DeviceQueries
An interface to query PSC devices. Notice there is functionality to quarantine resulting devices. To prevent analysts from accidentally quarantining hundreds or thousands of devices at once, mass quarantine is limited to ten devices. Let me know if you want this changed into a warning or made configurable.
The search implementation is well done by Carbon Black, much better than with their Response product. If you do not know what field to use, you can probably do a wide open search and find what you're looking for. For example, you can search for a user's email address.
$ cbinterface device -h
usage: cbinterface device [-h] [-nw] [-ad] [-q] [-uq] device_query
positional arguments:
device_query the device query you'd like to execute. 'FIELDS' for help.
optional arguments:
-h, --help show this help message and exit
-nw, --no-warnings Don't warn before printing large query results
-ad, --all-details Print all available process info (all fields).
-q, --quarantine Quarantine the devices returned by the query.
-uq, --un_quarantine UN-Quarantine the devices returned by the query.
Query for a specific device name:
$ cbinterface device name:yhp2bg
2021-03-12 15:08:45 analysis cbinterface.psc.cli[9766] INFO searching psc:default environment for device query: name:yhp2bg...
2021-03-12 15:08:45 analysis cbinterface.psc.device[9766] INFO got 1 device results.
------------------------- PSC DEVICE RESULTS -------------------------
-------------------------------------------------------------------------------
AD Group ID: 27098
Current Policy Name: Default General Policy
Deployment Type: ENDPOINT
Device ID: 37100999
Device Name: YHP2BG
Device MAC address: 080027aca351
Device OS: WINDOWS
Device OS Version: Windows 10 x64
Device Owner ID: 5599374
Device Owner Email: NeoLite6
Device Owner Name: None, None
Device Quarantined: False
Device Registration Time: 2021-02-17 14:41:50.580000-0500
Last Checkin Time: 2021-03-12 09:41:00.693000-0500
↳ Elapsed Time: 5:27:48.312221 - likely offline 💤
Last Reported Event Time: 2021-03-12 09:37:18.099000-0500
Last External IP: 174.87.68.13
Last Internal IP: 10.0.2.15
Last Location: OFFSITE
Last Logged In User: YHP2BG\NeoLite6
Sensor status: REGISTERED
Sensor Version: 3.6.0.1979
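The two safeguards worth reproducing from the output above are the elapsed-time annotation on Last Checkin Time (a device that has not checked in for a while will only pick up a quarantine at its next check-in) and the ten-device cap on mass quarantine from the -q/-uq flags. The block below is an added example, not cbinterface's own code: it parses the timestamp layout printed above, flags stale check-ins, and refuses a quarantine plan that would touch more than ten devices. The 30-minute offline threshold, the SAMPLE_NOW instant, the record layout and the device ids other than 37100999 are all assumptions or constructed values.

```python
from datetime import datetime, timedelta, timezone

MAX_QUARANTINE = 10                    # cap described on this page
OFFLINE_AFTER = timedelta(minutes=30)  # assumption: cbinterface's real threshold is not on the page

# Timestamp layout as printed in the results above, e.g. "2021-03-12 09:41:00.693000-0500".
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"

# Constructed "now", chosen so the first record reproduces the page's 5:27:48.312221 elapsed time.
SAMPLE_NOW = datetime(2021, 3, 12, 15, 8, 49, 5221, tzinfo=timezone(timedelta(hours=-5)))

# Constructed records in the shape cbinterface prints; ids other than 37100999 are placeholders.
SAMPLE_DEVICES = [
    {"device_id": 37100999, "name": "YHP2BG", "quarantined": False,
     "last_checkin": "2021-03-12 09:41:00.693000-0500"},
    {"device_id": 100002, "name": "PLACEHOLDER-02", "quarantined": True,
     "last_checkin": "2021-03-12 15:05:12.000000-0500"},
]


def parse_ts(value: str) -> datetime:
    """Parse a cbinterface timestamp; %z accepts the colon-less '-0500' offset."""
    return datetime.strptime(value, TS_FORMAT)


def checkin_status(last_checkin: str, now: datetime):
    """Return (elapsed since last check-in, likely_offline) for one device."""
    elapsed = now - parse_ts(last_checkin)
    return elapsed, elapsed > OFFLINE_AFTER


def summarize(devices, now):
    """One (name, elapsed-as-string, likely_offline) tuple per device."""
    out = []
    for d in devices:
        elapsed, offline = checkin_status(d["last_checkin"], now)
        out.append((d["name"], str(elapsed), offline))
    return out


def plan_quarantine(devices, action: str) -> dict:
    """Decide which device ids a -q/-uq run would change, or refuse.

    Refuses outright when more than MAX_QUARANTINE devices matched, so a query
    wider than the analyst intended cannot quarantine hundreds of hosts in one
    run.  Devices already in the requested state are left out of the plan.
    """
    if action not in ("quarantine", "un_quarantine"):
        raise ValueError(f"unknown action: {action}")
    if len(devices) > MAX_QUARANTINE:
        return {"ok": False, "targets": [],
                "reason": f"{len(devices)} devices matched; mass {action} is limited to {MAX_QUARANTINE}"}
    want = action == "quarantine"
    targets = [d["device_id"] for d in devices if d["quarantined"] != want]
    return {"ok": True, "targets": targets, "reason": ""}


if __name__ == "__main__":
    for name, elapsed, offline in summarize(SAMPLE_DEVICES, SAMPLE_NOW):
        print(f"{name}: elapsed {elapsed}" + (" - likely offline" if offline else ""))
    print(plan_quarantine(SAMPLE_DEVICES, "quarantine"))
    # Twelve matches: the cap refuses rather than quarantining them all.
    print(plan_quarantine(SAMPLE_DEVICES * 6, "quarantine"))
```

The plan is computed before anything is sent to the API, so a wide-open query such as the IP search further down can be reviewed for size and staleness first; an offline device that is quarantined will not actually be isolated until it next checks in.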
Wide-open query for a device associated with this IP address:
$ cbinterface device 174.87.68.13
2021-03-12 15:09:46 analysis cbinterface.psc.cli[9950] INFO searching psc:default environment for device query: 174.87.68.13...
2021-03-12 15:09:46 analysis cbinterface.psc.device[9950] INFO No field specification passed. Use 'FIELDS' for help.
2021-03-12 15:09:50 analysis cbinterface.psc.device[9950] INFO got 3 device results.
------------------------- PSC DEVICE RESULTS -------------------------
-------------------------------------------------------------------------------
AD Group ID: 27098
Current Policy Name: Default General Policy
Deployment Type: ENDPOINT
Device ID: 37100999
Device Name: YHP2BG
Device MAC address: 080027aca351
Device OS: WINDOWS
Device OS Version: Windows 10 x64
Device Owner ID: 5599374
Device Owner Email: NeoLite6
Device Owner Name: None, None
Device Quarantined: False
Device Registration Time: 2021-02-17 14:41:50.580000-0500
Last Checkin Time: 2021-03-12 09:41:00.693000-0500
↳ Elapsed Time: 5:28:49.527549 - likely offline 💤
Last Reported Event Time: 2021-03-12 09:37:18.099000-0500
Last External IP: 174.87.68.13
Last Internal IP: 10.0.2.15
Last Location: OFFSITE
Last Logged In User: YHP2BG\NeoLite6
Sensor status: REGISTERED
Sensor Version: 3.6.0.1979
<omitted more results>
I didn't find documentation for the device search fields. Please point me to it if you know where it is. The device search fields appear to map to the PSC Device model, although this is not perfect: some fields do not work. For convenience, you can get a list of these fields like this:
$ cbinterface device FIELDS
2021-03-12 15:11:09 analysis cbinterface.psc.cli[10229] INFO searching psc:default environment for device query: FIELDS...
Device model fields:
osVersion
activationCode
organizationId
deviceId
deviceSessionId
deviceOwnerId
deviceGuid
email
assignedToId
assignedToName
deviceType
firstName
lastName
middleName
createTime
policyId
policyName
quarantined
targetPriorityType
lastVirusActivityTime
firstVirusActivityTime
activationCodeExpiryTime
organizationName
sensorVersion
registeredTime
lastContact
lastReportedTime
windowsPlatform
vdiBaseDevice
avStatus
deregisteredTime
sensorStates
messages
rootedBySensor
rootedBySensorTime
lastInternalIpAddress
lastExternalIpAddress
lastLocation
avUpdateServers
passiveMode
lastResetTime
lastShutdownTime
scanStatus
scanLastActionTime
scanLastCompleteTime
linuxKernelVersion
avEngine
avLastScanTime
rootedByAnalytics
rootedByAnalyticsTime
testId
avMaster
uninstalledTime
name
status
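Because the tool falls back to a wide-open search when no field is given, and because not every model field above actually searches, it helps to classify a query before sending it. The block below is an added example, not cbinterface's own code: it recognises the single `field:value` form shown on this page, the `FIELDS` keyword, and bare wide-open terms, and warns when the field name is not in the model list. MODEL_FIELDS is a hand-picked subset of the FIELDS output above, and the function name and return layout are assumptions.

```python
# Subset of the Device model fields printed by `cbinterface device FIELDS` above.
MODEL_FIELDS = {
    "name", "email", "deviceId", "osVersion", "policyName", "quarantined",
    "lastContact", "lastInternalIpAddress", "lastExternalIpAddress",
    "sensorVersion", "status",
}


def classify_query(query: str) -> dict:
    """Classify a device query string before it is sent.

    Returns a dict with kind ('fields_help', 'wide_open' or 'fielded'), the
    parsed field and value, and a list of warnings.  Only the single
    'field:value' form shown on this page is recognised.
    """
    q = query.strip()
    if q == "FIELDS":
        return {"kind": "fields_help", "field": None, "value": None, "warnings": []}
    field, sep, value = q.partition(":")
    # A bare value may itself contain colons (e.g. a colon-separated MAC such as
    # 08:00:27:...); only treat the prefix as a field when it looks like a name.
    if not sep or not field.isidentifier():
        return {"kind": "wide_open", "field": None, "value": q,
                "warnings": ["No field specification passed. Use 'FIELDS' for help."]}
    warnings = []
    if field not in MODEL_FIELDS:
        warnings.append(f"'{field}' is not a Device model field; the search may return nothing")
    if not value:
        warnings.append("empty value after ':'")
    return {"kind": "fielded", "field": field, "value": value, "warnings": warnings}


if __name__ == "__main__":
    # The two queries from this page plus a constructed MAC-style value.
    for q in ("name:yhp2bg", "174.87.68.13", "08:00:27:ac:a3:51", "hostname:yhp2bg"):
        print(q, "->", classify_query(q))
```

Splitting on the first colon only keeps timestamp values intact (`lastContact:2021-03-12 09:41:00` parses as field `lastContact`), and the identifier check stops a numeric prefix from being mistaken for a field name.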