Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface.
Enable or disable Live Response
To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black Cloud. Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned a policy with Live Response enabled.
To enable or disable Live Response by policy
- Click Enforce, then Policies.
- Select a policy group.
- In the Sensor tab, select or deselect the Enable Live Response checkbox as applicable, then click Save.
To disable Live Response by endpoint
- Click Endpoints and select the sensors.
- Click Take Action, then Disable Live Response, and confirm the action.
You can also disable Live Response during a command line sensor installation by using the DISABLE_LIVE_RESPONSE
option.
Initiate a Live Response session
When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running simultaneously, and multiple users can be attached to the same session. Each session is limited to 250 commands.
Live Response can be used on devices in bypass mode or quarantine.
To initiate a Live Response session
- Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert Triage, and Investigate pages.
- In the Actions column at the end of the row, click the Live Response icon >_ to start a Live Response session.
- Click in the command window area and type the
help
command to view a list of available commands or use the Live Response commands reference. Typehelp commandname
to get help about a specific command.
If more than one user submits a command through the session at approximately the same time, each command must finish executing before the next one can begin. One user can undo or otherwise modify what another user is doing.
Live Response command window status indicator
The command window is color-coded to denote a particular status and message.
-
Green: The sensor is connected and a session is established. The host name for the endpoint displays.
-
Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no session is attached.
-
Red: A session cannot be established with the sensor because the endpoint is offline, the sensor is disabled, or the sensor version does not support Live Response.
End a Live Response session
You can leave or terminate a Live Response session.
-
Click End my session to leave your session. Other users attached to the session will remain until the session is terminated.
-
Enter command
detach
to leave your session. Other users attached to the session will remain until the session is terminated. -
Enter command
detach -q
to terminate the session. Any other users attached to the session will also be detached.
- If a sensor does not check-in with the backend for 15 minutes, the sensor will timeout.
- If there is 15 minutes of inactivity in the sensor user interface, the session will timeout.
Live Response activity logging
Live Response activity is logged on accessed sensors and the Carbon Black Cloud backend. Commands executed during a session for any accessed sensors are logged in the cblr.log
file, located in the sensor installation folder on the endpoint.