ContextIS Introduces CbRCLI to Access Cb Response via the Command Line for Faster, More Efficient Incident Response


When you think of incident response, there are two key factors: the incident itself, and the need to respond to it quickly and effectively. Your incident response toolkit needs to contain everything required to perform investigations and forensic analysis with speed, accuracy and, above all, ease.

Nobody wants to struggle with a script that constantly needs to be changed, and no analyst wants to juggle separate, disparate tools, each with its own quirks and limitations. Without the ability to integrate tools and functions and unify their output in a single view, your incident response process becomes longer and more laborious, and you are likely to miss relevant artifacts or data.

Today we would like to focus on one of Carbon Black’s partners, ContextIS, who is not only a frequent user of Cb Response in their breach investigations but also very active in the developer community, providing custom scripts, detections and valuable feedback.

We are highlighting a tool ContextIS has developed in-house and is making available to the entire Cb community: the Cb Response Command Line Interface (CbRCLI). ContextIS has published the source code on their GitHub and actively welcomes contributions. Their repository is located at https://github.com/ctxis

CbRCLI is a tool that ContextIS incident responders have developed and refined over a number of investigations, primarily born out of two use cases:

1) Script re-use and reconfiguration on the fly

2) API access for other third-party tools that ContextIS utilise in their investigations.

CbRCLI is just that: a text-based interface to Cb Response. In environments where systems are locked down, or where your incident responders simply prefer a Linux-style command shell, CbRCLI is the way forward.

CbRCLI (currently) allows for the following:

– Autocomplete of input and options

– Searching across process, binary and sensor information

– Choosing which columns to view in a dataset

– Applying regex filters to columns on the fly

– Suppression of duplicate results

– Saving of search queries and dataset filters

– Text and formatting options

– Specifying a search timeframe

– Export of results to a tab-separated file

– Summary of data frequency (most and least common values)

– Extended information on any result in a fieldset

– Listing all file modifications or network connections for a query result (colour-coded for write/delete)

– Visualising the full process tree in a web browser via a quick launch based on row number

– Directly opening a Live Response shell to the endpoint
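To make the result-handling features above concrete (regex filters on a column, duplicate suppression, most/least common value summaries, column selection and tab-separated export), here is an added example in Python. It is not CbRCLI's own code and does not talk to a Cb Response server: the rows are a constructed stand-in for what a process search returns, with the field names (hostname, username, process_name, cmdline) assumed for illustration. It also adds one caveat a responder wants when exporting attacker-controlled command lines to a spreadsheet: cells beginning with =, +, - or @ are neutralised so they are not evaluated as formulas when the TSV is opened in Excel or LibreOffice.

```python
"""Post-processing helpers of the kind a Cb Response CLI applies to query
results. Added example with constructed data; not CbRCLI code."""
import csv
import io
import re
from collections import Counter

# Constructed sample rows shaped like Cb Response process search results.
# Field names are assumed for illustration; the data is invented.
SAMPLE_ROWS = [
    {"hostname": "WS-ACCT-01", "username": "CORP\\alice", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"hostname": "WS-ACCT-01", "username": "CORP\\alice", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"hostname": "WS-ENG-07", "username": "CORP\\bob", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"hostname": "SRV-FILE-02", "username": "NT AUTHORITY\\SYSTEM", "process_name": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"hostname": "WS-ENG-07", "username": "CORP\\bob", "process_name": "cmd.exe",
     "cmdline": "cmd.exe /c net user backdoor P@ssw0rd /add"},
    {"hostname": "WS-ACCT-01", "username": "CORP\\alice", "process_name": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\update.dll,Start"},
]


def regex_filter(rows, column, pattern):
    """Keep rows whose value in `column` matches `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(str(r.get(column, "")))]


def suppress_duplicates(rows, columns):
    """Drop rows that repeat an earlier row on the given key columns."""
    seen, out = set(), []
    for r in rows:
        key = tuple(r.get(c) for c in columns)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def frequency_summary(rows, column, n=3):
    """Return (most_common, least_common) value counts for one column."""
    counts = Counter(r.get(column) for r in rows)
    by_count = sorted(counts.items(), key=lambda kv: kv[1])  # stable, ascending
    return counts.most_common(n), by_count[:n]


# Characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def safe_cell(value):
    """Prefix a cell with an apostrophe if a spreadsheet would treat it as a formula."""
    s = str(value)
    return "'" + s if s.startswith(FORMULA_LEADERS) else s


def to_tsv(rows, columns, spreadsheet_safe=True):
    """Render the selected columns as tab-separated text. The csv module quotes
    any tabs or newlines embedded in command lines so rows stay intact."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(columns)
    for r in rows:
        cells = [r.get(c, "") for c in columns]
        if spreadsheet_safe:
            cells = [safe_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


if __name__ == "__main__":
    # Encoded PowerShell, one line per distinct host/command pair.
    hits = suppress_duplicates(regex_filter(SAMPLE_ROWS, "cmdline", r"-enc\b"),
                               ["hostname", "cmdline"])
    print(to_tsv(hits, ["hostname", "username", "cmdline"]))
    print(frequency_summary(SAMPLE_ROWS, "process_name", 2))
```

Running the block filters the constructed rows down to the one distinct encoded-PowerShell launch and prints the process-name frequency table; swap the sample list for real query output to reuse the same pipeline.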

If you would like to see CbRCLI in action, check out this video.

Otherwise, check them out on our Developer Relationship Showcase, located here.

Or on the ContextIS GitHub repo at https://github.com/ctxis

Read the news release here.

The post ContextIS Introduces CbRCLI to Access Cb Response via the Command Line for Faster, More Efficient Incident Response appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
