Live Response API


Overview

Live Response is a feature that’s available across all products on the Carbon Black Cloud. Live Response allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.

The Live Response API is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.

All Live Response API requests except Start Session and Get All Sessions require an active “session”. Requests that take a session id return an error if no session has been established or the session has timed out. A device with an active session keeps an open connection to the Carbon Black Cloud until the session times out or is closed with the Close Session call. See the Session Management section for details on “sessions”.

The CBC Python SDK integrates Live Response into a new or existing codebase. View the examples below, or review the SDK’s full technical specification and capabilities.

If you use a previous version of the Live Response APIs, see this document for details of what has changed and how to migrate to v6.

Use Cases

Live Response provides Analysts with direct access to the endpoint during Alert Triage or Incident Response

  • Gather context:
    • Determine if a malicious process is still running
    • Get the content of a file or registry key
    • Upload, execute, and get the results of a forensic toolkit
  • Take action and remediate:
    • Kill a malicious process
    • Delete a malicious file

In addition to Incident Response, Live Response can be used for IT Operations use cases including:

  • Executing processes and retrieving memory dumps of poorly performing processes
  • Remotely managing endpoints through command line access

Requirements

  • At least one Carbon Black Cloud product
  • Device with Live Response enabled
  • All API calls require an API key with the appropriate permissions; see Authentication

Authentication

Use the following information for authentication, and see the Carbon Black Cloud Authentication Guide for full instructions.

  • Access Level: Before you create your API Key, you need to create a “Custom” Access Level for the “Session Management”, “File Management” and “Command Endpoint” categories
    • To use all functions of Live Response, allow the following permissions (or see each call below for its individual requirements):
      • “org.liveresponse.session”, allow permission to CREATE, READ, UPDATE, DELETE
      • “org.liveresponse.file”, allow permission to CREATE, READ, DELETE
      • “org.liveresponse.process”, allow permission to READ, EXECUTE, DELETE
      • “org.liveresponse.registry”, allow permission to CREATE, READ, UPDATE, DELETE
      • “org.liveresponse.memdump”, allow permission to READ
  • API Key: When you create your API Key, use the Access Level Type of “Custom”, then select the Access Level you created.
  • Environment: use the URL of your Carbon Black Cloud console (this is the Dashboard URL).
  • API Route: appservices/v6/orgs/{org_key}/liveresponse
    • Note: when you insert your org_key, you must also remove the { } brackets.

Quick Start

Quick Start guides walk through complete workflows for common Live Response API scenarios.

This Quick Start guide follows a scenario that creates a folder on a remote endpoint and then uploads a file into it. The workflow steps are:

1. Start Session with a remote endpoint
2. Issue Command - create directory to create the directory on the remote endpoint
3. Retrieve Command Status to get the status of the command issued in step 2
4. Upload File to Carbon Black Cloud; a file must first be uploaded to the Carbon Black Cloud before it can be sent to the endpoint
5. Issue Command - put file to send the file to the remote endpoint

1. Start Session

All interaction with endpoints must occur in the context of a session.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "device_id": 11412673
}

Response Body
{
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
        "put file",
        "get file",
        "memdump",
        "create directory",
        "delete file",
        "directory list",
        "reg enum key",
        "reg query value",
        "reg create key",
        "reg delete key",
        "reg delete value",
        "reg set value",
        "process list",
        "kill",
        "create process"
    ],
    "drives": [
        "A:\\",
        "C:\\",
        "D:\\"
    ],
    "id": "1234567:11412673",
    "device_id": 11412673,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-10-27T09:45:02.191Z",
    "device_check_in_time": "2021-10-27T09:45:01.608Z"
}

2. Issue Command - create directory

The Issue Command call accepts a number of different body parameters depending on the command.
For a full list of the supported commands and their parameters, go to the Issue Command section.


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "create directory",
  "path": "C:\\demo"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 5,
    "name": "create directory",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "create directory",
        "object": "C:\\demo"
    },
    "finish_time": "2021-10-27T10:45:54.904Z",
    "create_time": "2021-10-27T10:45:54Z"
}

3. Retrieve Command Status

Retrieve the results of Issue Command from the previous step by using its id.

Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/5

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
    "status": "COMPLETE",
    "values": [],
    "id": 5,
    "name": "create directory",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "create directory",
        "object": "C:\\demo"
    },
    "create_time": "2021-10-27T12:20:11Z",
    "finish_time": "2021-10-27T12:20:11Z"
}

4. Upload File to Carbon Black Cloud

To send file to an endpoint, first upload it to the Carbon Black Cloud.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"

Request Body
multipart/form-data carrying the file to upload (the curl example under Upload File to Carbon Black Cloud sends it as the form part named file)

Response Body
{
  "id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
  "size": 1,
  "file_name": "example_file.txt",
  "size_fileed": 1,
  "upload_url": null
}

5. Issue Command - put file

Using the id from the previous step, send the file to the endpoint in the directory created in step 2.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "put file",
  "path": "C:\\demo\\example_file.txt",
  "file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 0,
    "name": "put file",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "file_id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
        "name": "put file",
        "object": "C:\\demo\\example_file.txt"
    },
    "finish_time": "2021-10-27T09:43:07.809Z",
    "create_time": "2021-10-27T09:43:07Z"
}

This Quick Start guide follows a scenario for creating a process that writes output to a file and then terminates it. The workflow steps are:

1. Start Session with a remote endpoint
2. Issue Command - create process to run the process on the remote endpoint
3. Retrieve Command Status to get the status of the issued command in step 2
4. Issue Command - kill to terminate the created process using the pid from step 3

1. Start Session

All interaction with endpoints must occur in the context of a session.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "device_id": 11412673
}

Response Body
{
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
        "put file",
        "get file",
        "memdump",
        "create directory",
        "delete file",
        "directory list",
        "reg enum key",
        "reg query value",
        "reg create key",
        "reg delete key",
        "reg delete value",
        "reg set value",
        "process list",
        "kill",
        "create process"
    ],
    "drives": [
        "A:\\",
        "C:\\",
        "D:\\"
    ],
    "id": "1234567:11412673",
    "device_id": 11412673,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-10-27T09:45:02.191Z",
    "device_check_in_time": "2021-10-27T09:45:01.608Z"
}

2. Issue Command - create process

This command will open cmd.exe, list the contents of the current directory and save it to a file. The Issue Command call accepts a number of different body parameters depending on the command.
For a full list of the supported commands and their parameters, go to the Issue Command section.


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "create process",
  "path": "cmd.exe /c dir",
  "output_file": "C:\\demo\\output.txt",
  "wait": true
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "process_details": {
        "pid": 0,
        "return_code": -1
    },
    "id": 15,
    "name": "create process",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "wait": true,
        "name": "create process",
        "output_file": "C:\\demo\\output.txt",
        "object": "cmd.exe /c dir"
    },
    "create_time": "2021-10-29T13:47:07Z",
    "finish_time": "2021-10-29T13:47:07.732Z"
}

3. Retrieve Command Status

Retrieve the results of Issue Command from the previous step by using its id.

Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/15

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
    "status": "COMPLETE",
    "values": [],
    "process_details": {
        "pid": 3272,
        "return_code": 0
    },
    "id": 15,
    "name": "create process",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "wait": true,
        "name": "create process",
        "output_file": "C:\\demo\\output.txt",
        "object": "cmd.exe /c dir"
    },
    "create_time": "2021-10-29T13:47:07Z",
    "finish_time": "2021-10-29T13:47:08Z"
}

4. Issue Command - kill

Terminate the process created in step 2, using the pid returned in process_details in step 3. Because step 2 was issued with "wait": true, the command completed only after cmd.exe had exited (step 3 reports return_code 0), so in this scenario the pid belongs to a process that has already finished; to terminate a still-running process, create it without waiting and use the pid from its command status.

Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "kill",
  "pid": 3272
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 16,
    "name": "kill",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "kill",
        "object": 3272
    },
    "create_time": "2021-10-29T13:56:27Z",
    "finish_time": "2021-10-29T13:56:28.105Z"
}
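The session, command and poll cycle described in the Overview and followed by both Quick Starts, as an added example rather than code from this page or the CBC Python SDK. The client uses only the routes and fields shown above; the transport is pluggable, so the same code runs against the real service through requests_transport (which assumes the requests library is installed) or offline against FakeCloud, a constructed stand-in whose responses are modelled on the example bodies on this page:

```python
"""Added example (not the CBC SDK or this page's code): a minimal Live Response v6 client that turns
Issue Command + Retrieve Command Status into a blocking call and runs the Quick Start workflows."""
import time

class LiveResponseError(RuntimeError):
    pass

def requests_transport(method, url, body, files, headers):
    """Real transport over HTTPS with the requests library (assumed installed)."""
    import requests  # imported lazily so the offline FakeCloud demo below runs without it
    resp = requests.request(method, url, json=body, files=files, headers=headers, timeout=60)
    if resp.status_code >= 400:
        raise LiveResponseError(f"{method} {url} -> {resp.status_code}: {resp.text}")
    return resp.json() if resp.content else {}  # 204 responses carry no body

class LiveResponseClient:
    def __init__(self, hostname, org_key, api_token, transport):
        self.base = f"{hostname.rstrip('/')}/appservices/v6/orgs/{org_key}/liveresponse"  # no {} braces
        self.headers = {"X-Auth-Token": api_token}
        self.transport = transport  # transport(method, url, json_body, files, headers) -> dict
        self.sleep = time.sleep     # replaced by a no-op in tests so polling does not block

    def _call(self, method, path, body=None, files=None):
        return self.transport(method, self.base + path, body, files, self.headers)

    def start_session(self, device_id):
        return self._call("POST", "/sessions", {"device_id": device_id})

    def close_session(self, session_id):
        self._call("DELETE", f"/sessions/{session_id}")

    def issue_command(self, session_id, **command):
        return self._call("POST", f"/sessions/{session_id}/commands", command)

    def get_command(self, session_id, command_id):
        return self._call("GET", f"/sessions/{session_id}/commands/{command_id}")

    def upload_file(self, session_id, file_name, data):
        # multipart form part named "file", as in the curl example under Upload File below
        return self._call("POST", f"/sessions/{session_id}/files", files={"file": (file_name, data)})

    def wait_for_command(self, session_id, command_id, timeout=120, interval=1.0):
        """Poll Retrieve Command Status until the command leaves PENDING, then check its result."""
        deadline = time.monotonic() + timeout
        while True:
            cmd = self.get_command(session_id, command_id)
            if cmd["status"] != "PENDING":
                break
            if time.monotonic() > deadline:
                raise LiveResponseError(f"command {command_id} still PENDING after {timeout}s")
            self.sleep(interval)
        if cmd["status"] != "COMPLETE" or cmd.get("result_code", 0) != 0:
            code = cmd.get("result_code", 0) & 0xFFFFFFFF  # show the WinHresult as unsigned hex
            raise LiveResponseError(f"{cmd['name']}: {cmd['status']} result_code=0x{code:08x} {cmd.get('result_desc', '')}")
        return cmd

    def run(self, session_id, **command):
        """Quick Start steps 2 and 3 as one call: Issue Command, then poll it to completion."""
        return self.wait_for_command(session_id, self.issue_command(session_id, **command)["id"])

def put_file_workflow(client, device_id, file_name, data, remote_dir):
    """Quick Start 1: create directory, upload to Carbon Black Cloud, put file on the endpoint."""
    sid = client.start_session(device_id)["id"]
    try:
        client.run(sid, name="create directory", path=remote_dir)
        uploaded = client.upload_file(sid, file_name, data)
        return client.run(sid, name="put file", path=f"{remote_dir}\\{file_name}", file_id=uploaded["id"])
    finally:
        client.close_session(sid)  # never leave a session open until its 15-minute timeout

class FakeCloud:
    """Constructed stand-in for the service with bodies modelled on the examples above; the first
    poll of each command is still PENDING and the second is COMPLETE, so the loop is exercised."""
    def __init__(self):
        self.calls, self.commands, self.polls = [], {}, {}

    def __call__(self, method, url, body, files, headers):
        path = url.split("/liveresponse", 1)[1]
        self.calls.append((method, path))
        if (method, path) == ("POST", "/sessions"):
            return {"id": f"1234567:{body['device_id']}", "status": "ACTIVE", "session_timeout": 900}
        if method == "POST" and path.endswith("/files"):
            return {"id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba", "file_name": files["file"][0]}
        if method == "DELETE" and path.startswith("/sessions/"):
            return {}
        if method == "POST" and path.endswith("/commands"):
            cid = len(self.commands) + 1
            self.commands[cid] = {"id": cid, "status": "PENDING", "result_code": 0, "name": body["name"],
                                  "input": dict(body, object=body.get("path", body.get("pid")))}
        elif method == "GET" and "/commands/" in path:
            cid = int(path.rsplit("/", 1)[1])
            self.polls[cid] = self.polls.get(cid, 0) + 1
            if self.polls[cid] >= 2:
                self.commands[cid].update(status="COMPLETE", result_type="WinHresult")
                if self.commands[cid]["name"] == "create process":  # pid/return_code as on the page
                    self.commands[cid]["process_details"] = {"pid": 3272, "return_code": 0}
        else:
            raise AssertionError(f"unexpected call {method} {path}")
        return dict(self.commands[cid])
```

Quick Start 2 becomes `client.run(sid, name="create process", path="cmd.exe /c dir", output_file="C:\\demo\\output.txt", wait=True)`, whose process_details carry the pid; with "wait": true the command completes only after the process has exited (step 3 above reports return_code 0), so that pid is of a finished process. wait_for_command treats anything other than COMPLETE with result_code 0 as a failure and reports the WinHresult as unsigned hex, and put_file_workflow closes the session in a finally block so a failed step does not leave it open until the timeout.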


API Calls

Session Management

All interaction with endpoints must occur in the context of a session. The correct flow is:

  1. Start Session using Start Session API call
  2. Perform required actions
  3. Close Session using the Close Session API call

Existing sessions can be found by id with Get Session by ID, or listed with Get All Sessions. Each session keeps an open connection to the Carbon Black Cloud for as long as it is active. A session is kept alive for a timeout period of 15 minutes and terminated once that period expires; each Get Session by ID or Issue Command call resets the timeout. The session can be closed before the timeout expires with the Close Session call. Only one session per device can be active at a time, but it can be used by multiple callers.
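An added example (not part of this page or the CBC SDK) of the timeout rule above: a helper that tracks idle time since the last Get Session by ID or Issue Command call, refreshes the session with Get Session by ID shortly before the 15-minute timeout, and fails if the session is no longer ACTIVE. The 60-second margin and the reading of check_in_timeout as the sensor’s check-in deadline are assumptions; the get_session callable is whatever issues the Get Session by ID request:

```python
"""Added example (not part of the CBC SDK or this page): keep a Live Response session alive
across a long task. The page says a session expires after session_timeout (15 minutes) without
a Get Session by ID or Issue Command call; the 60-second refresh margin is an assumption."""
from datetime import datetime, timedelta, timezone

def parse_cbc_time(value):
    """Timestamps on this page look like 2021-10-29T09:02:52.791Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class SessionKeepAlive:
    def __init__(self, session, get_session, clock=None, margin_seconds=60):
        self.session = session          # body returned by Start Session or Get Session by ID
        self.get_session = get_session  # callable(session_id) -> session body (Get Session by ID)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.margin = margin_seconds
        self.last_activity = self.clock()
        self.refreshes = 0

    def note_activity(self):
        """Call after each Issue Command: it resets the idle timeout just as Get Session by ID does."""
        self.last_activity = self.clock()

    def seconds_until_expiry(self):
        expiry = self.last_activity + timedelta(seconds=self.session["session_timeout"])
        return (expiry - self.clock()).total_seconds()

    def tick(self):
        """Refresh with Get Session by ID when inside the margin. Returns True if a refresh was sent."""
        if self.seconds_until_expiry() > self.margin:
            return False
        refreshed = self.get_session(self.session["id"])
        if refreshed.get("status") != "ACTIVE":
            raise RuntimeError(f"session {self.session['id']} is {refreshed.get('status')}; start a new one")
        self.session = refreshed
        self.note_activity()
        self.refreshes += 1
        return True

    def device_checked_in(self):
        """Assumed meaning of check_in_timeout: the sensor must check in within that many seconds,
        so an older device_check_in_time suggests the endpoint has gone offline."""
        age = self.clock() - parse_cbc_time(self.session["device_check_in_time"])
        return age.total_seconds() <= self.session["check_in_timeout"]
```

Call tick() from the loop that drives a long upload or a batch of commands, and note_activity() after each Issue Command; a refresh is only sent when the session is within the margin of expiring, so the extra Get Session by ID traffic stays small.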


Start Session

Creates a new Live Response session for the specific device. The returned session id is required by all other requests in this API except Get All Sessions. This session will be kept alive for a timeout period of 15 minutes unless Get Session by ID or Issue Command call is made which resets the timeout. The session can be closed before the timeout expires with the Close Session call.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session CREATE


Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions


Request Body - application/json

{
  "device_id": integer
}


Body Schema

Field Definition Data Type Values
device_id
REQUIRED
Device id to start the session for Integer N/A


Response Status Codes

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "device_id": 11412673
}

Response Body
{
  "current_working_directory": "C:\\Windows\\system32",
  "supported_commands": [
    "put file",
    "get file",
    "memdump",
    "create directory",
    "delete file",
    "directory list",
    "reg enum key",
    "reg query value",
    "reg create key",
    "reg delete key",
    "reg delete value",
    "reg set value",
    "process list",
    "kill",
    "create process"
  ],
  "drives": [
    "A:\\",
    "C:\\",
    "D:\\"
  ],
  "id": "1234567:11412673",
  "device_id": 11412673,
  "check_in_timeout": 900,
  "session_timeout": 900,
  "status": "ACTIVE",
  "current_command_index": 0,
  "create_time": "2021-10-29T08:55:03.535Z",
  "device_check_in_time": "2021-10-29T08:54:49.868Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: application/json' \
  -d '{"device_id": 11412673}'

Response Body
{
  "current_working_directory": "C:\\Windows\\system32",
  "supported_commands": [
    "put file",
    "get file",
    "memdump",
    "create directory",
    "delete file",
    "directory list",
    "reg enum key",
    "reg query value",
    "reg create key",
    "reg delete key",
    "reg delete value",
    "reg set value",
    "process list",
    "kill",
    "create process"
  ],
  "drives": [
    "A:\\",
    "C:\\",
    "D:\\"
  ],
  "id": "1234567:11412673",
  "device_id": 11412673,
  "check_in_timeout": 900,
  "session_timeout": 900,
  "status": "ACTIVE",
  "current_command_index": 0,
  "create_time": "2021-10-29T08:55:03.535Z",
  "device_check_in_time": "2021-10-29T08:54:49.868Z"
}

Get Session by ID

Retrieve Live Response session by id. This call will refresh the 15-minute timeout of the “session” created by Start Session request.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
  "current_working_directory": "C:\\Windows\\system32",
  "supported_commands": [
    "put file",
    "get file",
    "memdump",
    "create directory",
    "delete file",
    "directory list",
    "reg enum key",
    "reg query value",
    "reg create key",
    "reg delete key",
    "reg delete value",
    "reg set value",
    "process list",
    "kill",
    "create process"
  ],
  "drives": [
    "A:\\",
    "C:\\",
    "D:\\"
  ],
  "id": "1234567:11412673",
  "device_id": 11412673,
  "check_in_timeout": 900,
  "session_timeout": 900,
  "status": "ACTIVE",
  "current_command_index": 0,
  "create_time": "2021-10-29T09:02:53.277Z",
  "device_check_in_time": "2021-10-29T09:02:52.791Z"
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
{
  "current_working_directory": "C:\\Windows\\system32",
  "supported_commands": [
    "put file",
    "get file",
    "memdump",
    "create directory",
    "delete file",
    "directory list",
    "reg enum key",
    "reg query value",
    "reg create key",
    "reg delete key",
    "reg delete value",
    "reg set value",
    "process list",
    "kill",
    "create process"
  ],
  "drives": [
    "A:\\",
    "C:\\",
    "D:\\"
  ],
  "id": "1234567:11412673",
  "device_id": 11412673,
  "check_in_timeout": 900,
  "session_timeout": 900,
  "status": "ACTIVE",
  "current_command_index": 0,
  "create_time": "2021-10-29T09:02:53.277Z",
  "device_check_in_time": "2021-10-29T09:02:52.791Z"
}

Get All Sessions

Get all Live Response sessions.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
204 Successful Response with empty response body when no active sessions present N/A N/A
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
[
  {
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
      "put file",
      "get file",
      "memdump",
      "create directory",
      "delete file",
      "directory list",
      "reg enum key",
      "reg query value",
      "reg create key",
      "reg delete key",
      "reg delete value",
      "reg set value",
      "process list",
      "kill",
      "create process"
    ],
    "drives": [
      "A:\\",
      "C:\\",
      "D:\\"
    ],
    "id": "1234567:11412673",
    "device_id": 11412673,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-10-29T09:06:59.186Z",
    "device_check_in_time": "2021-10-29T09:06:54.293Z"
  }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
[
  {
    "current_working_directory": "C:\\Windows\\system32",
    "supported_commands": [
      "put file",
      "get file",
      "memdump",
      "create directory",
      "delete file",
      "directory list",
      "reg enum key",
      "reg query value",
      "reg create key",
      "reg delete key",
      "reg delete value",
      "reg set value",
      "process list",
      "kill",
      "create process"
    ],
    "drives": [
      "A:\\",
      "C:\\",
      "D:\\"
    ],
    "id": "1234567:11412673",
    "device_id": 11412673,
    "check_in_timeout": 900,
    "session_timeout": 900,
    "status": "ACTIVE",
    "current_command_index": 0,
    "create_time": "2021-10-29T09:06:59.186Z",
    "device_check_in_time": "2021-10-29T09:06:54.293Z"
  }
]

Close Session

Close Live Response session before the session’s 15 minute timeout.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session DELETE

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}

Response

Code Description Content-Type Content
204 Session closed N/A N/A
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
No Content

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673 \
  -X DELETE \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
No Content

Disable Live Response

Permanently disables the Live Response feature in the sensor of the requested device(s).

Note: This action cannot be undone. You must reinstall the sensor to restore Live Response.


RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse DELETE

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill

Request Body - application/json

[ integer ]

Body Schema

Field Definition Data Type Values
N/A Array of device ids to disable Live Response Array [ integer ]

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
404 Org Not Found or Sensor Not Found or File Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
[ 11412673 ]

Response Body
{
  "id": "1234567:11412673",
  "device_id": 11412673,
  "create_time": 1502467167,
  "session_timeout": 900,
  "device_check_in_time": "2020-10-01T14:17:21.668Z",
  "check_in_timeout": 900,
  "status": "PENDING",
  "current_command_index": 0,
  "hostname": null,
  "address": "string",
  "os_version": null,
  "current_working_directory": "C:\\",
  "supported_commands": [
    "process list"
  ],
  "drives": [
    "C:\\"
  ]
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/kill \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: application/json' \
  -d '[11412673]'

Response Body
{
  "id": "1234567:11412673",
  "device_id": 11412673,
  "create_time": 1502467167,
  "session_timeout": 900,
  "device_check_in_time": "2020-10-01T14:17:21.668Z",
  "check_in_timeout": 900,
  "status": "PENDING",
  "current_command_index": 0,
  "hostname": null,
  "address": "string",
  "os_version": null,
  "current_working_directory": "C:\\",
  "supported_commands": [
    "process list"
  ],
  "drives": [
    "C:\\"
  ]
}

File Management

Manage Carbon Black Cloud files associated with a Live Response session.

To send a file to an endpoint, first upload it to the Carbon Black Cloud within a specific session. The file can then be placed on the endpoint, and managed there, with the Issue Command API call.


Get All Files Metadata

Gets metadata for all Carbon Black Cloud files associated with the Live Response session. Returns the File objects associated with the session, but not the content of those files. Retrieve file content with the Get File Content call.

There is no defined limit to file size; no issues have been encountered with files over 1 GB.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
[
  {
    "id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
    "size": 6,
    "file_name": "example_file.txt",
    "size_fileed": 0,
    "upload_url": null
  }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
[
  {
    "id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
    "size": 6,
    "file_name": "example_file.txt",
    "size_fileed": 0,
    "upload_url": null
  }
]

Get File Metadata

Retrieve a particular File object by id for a session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
  "id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
  "size": 6,
  "file_name": "example_file.txt",
  "size_fileed": 0,
  "upload_url": null
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
{
  "id": "dcf728ab-7611-48ff-9e7f-501730a46eea",
  "size": 6,
  "file_name": "example_file.txt",
  "size_fileed": 0,
  "upload_url": null
}

Get File Content

Return the raw contents of the specified file. Write the response to disk rather than holding it in memory (the curl example below uses -o). Add -L only if you need to follow redirects and trust where the console may redirect, because curl sends custom -H headers, including X-Auth-Token, along with the redirected request.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea/content

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
<string>

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea/content \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -o file_to_download_to.txt \
  -L

Response Body
file_to_download_to.txt

Upload File to Carbon Black Cloud

Upload local file to Carbon Black Cloud through the Live Response session. A timeout may occur when uploading very large files. More information on the timeout period for a session is included in the Session Management section.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file CREATE

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files

Request Body - multipart/form-data

fileName (the file to upload, sent as a multipart form part; the curl example below uses the part name file)

Response

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Empty File Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "multipart/form-data"

Response Body
{
  "id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
  "size": 0,
  "file_name": "example_file.txt",
  "size_fileed": 0,
  "upload_url": null
}

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: multipart/form-data' \
  -F 'file=@example_file.txt'

Response Body
{
  "id": "bbddcb70-c476-42d7-888f-aa4d6e09d1ba",
  "size": 0,
  "file_name": "example_file.txt",
  "size_fileed": 0,
  "upload_url": null
}

Delete File

Delete a file and its contents from Carbon Black Cloud for a Live Response session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.file DELETE

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}

Response

Code Description Content-Type Content
204 Successfully deleted the file N/A N/A
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/bdbd44f3-b9c8-445f-9a7a-51a0541624e0

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
No Content

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/files/dcf728ab-7611-48ff-9e7f-501730a46eea \
  -X DELETE \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
No Content

Command Endpoint

Get Commands List

Retrieve all Live Response commands issued in the specific session.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ
org.liveresponse.file READ
org.liveresponse.registry READ
org.liveresponse.memdump READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands

Response

Code Description Content-Type Content
200 Successful Response application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
[
  {
    "status": "COMPLETE",
    "values": [],
    "id": 1,
    "name": "put file",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
      "chunkNumber": 0,
      "file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
      "name": "put file",
      "object": "C:\\demo\\example_file.txt"
    },
    "create_time": "2021-10-29T09:34:33Z",
    "finish_time": "2021-10-29T09:34:34Z"
  }
]

Request
$ curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
[
  {
    "status": "COMPLETE",
    "values": [],
    "id": 1,
    "name": "put file",
    "result_code": 0,
    "result_type": "WinHresult",
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
      "chunkNumber": 0,
      "file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
      "name": "put file",
      "object": "C:\\demo\\example_file.txt"
    },
    "create_time": "2021-10-29T09:34:33Z",
    "finish_time": "2021-10-29T09:34:34Z"
  }
]

Issue Command

Send a Live Response command to the sensor. The Issue Command call may accept any one of the Command objects described below in its request body. One command object per call can be used.

This call is the second step of a workflow. The complete workflow is:

  1. Start Session or use an already existing one for the specific device.
  2. Issue Command to send a command to the device. This call returns the command id and metadata about the command, but not the actual command response.
  3. Retrieve Command Status with the id from Issue Command response to get the actual command response.

Note: This call will refresh the 15-minute timeout of the “session” created by Start Session call.
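The three steps above, as an added example that is not part of the original documentation or of the CBC Python SDK: a small standard-library client that issues one command, then polls Retrieve Command Status until the command leaves PENDING, with a deadline and a check on the final status and result_code. The status endpoint path (the Get Commands List path with the command id appended), the treatment of every non-PENDING status as terminal, and the fake transport are assumptions made here so the flow can be run offline; the hostname, org key and session id are the placeholder values used on this page.

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Optional

# Added example, not code from the Carbon Black Cloud documentation or SDK.
# Drives the three-step Issue Command workflow over plain REST calls.
# Assumptions (not stated on this page): Retrieve Command Status is
# GET .../sessions/{session_id}/commands/{command_id}; any status other than
# "PENDING" is terminal; the HTTP transport is injectable so the flow can be
# exercised offline against the constructed fake at the bottom.

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: one HTTPS request, JSON response decoded to a dict."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class CommandTimeout(Exception):
    """The command was still PENDING when the polling deadline passed."""


class CommandFailed(Exception):
    """The command ended with a status other than COMPLETE or a non-zero result_code."""


class LiveResponseClient:
    def __init__(self, hostname: str, org_key: str, api_token: str,
                 transport: Transport = urllib_transport) -> None:
        self.base = f"https://{hostname}/appservices/v6/orgs/{org_key}/liveresponse"
        self.headers = {"X-Auth-Token": api_token, "Content-Type": "application/json"}
        self.transport = transport

    def issue_command(self, session_id: str, command: Dict[str, Any]) -> int:
        """Step 2: POST one command object and keep only the command id."""
        url = f"{self.base}/sessions/{session_id}/commands"
        resp = self.transport("POST", url, self.headers, json.dumps(command).encode("utf-8"))
        return int(resp["id"])

    def command_status(self, session_id: str, command_id: int) -> Dict[str, Any]:
        """Step 3: Retrieve Command Status for one command (path assumed, see above)."""
        url = f"{self.base}/sessions/{session_id}/commands/{command_id}"
        return self.transport("GET", url, self.headers, None)

    def wait_for_command(self, session_id: str, command_id: int, timeout: float = 60.0,
                         interval: float = 1.0, sleep=time.sleep,
                         clock=time.monotonic) -> Dict[str, Any]:
        """Poll until the command leaves PENDING, then return the full result."""
        deadline = clock() + timeout
        while True:
            result = self.command_status(session_id, command_id)
            status = result.get("status")
            if status != "PENDING":
                if status != "COMPLETE" or result.get("result_code", 0) != 0:
                    raise CommandFailed(f"command {command_id}: status={status}, "
                                        f"result_code={result.get('result_code')}, "
                                        f"result_desc={result.get('result_desc', '')!r}")
                return result
            if clock() >= deadline:
                raise CommandTimeout(f"command {command_id} still PENDING after {timeout}s")
            sleep(interval)

    def run_command(self, session_id: str, command: Dict[str, Any], **poll) -> Dict[str, Any]:
        """Steps 2 and 3 together: issue the command, then wait for its real response."""
        return self.wait_for_command(session_id, self.issue_command(session_id, command), **poll)


def make_fake_transport(pending_polls: int, final_status: str = "COMPLETE",
                        result_code: int = 0) -> Transport:
    """Constructed offline stand-in for the API: the command stays PENDING for
    `pending_polls` status calls, then finishes with the given status/result_code."""
    state = {"polls": 0}

    def fake(method, url, headers, body):
        if method == "POST":                       # Issue Command: id only, no result yet
            return {"id": 4, "name": json.loads(body)["name"], "status": "PENDING"}
        state["polls"] += 1                        # Retrieve Command Status
        if state["polls"] <= pending_polls:
            return {"id": 4, "status": "PENDING", "result_code": 0, "files": []}
        return {"id": 4, "status": final_status, "result_code": result_code,
                "result_type": "WinHresult", "result_desc": "",
                "files": [{"filename": "chrome.exe", "size": 2509656, "attributes": ["ARCHIVE"]}]}
    return fake


def demo() -> Dict[str, Any]:
    """Directory listing through the fake; real use passes transport=urllib_transport."""
    client = LiveResponseClient("defense-eap01.conferdeploy.net", "ABCD1234",
                                "<API_TOKEN_PLACEHOLDER>", transport=make_fake_transport(2))
    command = {"name": "directory list",
               "path": "C:\\Program Files\\Google\\Chrome\\Application\\"}
    return client.run_command("1234567:11412673", command, interval=0)
```

In real use, pass transport=urllib_transport and a real API token; the fake transport exists only so the example runs offline. The deadline keeps a command that never leaves PENDING (for example because the device dropped its connection) from blocking the caller forever.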

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ, EXECUTE, DELETE
org.liveresponse.registry CREATE, READ, UPDATE, DELETE
org.liveresponse.file CREATE, READ, DELETE
org.liveresponse.memdump READ

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands


Request Body - application/json

Click on any of the commands below to view its details or explore the example code snippets.

Description

List the contents of a directory/folder on the remote device. To get the actual content of the directory, you need to make a Retrieve Command Status call with the id you receive from this call.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.


RBAC Permissions Required

org.liveresponse.file - READ


Request/Response Body - application/json
Request Body
{
  "name": "directory list",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "files": [
    {
      "size": integer,
      "attributes": [
        "<string>"
      ],
      "filename": "<string>",
      "alternate_name": "<string>",
      "last_write_time": "<string>",
      "create_time": "<string>",
      "last_access_time": "<string>"
    }
  ]
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "directory list",
  "path": "C:\\Program Files\\Google\\Chrome\\Application\\"
}

Response Body
{
  "values": [],
  "id": 4,
  "name": "directory list",
  "result_code": 0,
  "result_desc": "",
  "status": "PENDING",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "directory list",
      "object": "C:\\Program Files\\Google\\Chrome\\Application\\"
  },
  "create_time": "2021-04-08T11:07:57Z",
  "finish_time": "2021-04-08T11:07:57.433Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -d '{ "name": "directory list", "path": "C:\\Program Files\\Google\\Chrome\\Application\\" }'

Response
{
  "status": "PENDING",
  "values": [],
  "id": 0,
  "name": "directory list",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "name": "directory list",
    "object": "C:\\Program Files\\Google\\Chrome\\Application\\"
  },
  "create_time": "2021-06-11T12:20:02Z",
  "finish_time": "2021-06-11T12:20:02.085Z"
}

Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# the full path of the directory, to check the content of
directory_path = 'C:\\Program Files\\Google\\Chrome\\Application\\'

# print the content of the directory
print(live_response.list_directory(directory_path))

Result
[
    {
        "size": 0,
        "attributes": ["DIRECTORY"],
        "filename": ".",
        "alternate_name": "",
        "last_access_time": "2021-10-22T16:23:35Z",
        "last_write_time": "2021-10-22T16:23:35Z",
        "create_time": "2021-06-11T16:44:59Z",
    },
    {
        "size": 0,
        "attributes": ["DIRECTORY"],
        "filename": "..",
        "alternate_name": "",
        "last_access_time": "2021-10-22T16:23:35Z",
        "last_write_time": "2021-10-22T16:23:35Z",
        "create_time": "2021-06-11T16:44:59Z",
    },
    {
        "size": 2509656,
        "attributes": ["ARCHIVE"],
        "filename": "chrome.exe",
        "alternate_name": "",
        "last_access_time": "2021-10-07T21:13:06Z",
        "last_write_time": "2021-10-07T02:00:42Z",
        "create_time": "2021-06-11T16:44:59Z",
    },
]
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

List all running processes on the remote device. To get the actual list of running processes, you need to make a Retrieve Command Status call with the id you receive from this call.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.process - READ


Request/Response Body - application/json
Request Body
{
  "name": "process list"
}
Response Body
{
  "status": "<string>",
  "values": [],
  "id": integer,
  "name": "<string>",
  "result_code": integer,
  "result_desc": "<string>",
  "sub_keys": [],
  "files": [],
  "processes": [],
  "input": {
      "name": "string"
  },
  "create_time": "<string>",
  "finish_time": "<string>"
}  

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "process list"
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 0,
  "name": "process list",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "processes": [],
  "input": {
      "name": "process list"
  },
  "create_time": "2021-06-13T13:45:58Z",
  "finish_time": "2021-06-13T13:45:58.064Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -d '{ "name": "process list" }'

Response
{
  "status": "PENDING",
  "values": [],
  "id": 1,
  "name": "process list",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "processes": [],
  "input": {
    "name": "process list"
  },
  "create_time": "2021-06-13T13:58:32Z",
  "finish_time": "2021-06-13T13:58:32.296Z"
}

Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# print all the running processes
print(live_response.list_processes())

Result
[
    {
        "parent_create_time": 1634920906,
        "parent_pid": 2712,
        "process_cmdline": '"C:\\Program '
        'Files\\Google\\Chrome\\Application\\chrome.exe" '
        "--type=utility "
        "--utility-sub-type=network.mojom.NetworkService "
        "--field-trial-handle=1180,3277392572462062088,821093735683398366,131072 "
        "--lang=en-US --service-sandbox-type=none "
        "--mojo-platform-channel-handle=1536 /prefetch:8",
        "process_create_time": 1634920.0,
        "process_path": "c:\\program files\\google\\chrome\\application\\chrome.exe",
        "process_pid": 5604,
        "process_username": "NT AUTHORITY\\SYSTEM",
        "sid": "S-1-5-18",
    }
]
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Start a new process on the remote device. To get the newly created process PID or details like its status, make a Retrieve Command Status request with the id you receive from this call.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.process - EXECUTE


Request/Response Body - application/json
Request Body
{
  "name": "create process",
  "path": "<string>",
  "output_file": "<string>",
  "wait": boolean
}
Response Body
{
  "id": integer,
  "input": {
    "wait": boolean,
    "name": "<string>",
    "working_directory": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "process_details": {
    "pid": integer,
    "return_code": integer
  }
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "create process",
  "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "process_details": {
      "pid": 0,
      "return_code": -1
  },
  "id": 13,
  "name": "create process",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "create process",
      "object": ""
  },
  "create_time": "2021-06-13T19:14:22Z",
  "finish_time": "2021-06-13T19:14:22.912Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -d '{ "name": "create process", "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" }'

Response Body
{
  "status": "PENDING",
  "values": [],
  "process_details": {
      "pid": 0,
      "return_code": -1
  },
  "id": 13,
  "name": "create process",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "create process",
      "object": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
  },
  "create_time": "2021-06-13T19:14:22Z",
  "finish_time": "2021-06-13T19:14:22.912Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.process - EXECUTE
org.liveresponse.file - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# Open Google Chrome on a Windows device. No output is returned.
live_response.create_process(r'C:\Program Files\Google\Chrome\Application\chrome.exe', wait_for_completion=False, wait_for_output=False)

# Open cmd.exe, ping a certain IP address and print the response
print(live_response.create_process(r'cmd.exe /c "ping 127.0.0.1"'))

Result
b'\r\nPinging 127.0.0.1 with 32 bytes of data:\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\nReply from 127.0.0.1: bytes=32 time<1ms TTL=128\r\n\r\nPing statistics for 127.0.0.1:\r\n    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\r\nApproximate round trip times in milli-seconds:\r\n    Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n'
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Terminate a running process by its PID. You can get the PID by issuing the process list command (described above) and reading the result with Retrieve Command Status.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.process - DELETE


Request/Response Body - application/json
Request Body
{
  "name": "kill",
  "pid": integer
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": integer
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "kill",
  "pid": 9380
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 15,
  "name": "kill",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "kill",
      "object": 9380
  },
  "create_time": "2021-06-13T19:58:32Z",
  "finish_time": "2021-06-13T19:58:32.468Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-d '{ "name": "kill", "pid": 9380 }'

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 15,
  "name": "kill",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "kill",
      "object": 9380
  },
  "create_time": "2021-06-13T19:58:32Z",
  "finish_time": "2021-06-13T19:58:32.468Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.process - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to.
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# Get all running processes.
processes = live_response.list_processes()

# Filter for the process you want to terminate - in this case 'chrome.exe'. We are assuming there is only one 'chrome.exe' process running.
chrome_pid = None
for process in processes:
    if 'chrome.exe' in process['process_path']:
        chrome_pid = process['process_pid']
        print('Process PID for chrome.exe is: ', chrome_pid)

# Use the kill command to terminate the process with the desired PID.
print('Terminate Process: ', live_response.kill_process(chrome_pid))

Result
Process PID for chrome.exe is: 2712
Terminate Process: True
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
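The SDK snippet above notes that it assumes only one chrome.exe is running; the following added example (not code from the documentation or the CBC Python SDK) makes that assumption explicit by selecting a PID from a process list result only when the match is unambiguous, and by allowing the selection to be narrowed by account. The input shape follows the process list result shown on this page; the sample list is constructed.

```python
from pathlib import PureWindowsPath
from typing import Any, Dict, List, Optional

# Added example, not code from the Carbon Black Cloud documentation or SDK.
# Picks the PID to pass to the kill command from a process list result and
# refuses when zero or several processes match, so the wrong process is never
# terminated by accident. SAMPLE_PROCESSES is constructed for offline use.


class ProcessNotFound(LookupError):
    """No entry in the process list matches the requested image."""


class AmbiguousProcess(LookupError):
    """More than one entry matches; the caller must narrow the selection."""


def _image_name(path: str) -> str:
    # Compare on the image file name only, case-insensitively: the sensor reports
    # Windows paths in lower case ("c:\\program files\\...\\chrome.exe").
    return PureWindowsPath(path).name.lower()


def find_processes(processes: List[Dict[str, Any]], image: str,
                   username: Optional[str] = None) -> List[Dict[str, Any]]:
    """All entries whose process_path ends in `image`, optionally limited to one account."""
    want = image.lower()
    hits = [p for p in processes if _image_name(p.get("process_path", "")) == want]
    if username is not None:
        hits = [p for p in hits if p.get("process_username", "").lower() == username.lower()]
    return hits


def select_pid(processes: List[Dict[str, Any]], image: str,
               username: Optional[str] = None) -> int:
    """Return the single PID for `image`, or raise if the choice is not unique."""
    hits = find_processes(processes, image, username)
    if not hits:
        raise ProcessNotFound(f"no running process named {image!r}")
    if len(hits) > 1:
        pids = sorted(int(p["process_pid"]) for p in hits)
        raise AmbiguousProcess(f"{len(hits)} processes named {image!r} (pids {pids}); "
                               "narrow the selection before issuing kill")
    return int(hits[0]["process_pid"])


# Constructed sample, modelled on the process list result shown above.
SAMPLE_PROCESSES = [
    {"process_pid": 2712, "parent_pid": 1234,
     "process_path": "c:\\program files\\google\\chrome\\application\\chrome.exe",
     "process_username": "CORP\\analyst", "sid": "S-1-5-21-1-2-3-1001"},
    {"process_pid": 5604, "parent_pid": 2712,
     "process_path": "c:\\program files\\google\\chrome\\application\\chrome.exe",
     "process_username": "NT AUTHORITY\\SYSTEM", "sid": "S-1-5-18"},
    {"process_pid": 812, "parent_pid": 4,
     "process_path": "c:\\windows\\system32\\svchost.exe",
     "process_username": "NT AUTHORITY\\SYSTEM", "sid": "S-1-5-18"},
]
```

With the SDK, the result of live_response.list_processes() can be passed straight to select_pid(), and the returned PID to live_response.kill_process(); an AmbiguousProcess error is the cue to look at the full list (parent PIDs, command lines, accounts) before deciding which process to terminate.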
Description

Delete a file from the remote device. To check whether the file was deleted successfully, make a Retrieve Command Status request with the id you receive from this call.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.file - DELETE


Request/Response Body - application/json
Request Body
{
  "name": "delete file",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "delete file",
  "path": "C:\\demo\\hello_world.txt"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 1,
    "name": "delete file",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "delete file",
        "object": "C:\\demo\\hello_world.txt"
    },
    "create_time": "2021-06-13T18:12:42Z",
    "finish_time": "2021-06-13T18:12:42.917Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -d '{ "name": "delete file", "path": "C:\\demo\\hello_world.txt" }'

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 1,
  "name": "delete file",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "create_time": "2021-06-13T18:17:28Z",
  "input": {
    "name": "delete file",
    "object": "C:\\demo\\hello_world.txt"
  },
  "finish_time": "2021-06-13T18:17:28.805Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.process - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to.
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# The full path of the directory to view contents of in order to get a certain filename.
directory_path = 'C:\\demo\\'
print('Directory contents is: ', live_response.list_directory(directory_path))

# Send the delete command with the full path to the file.
live_response.delete_file("C:\\demo\\hello_world.txt")

Result
Directory contents is: [
    {
        "size": 0,
        "attributes": ["DIRECTORY"],
        "filename": ".",
        "alternate_name": "",
        "create_time": "2021-10-25T11:38:23Z",
        "last_access_time": "2021-10-25T12:31:00Z",
        "last_write_time": "2021-10-25T12:31:00Z",
    },
    {
        "size": 0,
        "attributes": ["DIRECTORY"],
        "filename": "..",
        "alternate_name": "",
        "create_time": "2021-10-25T11:38:23Z",
        "last_access_time": "2021-10-25T12:31:00Z",
        "last_write_time": "2021-10-25T12:31:00Z",
    },
    {
        "size": 42,
        "attributes": ["ARCHIVE"],
        "filename": "hello_world.txt",
        "alternate_name": "HELLO_~1.TXT",
        "create_time": "2021-10-25T12:31:00Z",
        "last_access_time": "2021-10-25T12:31:00Z",
        "last_write_time": "2021-10-25T11:34:55Z",
    },
]
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Retrieve contents of the specified file on the remote machine - this call is part of a sequence. Use the file_id you receive from the response body of this call to get the actual file content with the Get File Content call.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.file - READ


Request/Response Body - application/json
Request Body
{
  "name": "get file",
  "path": "<string>",
  "offset": integer,
  "count": integer
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "file_details": {
    "file_id": "<string>",
    "offset": integer,
    "count": integer
  }
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Request Body
{
  "name": "get file",
  "path": "C:\\demo\\hello_world.txt"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "file_details": {
        "offset": 0,
        "count": 0,
        "file_id": "01957fa2-7091-48fc-bc6a-03ca63cf3e45"
    },
    "id": 0,
    "name": "get file",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "get file",
        "object": "C:\\demo\\hello_world.txt"
    },
    "finish_time": "2021-10-27T08:14:00.352Z",
    "create_time": "2021-10-27T08:14:00Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -d '{ "name": "get file", "path": "C:\\demo\\hello_world.txt" }'

Response Body
{
  "status": "PENDING",
  "values": [],
  "file_details": {
    "offset": 0,
    "count": 0,
    "file_id": "c1353fa1-e1b9-4ad6-aa80-ef113363ee3c"
  },
  "id": 1,
  "name": "get file",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "name": "get file",
    "object": "C:\\demo\\hello_world.txt"
  },
  "finish_time": "2021-10-27T08:28:19.277Z",
  "create_time": "2021-10-27T08:28:19Z"
}

Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# get the file content and save it in a variable
file_content = live_response.get_file('C:\\demo\\hello_world.txt')

# save the content in a file or print it, like in this example
print('Content:\n', file_content)

Result
Content:
 b'Hello\r\nHello\r\nHello\r\nHello\r\nHello\r\nHello\r\n'
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Upload file to specified directory/folder - this call is the second part of a sequence. Use the id you receive from the response body of the Upload File to Carbon Black Cloud call as file_id for this one.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.file - CREATE


Request/Response Body - application/json
Request Body
{
  "name": "put file",
  "path": "<string>",
  "file_id": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "file_details": {
    "file_id": "<string>",
    "offset": integer,
    "count": integer
  }
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123466789/ABCD123466"
Content-Type: "application/json"

Request Body
{
  "name": "put file",
  "path": "C:\\demo\\example_file.txt",
  "file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 0,
    "name": "put file",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367",
        "name": "put file",
        "object": "C:\\demo\\example_file.txt"
    },
    "finish_time": "2021-10-27T09:43:07.809Z",
    "create_time": "2021-10-27T09:43:07Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123466789/ABCD123466' \
  -d '{ "name": "put file", "path": "C:\\demo\\example_file.txt", "file_id": "78e0eac9-9c47-406e-a822-077b5aeeb367" }'

Response Body

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.file - CREATE, READ


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# the first argument of put_file() is the content, and the second is the remote location to save it to
live_response.put_file('Hello!', 'C:\\demo\\example_file.txt')

# to make sure the file and content are successfully created, run the get_file command
print(live_response.get_file('C:\\demo\\example_file.txt'))

Result
b'Hello!'
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
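The two-part upload sequence (Upload File to Carbon Black Cloud, then the put file command above), as an added example that is not code from the documentation or the CBC Python SDK. It builds both request bodies with the standard library only: the multipart/form-data body for the file upload and the put file command carrying the returned id. The form field name "file" follows the curl example on this page; the send function is supplied by the caller (it adds the X-Auth-Token header and performs the HTTPS request), so the bodies can be inspected offline.

```python
import json
import secrets
from typing import Any, Callable, Dict, Tuple

# Added example, not code from the Carbon Black Cloud documentation or SDK.
# Builds the two requests of the upload sequence with the standard library only:
# the multipart/form-data body for "Upload File to Carbon Black Cloud" and the
# "put file" command that references the id returned by that upload. The form
# field name "file" follows the curl example (-F 'file=@example_file.txt');
# sending is delegated to a caller-supplied function.


def build_multipart_body(field_name: str, filename: str, data: bytes,
                         boundary: str = None) -> Tuple[str, bytes]:
    """Return (Content-Type header value, body) for one file part, per RFC 7578.
    A random boundary is generated unless one is supplied (useful in tests)."""
    if boundary is None:
        boundary = "----cbc-lr-" + secrets.token_hex(16)
    if boundary.encode("ascii") in data:
        raise ValueError("boundary string occurs inside the file data")
    # Escape characters that would terminate the quoted filename parameter.
    safe_name = filename.replace("\\", "\\\\").replace('"', '\\"')
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field_name}"; filename="{safe_name}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def parse_upload_response(body: str) -> str:
    """Pull the file id out of the 201 response; fail loudly on any other shape."""
    doc = json.loads(body)
    file_id = doc.get("id")
    if not isinstance(file_id, str) or not file_id:
        raise ValueError(f"upload response carries no file id: {body[:200]!r}")
    return file_id


def build_put_file_command(file_id: str, remote_path: str) -> Dict[str, str]:
    """The Issue Command body that places the uploaded file on the endpoint."""
    return {"name": "put file", "path": remote_path, "file_id": file_id}


# (method, url, content_type, body) -> response text; adds X-Auth-Token itself.
Send = Callable[[str, str, str, bytes], str]


def upload_and_place(send: Send, session_url: str, local_name: str, data: bytes,
                     remote_path: str) -> Tuple[Dict[str, str], Dict[str, Any]]:
    """Run the whole sequence; returns (put file command sent, Issue Command response).
    `session_url` is .../liveresponse/sessions/{session_id}."""
    content_type, body = build_multipart_body("file", local_name, data)
    file_id = parse_upload_response(send("POST", f"{session_url}/files", content_type, body))
    command = build_put_file_command(file_id, remote_path)
    response = send("POST", f"{session_url}/commands", "application/json",
                    json.dumps(command).encode("utf-8"))
    return command, json.loads(response)
```

The put file command returned by Issue Command is PENDING like any other; its completion is read back with Retrieve Command Status, and the session timeout noted for Upload File to Carbon Black Cloud applies to the multipart upload step.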
Description

Create a directory on the remote device.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.file - CREATE


Request/Response Body - application/json
Request Body
{
  "name": "create directory",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "create directory",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123476789/ABCD123476"
Content-Type: "application/json"

Request Body
{
  "name": "create directory",
  "path": "C:\\demo"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 5,
    "name": "create directory",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "create directory",
        "object": "C:\\demo"
    },
    "finish_time": "2021-10-27T10:45:54.904Z",
    "create_time": "2021-10-27T10:45:54Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123476789/ABCD123476' \
  -d '{ "name": "create directory", "path": "C:\\demo" }'

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 5,
    "name": "create directory",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "create directory",
        "object": "C:\\demo"
    },
    "finish_time": "2021-10-27T10:45:54.904Z",
    "create_time": "2021-10-27T10:45:54Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.file - CREATE, READ


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# provide full path to the directory to create
live_response.create_directory('C:\\demo')
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Create a new registry key on the remote endpoint. The examples below use a key under HKLM\SYSTEM\CurrentControlSet\services\ACPI, which is the service key of a real Windows driver; on anything other than a test machine, point them at a scratch key instead.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.registry - CREATE


Request/Response Body - application/json
Request Body
{
  "name": "reg create key",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123486789/ABCD123486"
Content-Type: "application/json"

Request Body
{
  "name": "reg create key",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 0,
  "name": "reg create key",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "hive": "pbHKEY_LOCAL_MACHINE",
    "name": "reg create key",
    "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
    "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
  },
  "create_time": "2021-11-01T10:06:32Z",
  "finish_time": "2021-11-01T10:06:32.340Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: application/json' \
  -d '{"name": "reg create key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 0,
  "name": "reg create key",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "hive": "pbHKEY_LOCAL_MACHINE",
    "name": "reg create key",
    "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
    "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
  },
  "create_time": "2021-11-01T10:06:32Z",
  "finish_time": "2021-11-01T10:06:32.340Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.registry - CREATE, READ


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# create the registry key
live_response.create_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Delete an existing registry key.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.registry - DELETE


Request/Response Body - application/json
Request Body
{
  "name": "reg delete key",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123496789/ABCD123496"
Content-Type: "application/json"

Request Body
{
  "name": "reg delete key",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 5,
    "name": "reg delete key",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "name": "reg delete key",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T10:36:55Z",
    "finish_time": "2021-11-01T10:36:55.736Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: application/json' \
  -d '{"name": "reg delete key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 5,
  "name": "reg delete key",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "hive": "pbHKEY_LOCAL_MACHINE",
    "name": "reg delete key",
    "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
    "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
  },
  "create_time": "2021-11-01T10:36:55Z",
  "finish_time": "2021-11-01T10:36:55.736Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.registry - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# delete the registry key
live_response.delete_registry_key('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Return the subkeys and values of the specified registry key.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.registry - READ


Request/Response Body - application/json
Request Body
{
  "name": "reg enum key",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "sub_keys": [
    "<string>"
  ],
  "values": [
    {
      "registry_type": "<string>",
      "registry_name": "<string>",
      "registry_data": "<string>"
    }
  ]
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123506789/ABCD123506"
Content-Type: "application/json"

Request Body
{
  "name": "reg enum key",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 2,
  "name": "reg enum key",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "hive": "pbHKEY_LOCAL_MACHINE",
    "name": "reg enum key",
    "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
    "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
  },
  "create_time": "2021-11-01T11:26:04Z",
  "finish_time": "2021-11-01T11:26:04.548Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456' \
  -H 'Content-Type: application/json' \
  -d '{"name": "reg enum key", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"}'

Response Body
{
  "status": "PENDING",
  "values": [],
  "id": 2,
  "name": "reg enum key",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "hive": "pbHKEY_LOCAL_MACHINE",
    "name": "reg enum key",
    "key": "SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
    "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
  },
  "create_time": "2021-11-01T11:26:04Z",
  "finish_time": "2021-11-01T11:26:04.548Z"
}

The SDK helper issues the command and then polls Retrieve Command Status; both calls need only the READ operation, so no additional RBAC operation is required here.


RBAC Permissions Required

org.liveresponse.registry - READ


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# enumerate the key; this helper returns the values under it, while
# list_registry_keys_and_values() also returns the sub_keys
values = live_response.list_registry_values('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')

To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Return the data in the specified registry value. The path is the key path followed by the value name; as the input echo in the examples shows, the last path component becomes value_name and the rest becomes key.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.registry - READ


Request/Response Body - application/json
Request Body
{
  "name": "reg query value",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "value_name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "values": [
    {
      "registry_type": "<string>",
      "registry_name": "<string>",
      "registry_data": "<string>"
    }
  ]
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123516789/ABCD123516"
Content-Type: "application/json"

Request Body
{
  "name": "reg query value",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 6,
    "name": "reg query value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "name": "reg query value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:37:52Z",
    "finish_time": "2021-11-01T11:37:52.660Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123516789/ABCD123516' \
-d '{ "name": "reg query value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'

Response Body
{
    "status": "PENDING",
    "values": [],
    "id": 6,
    "name": "reg query value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "name": "reg query value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:37:52Z",
    "finish_time": "2021-11-01T11:37:52.660Z"
}

Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# the path names the key followed by the value to read
value = live_response.get_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')

To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Update the data in the specified registry value. As with reg query value, the last component of path is the value name and the rest is the key. value_type takes a registry type name with the pb prefix, for example pbREG_NONE, which the response echoes without the prefix.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.



RBAC Permissions Required

org.liveresponse.registry - UPDATE


Request/Response Body - application/json
Request Body
{
  "name": "reg set value",
  "path": "<string>",
  "value_data": "<string>",
  "value_type": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "value_type": "<string>",
    "name": "<string>",
    "value_data": "<string>",
    "overwrite": boolean,
    "key": "<string>",
    "value_name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123526789/ABCD123526"
Content-Type: "application/json"

Request Body
{
  "name": "reg set value",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example",
  "value_data": "check_val",
  "value_type": "pbREG_NONE"
}

Response Body
{
    "status": "PENDING",
    "value": {
        "registry_type": null,
        "registry_name": "reg set value",
        "registry_data": null
    },
    "values": [],
    "id": 9,
    "name": "reg set value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "value_type": "REG_NONE",
        "name": "reg set value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:45:43Z",
    "finish_time": "2021-11-01T11:45:43.159Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
-X POST \
-H 'Content-Type: application/json' \
-H 'X-Auth-Token: ABCDEFGHIJKLMNO123526789/ABCD123526' \
-d '{ "name": "reg set value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example", "value_data": "check_val", "value_type": "pbREG_NONE" }'

Response Body
{
    "status": "PENDING",
    "value": {
        "registry_type": null,
        "registry_name": "reg set value",
        "registry_data": null
    },
    "values": [],
    "id": 9,
    "name": "reg set value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "value_type": "REG_NONE",
        "name": "reg set value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:45:43Z",
    "finish_time": "2021-11-01T11:45:43.159Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.registry - READ, UPDATE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# write the integer 1 to the value; pass value_type= to choose the registry type explicitly
live_response.set_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example', 1)
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
Description

Delete the specified registry value. The path is the key path followed by the value name; note that reg delete key, given the same path, would instead delete a key named Example, so double-check the command name before issuing a delete.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.


RBAC Permissions Required

org.liveresponse.registry - DELETE


Request/Response Body - application/json
Request Body
{
  "name": "reg delete value",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "hive": "<string>",
    "name": "<string>",
    "key": "<string>",
    "value_name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>"
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123536789/ABCD123536"
Content-Type: "application/json"

Request Body
{
  "name": "reg delete value",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
}

Response Body
{
    "status": "PENDING",
    "value": {
        "registry_type": null,
        "registry_name": "reg delete value",
        "registry_data": null
    },
    "values": [],
    "id": 15,
    "name": "reg delete value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "name": "reg delete value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:53:07Z",
    "finish_time": "2021-11-01T11:53:07.469Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123536789/ABCD123536' \
  -d '{ "name": "reg delete value", "path": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example" }'

Response Body
{
    "status": "PENDING",
    "value": {
        "registry_type": null,
        "registry_name": "reg delete value",
        "registry_data": null
    },
    "values": [],
    "id": 15,
    "name": "reg delete value",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "hive": "pbHKEY_LOCAL_MACHINE",
        "name": "reg delete value",
        "key": "SYSTEM\\CurrentControlSet\\services\\ACPI",
        "value_name": "Example",
        "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"
    },
    "create_time": "2021-11-01T11:53:07Z",
    "finish_time": "2021-11-01T11:53:07.469Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.registry - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

live_response.delete_registry_value('HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example')
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
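The registry commands above all take a single path string, and the input echoed in their responses shows how the sensor splits it: key commands (reg create key, reg delete key, reg enum key) treat everything after the hive as key, while value commands (reg query value, reg set value, reg delete value) treat the last component as value_name and the rest as key. The following added example (not code from this page or from the CBC SDK) builds the request body for any of the six commands from a path, predicts that echo, and lets a script compare the prediction against the real response before trusting result_code. Only the HKLM to pbHKEY_LOCAL_MACHINE mapping is documented on this page; the other hive names in HIVES are an assumption by analogy, and the sample response at the bottom is constructed from the reg query value example above.

```python
from typing import Optional, Tuple

KEY_COMMANDS = {"reg create key", "reg delete key", "reg enum key"}
VALUE_COMMANDS = {"reg query value", "reg set value", "reg delete value"}

# HKLM -> pbHKEY_LOCAL_MACHINE is documented on this page; the other entries are an
# assumption by analogy and should be confirmed against a real response before use.
HIVES = {
    "HKLM": "pbHKEY_LOCAL_MACHINE",
    "HKCU": "pbHKEY_CURRENT_USER",
    "HKU": "pbHKEY_USERS",
    "HKCR": "pbHKEY_CLASSES_ROOT",
    "HKCC": "pbHKEY_CURRENT_CONFIG",
}


def registry_command(name: str, path: str, value_data: Optional[str] = None,
                     value_type: Optional[str] = None) -> Tuple[dict, dict]:
    """Return (request body, expected `input` echo) for a registry Live Response command.

    Key commands take everything after the hive as the key; value commands take the
    last component as value_name and the rest as the key, as the response examples
    for HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example show."""
    if name not in KEY_COMMANDS and name not in VALUE_COMMANDS:
        raise ValueError(f"not a registry command: {name!r}")
    parts = path.split("\\")
    hive = HIVES.get(parts[0].upper())
    if hive is None or len(parts) < 2 or "" in parts:
        raise ValueError(f"path must look like HIVE\\Key[\\Sub...]: {path!r}")
    body = {"name": name, "path": path}
    expected = {"hive": hive, "name": name, "object": path}
    if name in KEY_COMMANDS:
        expected["key"] = "\\".join(parts[1:])
    else:
        if len(parts) < 3:
            raise ValueError("value commands need HIVE\\Key\\ValueName")
        expected["key"] = "\\".join(parts[1:-1])
        expected["value_name"] = parts[-1]
        if name == "reg set value":
            if value_data is None or value_type is None:
                raise ValueError("reg set value needs value_data and value_type")
            body["value_data"], body["value_type"] = value_data, value_type
            # the request takes pbREG_*; the echo drops the prefix (pbREG_NONE -> REG_NONE)
            expected["value_type"] = value_type[2:] if value_type.startswith("pb") else value_type
    return body, expected


def echo_matches(expected: dict, response: dict) -> bool:
    """True when every predicted input field comes back unchanged in the API response."""
    echoed = response.get("input", {})
    return all(echoed.get(k) == v for k, v in expected.items())


# Constructed from the reg query value response shown on this page.
PAGE_QUERY_VALUE_RESPONSE = {
    "status": "PENDING", "id": 6, "name": "reg query value", "result_code": 0,
    "input": {"hive": "pbHKEY_LOCAL_MACHINE", "name": "reg query value",
              "key": "SYSTEM\\CurrentControlSet\\services\\ACPI", "value_name": "Example",
              "object": "HKLM\\SYSTEM\\CurrentControlSet\\services\\ACPI\\Example"},
}
```

The check matters most for deletes: reg delete key and reg delete value given the same path remove different objects, and comparing the predicted key and value_name with what the API echoes back is a cheap way to catch the wrong command name before acting on the result.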
Description

Dump the kernel memory of the remote device into a file on the endpoint. The path parameter is where on the remote device the dump file is created; the file is created if it does not exist. Because the dump is written to the endpoint's own disk, retrieve it with a get file command and remove it with a delete file command once it has been collected, rather than leaving a memory image on the host.

The response to this call only confirms that the command was accepted. To see the progress (mem_dump.percentdone), status or result code of the memdump, call Retrieve Command Status with the id returned here.

Note: The CBC Python SDK provides easy integration for Live Response and your future or existing codebase. View the examples below, or click here to review its full technical specification and capabilities.


RBAC Permissions Required

org.liveresponse.memdump - READ


Request/Response Body - application/json
Request Body
{
  "name": "memdump",
  "path": "<string>"
}
Response Body
{
  "id": integer,
  "input": {
    "name": "<string>",
    "object": "<string>"
  },
  "name": "<string>",
  "create_time": "<string>",
  "finish_time": "<string>",
  "result_code": integer,
  "result_type": "<string>",
  "result_desc": "<string>",
  "status": "<string>",
  "mem_dump": {
    "compressing": boolean,
    "complete": boolean,
    "dumping": boolean,
    "percentdone": integer,
    "return_code": integer
  }
}

Examples


Request
POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123546789/ABCD123546"
Content-Type: "application/json"

Request Body
{
  "name": "memdump",
  "path": "C:\\demo\\memdump.txt"
}

Response Body
{
  "status": "PENDING",
  "values": [],
  "mem_dump": {
      "compressing": false,
      "complete": false,
      "dumping": false,
      "return_code": 0,
      "percentdone": 0
  },
  "id": 1,
  "name": "memdump",
  "result_code": 0,
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
      "name": "memdump",
      "object": "C:\\demo\\memdump.txt"
  },
  "create_time": "2021-06-13T20:26:30Z",
  "finish_time": "2021-06-13T20:26:30.367Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands \
  -X POST \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123546789/ABCD123546' \
  -d '{ "name": "memdump", "path": "C:\\demo\\memdump.txt" }'

Response Body
{
    "status": "PENDING",
    "values": [],
    "mem_dump": {
        "compressing": false,
        "complete": false,
        "dumping": false,
        "return_code": 0,
        "percentdone": 0
    },
    "id": 1,
    "name": "memdump",
    "result_code": 0,
    "result_desc": "",
    "sub_keys": [],
    "files": [],
    "input": {
        "name": "memdump",
        "object": "C:\\demo\\memdump.txt"
    },
    "create_time": "2021-06-13T20:26:30Z",
    "finish_time": "2021-06-13T20:26:30.367Z"
}

As the CBC SDK wraps more than one API call in its functionality, it needs additional RBAC permissions.


RBAC Permissions Required

org.liveresponse.memdump - READ
org.liveresponse.file - READ, DELETE


Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.platform import Device

# id of device to connect and issue commands to
device_id = 11412673

# profile='default' refers to the CBC credentials stored in a file.
cb = CBCloudAPI(profile='default')
live_response = cb.select(Device, device_id).lr_session()

# run the memdump command and write the dump to the given path on the endpoint
memdump = live_response.start_memdump("C:\\demo\\memdump.txt")
# block until the sensor reports the dump complete
memdump.wait()
# copy the dump back to the analyst's machine (org.liveresponse.file READ) ...
memdump.get("memdump.bin")
# ... and remove it from the endpoint (org.liveresponse.file DELETE); these two
# steps are why the SDK needs the extra file permissions listed above
memdump.delete()
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.



Response

Code Description Content-Type Content
201 Successful Response application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled or Too Many Commands application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Retrieve Command Status

Retrieve the results of the command requested in Issue Command call.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.session READ
org.liveresponse.process READ
org.liveresponse.registry READ
org.liveresponse.file READ
org.liveresponse.memdump READ

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}

Query Parameters

Field Required
wait No

Response

Code Description Content-Type Content
200 application/json Example response below
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found or Command Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
  "status": "COMPLETE",
  "values": [],
  "id": 1,
  "name": "put file",
  "result_code": 0,
  "result_type": "WinHresult",
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "chunkNumber": 0,
    "file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
    "name": "put file",
    "object": "C:\\demo\\example_file.txt"
  },
  "create_time": "2021-10-29T09:34:33Z",
  "finish_time": "2021-10-29T09:34:34Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/1 \
  -X GET \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
{
  "status": "COMPLETE",
  "values": [],
  "id": 1,
  "name": "put file",
  "result_code": 0,
  "result_type": "WinHresult",
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "chunkNumber": 0,
    "file_id": "3e19efd2-da72-440a-a5bb-12eed3e77cb7",
    "name": "put file",
    "object": "C:\\demo\\example_file.txt"
  },
  "create_time": "2021-10-29T09:34:33Z",
  "finish_time": "2021-10-29T09:34:34Z"
}

Cancel Command

Cancel a Live Response command whose status is still PENDING. Cancelling stops the command from being executed; it does not undo anything the sensor has already done for it.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.liveresponse.process DELETE
org.liveresponse.registry DELETE
org.liveresponse.file DELETE
org.liveresponse.memdump READ

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id}

Response

Code Description Content-Type Content
200 application/json Example response below
400 Invalid Command or Input Validation Error application/json
{
  "success": false,
  "message": "string",
  "error_code": "BadRequest"
}
401 Not Authorized. API_KEY or CONNECTOR_ID are invalid application/json
{
  "success": false,
  "message": "string",
  "error_code": "Unauthorized"
}
403 Live Response Not Enabled application/json
{
  "success": false,
  "message": "string",
  "error_code": "Forbidden"
}
404 Org Not Found or Sensor Not Found application/json
{
  "success": false,
  "message": "string",
  "error_code": "NotFound"
}

Example


Request
DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10

Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

Response Body
{
  "status": "CANCELLED",
  "values": [],
  "id": 10,
  "name": "put file",
  "result_code": 0,
  "result_type": "WinHresult",
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "chunkNumber": 1,
    "file_id": "32b33455-7450-4858-898c-51e1f17aca12",
    "name": "put file",
    "object": "C:\\demo\\example_file.txt"
  },
  "create_time": "2021-10-29T11:48:10Z",
  "finish_time": "2021-10-29T11:48:14Z"
}

Request
curl https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/liveresponse/sessions/1234567:11412673/commands/10 \
  -X DELETE \
  -H 'X-Auth-Token: ABCDEFGHIJKLMNO123456789/ABCD123456'

Response Body
{
  "status": "CANCELLED",
  "values": [],
  "id": 10,
  "name": "put file",
  "result_code": 0,
  "result_type": "WinHresult",
  "result_desc": "",
  "sub_keys": [],
  "files": [],
  "input": {
    "chunkNumber": 1,
    "file_id": "32b33455-7450-4858-898c-51e1f17aca12",
    "name": "put file",
    "object": "C:\\demo\\example_file.txt"
  },
  "create_time": "2021-10-29T11:48:10Z",
  "finish_time": "2021-10-29T11:48:14Z"
}
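A worked example of the command lifecycle that Issue Command, Retrieve Command Status and Cancel Command together describe. It is an added example, not code from this page or from the CBC SDK: a small client that POSTs a command body, polls GET .../commands/{command_id} until the status leaves PENDING, fails closed on a non-zero result_code or a mismatched input.object echo, and DELETEs (cancels) a command that is still PENDING after a poll budget. The HTTP transport is injected, so the example runs offline against the constructed FakeSensor class; for a live session supply a transport that performs the real HTTPS request and returns (status_code, parsed_json). The hostname, org key, session id and token are the placeholder values from the page, the poll budget and interval are assumptions, and polling on an interval is used rather than the wait query parameter.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (method, url, headers, JSON body or None) -> (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]

class LiveResponseError(RuntimeError):
    """HTTP error, non-zero result_code, mismatched echo, or a timed-out (cancelled) command."""

@dataclass
class CommandClient:
    hostname: str      # e.g. https://defense-eap01.conferdeploy.net (placeholder from the page)
    org_key: str       # e.g. ABCD1234
    session_id: str    # e.g. 1234567:11412673 (session:device)
    api_token: str     # "<API secret>/<API ID>", sent as X-Auth-Token
    transport: Transport
    sleep: Callable[[float], None] = time.sleep  # injectable so tests do not wait

    def _call(self, method: str, suffix: str = "", body: Optional[dict] = None) -> dict:
        url = (f"{self.hostname}/appservices/v6/orgs/{self.org_key}"
               f"/liveresponse/sessions/{self.session_id}/commands{suffix}")
        headers = {"X-Auth-Token": self.api_token, "Content-Type": "application/json"}
        status, payload = self.transport(method, url, headers, body)
        if status >= 400:  # every error body on this page is {success, message, error_code}
            raise LiveResponseError(f"HTTP {status} {payload.get('error_code')}: {payload.get('message')}")
        return payload

    def issue(self, body: dict) -> int:
        """POST the command; the API answers at once with a PENDING record and an id."""
        return self._call("POST", body=body)["id"]

    def status(self, command_id: int) -> dict:
        return self._call("GET", f"/{command_id}")

    def cancel(self, command_id: int) -> dict:
        return self._call("DELETE", f"/{command_id}")

    def run(self, body: dict, max_polls: int = 30, interval: float = 1.0) -> dict:
        """Issue `body`, poll until status leaves PENDING, cancel if it never does, fail closed."""
        command_id = self.issue(body)
        for _ in range(max_polls):
            result = self.status(command_id)
            if result["status"] != "PENDING":
                break
            self.sleep(interval)
        else:  # still PENDING: cancel so it cannot run later, unattended
            cancelled = self.cancel(command_id)
            raise LiveResponseError(f"{body['name']} #{command_id} timed out; now {cancelled['status']}")
        if result["status"] != "COMPLETE" or result["result_code"] != 0:
            raise LiveResponseError(f"{body['name']} #{command_id} ended {result['status']} "
                                    f"result_code={result['result_code']} {result.get('result_desc', '')}")
        # the sensor echoes the object it acted on; make sure it is the one we asked for
        if "path" in body and result["input"].get("object") != body["path"]:
            raise LiveResponseError(f"sensor echoed {result['input'].get('object')!r}, not {body['path']!r}")
        return result

class FakeSensor:
    """Constructed stand-in for the backend: PENDING for `pending_polls` GETs, then COMPLETE."""

    def __init__(self, pending_polls: int, result_code: int = 0):
        self.pending_polls, self.result_code, self.commands = pending_polls, result_code, {}

    def __call__(self, method, url, headers, body):
        if method == "POST":
            cid = len(self.commands) + 1
            self.commands[cid] = {"body": body, "polls": 0, "cancelled": False}
            return 201, self._record(cid, "PENDING")
        cid = int(url.rsplit("/", 1)[1])
        if method == "DELETE":
            self.commands[cid]["cancelled"] = True
            return 200, self._record(cid, "CANCELLED")
        self.commands[cid]["polls"] += 1
        if self.commands[cid]["polls"] <= self.pending_polls:
            return 200, self._record(cid, "PENDING")
        return 200, self._record(cid, "COMPLETE", self.result_code)

    def _record(self, cid, status, result_code=0):
        body = self.commands[cid]["body"]
        return {"id": cid, "name": body["name"], "status": status, "result_code": result_code,
                "result_type": "WinHresult", "result_desc": "" if result_code == 0 else "error",
                "input": {"name": body["name"], "object": body.get("path")},
                "values": [], "sub_keys": [], "files": []}

def _client(sensor: FakeSensor) -> CommandClient:
    return CommandClient("https://defense-eap01.conferdeploy.net", "ABCD1234", "1234567:11412673",
                         "ABCDEFGHIJKLMNO123456789/ABCD123456", sensor, sleep=lambda _: None)

def demo_success() -> dict:
    """create directory stays PENDING for two polls and completes on the third."""
    sensor = FakeSensor(pending_polls=2)
    result = _client(sensor).run({"name": "create directory", "path": "C:\\demo"}, max_polls=5)
    return {"status": result["status"], "polls": sensor.commands[1]["polls"]}

def demo_failure(pending_polls: int, result_code: int, max_polls: int) -> dict:
    """Drive a memdump into a timeout (cancelled) or a non-zero result_code (rejected)."""
    sensor = FakeSensor(pending_polls, result_code)
    try:
        _client(sensor).run({"name": "memdump", "path": "C:\\demo\\memdump.txt"}, max_polls=max_polls)
    except LiveResponseError as exc:
        return {"error": str(exc), "cancelled": sensor.commands[1]["cancelled"]}
    return {"error": None, "cancelled": False}
```

Cancelling a command that has outlived its poll budget is the safe default: a command left PENDING would otherwise execute whenever the sensor next processes it, possibly after the analyst has moved on, and its result would go unchecked. The echo check on input.object is cheap insurance that the sensor acted on the path the script intended.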

Fields

You can find field definitions and more details for all request and response fields here.

Last modified on November 1, 2021