Live Response Detached Session Management Mode

You can enter Live Response without a specific session. In this mode, you can take certain actions that do not require access to an endpoint.

Actions include viewing active sessions or examining files that have been uploaded to the server as a result of a session. You can attach to (join) an existing session or create a new one.

Some commands in detached mode are accessible by users who do not have Global Administrator privileges, but most are not, and attempting to use them returns an error message in the command window.

To open a Live Response command window without a session, click Go Live on the navigation bar. The Live Response page appears. In this mode, the prompt in the command window shows [Live Response]# without the name of an endpoint.

The following table shows the available commands in Live Response Management Mode.


Command	Description
archive [id]	Obtain an archive (gzip tarball) of all the session data for the session whose ID is provided.
argparse	Test how Live Response parses CLI arguments. This command helps determine whether there are any interpretation issues.
attach [id]	Attach to the session whose ID is provided. The `session` command can be used to find the ID of an existing session or create a new one. A session must be in active or pending state to be attached.
clear	Clear the console screen. You can also use the `cls` command for this purpose.
files -s [id]	Perform actions over cache-stored files for the session whose ID is provided.
help	Show the commands available in this mode with a brief description of each.
help command	Show the description of the specified command with additional details (such as options) if available. For example: `help dir`
sensor [options]	List sensors that this Carbon Black EDR server manages. Options: -i `[1.2.3.4]` – Return all sensors with specified IP address. -n `[host_str]` – Return all sensors with matching host name. -a – Return all sensors. Searches are case-sensitive substring searches for both host name and IP address. You must use an option with this command. If both `-n` and `-i` are specified, only `-i` is used.
session	Manage Live Response sessions. With no argument, lists all open sessions and their ID numbers, which can be used with the `attach` command. Options: session new `[id]` – Create a new session for the sensor whose ID number is provided. You must provide a sensor ID, not a session ID. session list`[-v]` – List existing sessions. If the `-v` option is included, closed sessions are included. This option (without `-v` ) is the default when no additional arguments are used. close `[id]` – Close the session whose ID is provided.