Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface.

Tip: You can also use the Live Response API. It is asynchronous; calling an API to execute a command on the remote endpoint, for example, will return immediately with a command ID. You can then poll the API using the command ID until a result status is returned.

Enable or disable Live Response

To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black Cloud. Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned a policy with Live Response enabled.

To enable or disable Live Response by policy

  1. Click Enforce, then Policies.
  2. Select a policy group.
  3. In the Sensor tab, select or deselect the Enable Live Response checkbox as applicable, then click Save.

To disable Live Response by endpoint

  1. Click Endpoints and select the sensors.
  2. Click Take Action, then Disable Live Response, and confirm the action.
Note:

You can also disable Live Response during a command line sensor installation by using the DISABLE_LIVE_RESPONSE option.

Initiate a Live Response session

When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running simultaneously, and multiple users can be attached to the same session. Each session is limited to 250 commands.

Live Response can be used on devices in bypass mode or quarantine.

To initiate a Live Response session

  1. Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert Triage, and Investigate pages.
  2. In the Actions column at the end of the row, click the Live Response Live Response icon >_ icon >_ to start a Live Response session.
  3. Click in the command window area and type the help command to view a list of available commands or use the Live Response commands reference. Type help commandname to get help about a specific command.
Note:

If more than one user submits a command through the session at approximately the same time, each command must finish executing before the next one can begin. One user can undo or otherwise modify what another user is doing.

Live Response command window status indicator

The command window is color-coded to denote a particular status and message.

  • Green: The sensor is connected and a session is established. The host name for the endpoint displays.

  • Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no session is attached.

  • Red: A session cannot be established with the sensor because the endpoint is offline, the sensor is disabled, or the sensor version does not support Live Response.

End a Live Response session

You can leave or terminate a Live Response session.

  • Click End my session to leave your session. Other users attached to the session will remain until the session is terminated.

  • Enter command detach to leave your session. Other users attached to the session will remain until the session is terminated.

  • Enter command detach -q to terminate the session. Any other users attached to the session will also be detached.

Note: By default, sessions timeout after 15 minutes of inactivity. The following events cause a session timeout:
  • If a sensor does not check-in with the backend for 15 minutes, the sensor will timeout.
  • If there is 15 minutes of inactivity in the sensor user interface, the session will timeout.

Live Response activity logging

Live Response activity is logged on accessed sensors and the Carbon Black Cloud backend. Commands executed during a session for any accessed sensors are logged in the cblr.log file, located in the sensor installation folder on the endpoint.