:33Z",
"finish_time": "2021-10-29T09:34:34Z"
}
Cancel a Live Response Command if its status is PENDING.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.liveresponse.process | DELETE |
org.liveresponse.registry | DELETE |
org.liveresponse.file | DELETE |
org.liveresponse.memdump | READ |
Request
DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | | application/json | Example response below |
400 | Invalid Command or Input Validation Error | application/json | |
401 | Not Authorized. API_KEY or CONNECTOR_ID are invalid | application/json | |
403 | Live Response Not Enabled | application/json | |
404 | Org Not Found or Sensor Not Found | application/json | |
Example
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"status": "CANCELLED",
"values": [],
"id": 10,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 1,
"file_id": "32b33455-7450-4858-898c-51e1f17aca12",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T11:48:10Z",
"finish_time": "2021-10-29T11:48:14Z"
}
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10 \
-X DELETE \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
"status": "CANCELLED",
"values": [],
"id": 10,
"name": "put file",
"result_code": 0,
"result_type": "WinHresult",
"result_desc": "",
"sub_keys": [],
"files": [],
"input": {
"chunkNumber": 1,
"file_id": "32b33455-7450-4858-898c-51e1f17aca12",
"name": "put file",
"object": "C:\\demo\\example_file.txt"
},
"create_time": "2021-10-29T11:48:10Z",
"finish_time": "2021-10-29T11:48:14Z"
}
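The asynchronous flow that the memdump, Retrieve Command Status and Cancel Command descriptions above depend on, as an added example rather than code from the Carbon Black Cloud docs or the CBC Python SDK: issue a command, poll the status endpoint with the `wait` query parameter (the page lists `wait` without a type, so `wait=true` is an assumption), treat a command as successful only when it is COMPLETE with result_code 0, and cancel only while the status is still PENDING. The HTTP transport is injected, and `scripted_http` is a constructed stand-in that replays sample responses so the flow runs offline.

```python
from typing import Any, Callable, Dict, Optional

# Transport signature: (method, url, headers, json body or None) -> decoded JSON.
Http = Callable[[str, str, Dict[str, str], Optional[dict]], Dict[str, Any]]

class CommandClient:
    def __init__(self, host: str, org_key: str, token: str, http: Http):
        self.root = f"{host}/appservices/v6/orgs/{org_key}/liveresponse/sessions"
        # X-Auth-Token is the header the page's curl examples send.
        self.headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
        self.http = http

    def _url(self, session_id: str, command_id: Optional[int] = None) -> str:
        url = f"{self.root}/{session_id}/commands"
        return url if command_id is None else f"{url}/{command_id}"

    def issue(self, session_id: str, body: dict) -> Dict[str, Any]:
        # POST returns at once with status PENDING; the sensor runs it asynchronously.
        return self.http("POST", self._url(session_id), self.headers, body)

    def wait_for_command(self, session_id: str, command_id: int, max_polls: int = 10):
        # Retrieve Command Status with wait=true (assumed form of the 'wait' parameter)
        # until the status leaves PENDING, e.g. COMPLETE or CANCELLED.
        for _ in range(max_polls):
            url = self._url(session_id, command_id) + "?wait=true"
            cmd = self.http("GET", url, self.headers, None)
            if cmd["status"] != "PENDING":
                return cmd
        raise TimeoutError(f"command {command_id} still PENDING after {max_polls} polls")

    def cancel_if_pending(self, session_id: str, command_id: int) -> Dict[str, Any]:
        # DELETE .../commands/{id} only applies while PENDING; otherwise return the
        # current document so the caller sees the final state instead of an error.
        cmd = self.http("GET", self._url(session_id, command_id), self.headers, None)
        if cmd["status"] != "PENDING":
            return cmd
        return self.http("DELETE", self._url(session_id, command_id), self.headers, None)

def succeeded(cmd: Dict[str, Any]) -> bool:
    # Finished is not enough: COMPLETE plus result_code 0 (a WinHresult on Windows).
    return cmd["status"] == "COMPLETE" and cmd.get("result_code", 0) == 0

def scripted_http(replies: Dict[str, list]) -> Http:
    # Constructed offline transport: each "METHOD url" key holds a queue of replies;
    # the last reply is repeated, like a command whose state has stopped changing.
    def http(method: str, url: str, headers: Dict[str, str], body: Optional[dict]):
        assert headers.get("X-Auth-Token"), "every session call needs the token header"
        queue = replies[f"{method} {url}"]
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return http
```

For a memdump, also check `mem_dump.complete` and `mem_dump.return_code` in the final document before fetching the dump file.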
You can find field definitions and more details for all request and response fields here.