Use Live Response to perform remote investigations, contain ongoing attacks, and remediate threats using a command line interface.
Enable or disable Live Response
To use Live Response, users must be assigned a role with Live Response permissions in the Carbon Black Cloud. Live Response is available on endpoints running a version 3.0 or later sensor and which have been assigned a policy with Live Response enabled.
To enable or disable Live Response by policy
- Click Enforce, then Policies.
- Select a policy group.
- In the Sensor tab, select or deselect the Enable Live Response checkbox as applicable, then click Save.
To disable Live Response by endpoint
- Click Endpoints and select the sensors.
- Click Take Action, then Disable Live Response, and confirm the action.
You can also disable Live Response during a command line sensor installation by using the
Initiate a Live Response session
When you activate Live Response, you create and attach to a session. Up to 100 sessions can be running simultaneously, and multiple users can be attached to the same session. Each session is limited to 250 commands.
Live Response can be used on devices in bypass mode or quarantine.
To initiate a Live Response session
- Click Endpoints and select the sensor. You can also initiate a Live Response session on the Alerts, Alert Triage, and Investigate pages.
- In the Take Action column, click the >_ icon to start a Live Response session. On other pages, click the Take Action button and select the Start a Live Response session option.
- Click in the command window area and type the "help" command to view a list of available commands, or use the Live Response commands reference. Type "help commandname" to get help about a specific command.
If more than one user submits a command through the session at approximately the same time, each command must finish executing before the next one can begin. One user can undo or otherwise modify what another user is doing.
Live Response command window status indicator
The command window is color-coded to denote a particular status and message.
Green: The sensor is connected and a session is established. The host name for the endpoint displays.
Yellow: The CB backend is waiting for the sensor to check in, or no endpoint is connected because no session is attached.
Red: A session cannot be established with the sensor because the endpoint is offline, the sensor is disabled, or the sensor version does not support Live Response.
End a Live Response session
You can leave or terminate a Live Response session.
- Click End my session to leave your session. Other users attached to the session will remain until the session is terminated.
- Type "detach" to leave your session. Other users attached to the session will remain until the session is terminated.
- Type "detach -q" to terminate the session. Any other users attached to the session will also be detached.
- If a sensor does not check in with the backend for 15 minutes, the sensor will time out.
- If there are 15 minutes of inactivity in the sensor user interface, the session will time out.
Live Response activity logging
Live Response activity is logged on accessed sensors and the Carbon Black Cloud backend. Commands executed during a session for any accessed sensors are logged in the cblr.log file, located in the sensor installation folder on the endpoint.