Accessing Carbon Black Response via The Command Line

Accessing Carbon Black Response via The Command Line

Carbon Black Response is our preferred tool for performing live analysis of activity occurring on hosts on a network. As well as a fully functional web interface for analysis, Carbon Black Response also provides a comprehensive API that can be leveraged to automate anything that can be achieved with the web interface, as well as building completely new tools.

By Russell Hole

17 Nov 2017

This blog post details one such tool developed by our Response team, which aims to provide a feature-rich interface for quickly performing searches and retrieving the information you’re interested in. This tool has been used internally for the past couple of months on live response jobs and incidents with a lot of success. Now that it has been thoroughly tested by our team, we are planning to release the source code publically so other users of Carbon Black Response can also benefit.

Why was CbRCLI developed?

Context has found that the web interface provided with Carbon Black Response is very useful when you have identified suspicious behavior and want to investigate the associated processes or binaries in detail. This method of investigation is very effective when looking at a small quantity of events, however it can become time consuming to look at large amounts of data. To improve the efficiency of some analysis tasks, Context analysts often move to using the API to pull back data in bulk so that it can be processed programmatically before being displayed to the analyst. CbRCLI was developed to consolidate most of the functionality of these scripts into a consistent and easy-to-use tool that requires no coding ability to extract valuable data. Since the internal release of version 1.0 of CbRCLI, our analysts have worked hard to add features and fix bugs to make it a fully featured analysis tool, which can now perform almost all the same functionality as the web interface. That said, is designed to work alongside the web interface, rather than replace it, and provides various commands for integration between the two analysis interfaces.

A command line tool? Isn’t that just for nerds?

Hopefully not! Context has worked hard to make this tool accessible to people of all technical capabilities and backgrounds. While anybody familiar with command line applications will be able to pick up and use the tool effectively from the start, built in help, suggestions and autocompletion functionality should allow people of all technical abilities to quickly learn how to use it.

Can I see it in action?

The recording below will give an idea of what can be achieved using CbRCLI. As a short demo it only gives a basic overview of some of the functionality, but should give an idea of the workflows involved in using the tool as well as what can be achieved using it. More thorough documentation as well as examples can be found on the project’s github page.

Ok, I’m convinced. How can I try it out?

Head over to our github page to grab the tool. The readme displayed on this page will provide you with installation instructions as well as documentation on the main features as well as example commands. If you have any feedback or feature/bug reports please create an issue on the github page.

If you have a question for us or require any further information, please get in touch.

Contact Us

About Russell Hole

CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor