Carbon Black Response

This app supports executing various endpoint-based investigative and containment actions on Carbon Black Response

Supported Actions

• test connectivity: Validate the asset configuration by attempting to connect. This action runs a quick query on the device to check the connection and credentials
• hunt file: Hunt for a binary file on the network by querying for the MD5 hash of it on the Carbon Black Response device. This utilizes Carbon Black Response's binary search feature to look for files on the hard drives of endpoints
• create alert: Create an alert/watchlist
• update alerts: Update or resolve an alert
• run query: Run a search query on the device
• list alerts: List all the alerts/watchlists configured on the device
• list endpoints: List all the endpoints/sensors configured on the device
• quarantine device: Quarantine the endpoint
• unquarantine device: Unquarantine the endpoint
• sync events: Force a sensor to sync all queued events to the server
• get system info: Get information about an endpoint
• list processes: List the running processes on a machine
• terminate process: Kill running processes on a machine
• get file: Download a file from Carbon Black Response and add it to the vault
• put file: Upload file to a Windows hostname
• run command: Issue a Carbon Black Response command by providing the command name and the command's parameters as the 'data'
• execute program: Execute a process
• memory dump: Memory dump for a specified path
• reset session: Tell the server to reset the sensor "sensor_wait_timeout"
• get file info: Get info about a file from Carbon Black Response
• block hash: Add a hash to the Carbon Black Response blacklist
• unblock hash: Unblock the hash
• list connections: List all of the connections from a given process name, PID, or Carbon Black process ID
• on poll: Ingests unresolved alerts into Phantom
• get license: Gets the license information of the device