Cb Response - Sensor Details

Description

This analysis returns details of the Carbon Black Response Sensor including:

  • Version
  • Install Date
  • Service State
  • Config/Profile Name
  • Backend Server
  • Sensor ID
  • Collect Configuration

Property Details

ID: 2998400
Status: Production - Fully Tested and Ready for Production
Title: Cb Response - Sensor Details
Domain: BESC
Keywords: IBM BigFix & Carbon Black Integration Content
Added by on 9/16/2016 11:50:46 AM
Last Modified by on 9/16/2016 11:50:46 AM
Counters: 10004 Views / 195 Downloads

Properties

Version
Period 1 hour
if (windows of operating system) then (version of service whose (display name of it = "Carbon Black Sensor") as string | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (version of package "cbsensor" of rpm as string | "n/a") else "n/a"
Install Date
Period 1 hour
if (windows of operating system) then ((value "InstallDate" of keys whose (value "DisplayName" of it = "Carbon Black Sensor") of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of registry as string) | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then ((year of it as string & (if month of it as integer < 10 then "0" & month of it as integer as string else month of it as integer as string) & (if day_of_month of it as integer < 10 then "0" & day_of_month of it as string else day_of_month of it as string)) of date (local time zone) of modification time of folder "/opt/cbsensor") else "n/a"
Service State
Period Every Report
if (windows of operating system) then (state of service whose (display name of it = "Carbon Black Sensor") | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (if exists process "cbdaemon" then "Running" else "n/a") else "n/a"
Config Name
Period 1 hour
if (windows of operating system) then (percent decode (value "ConfigName" of key "HKLM\Software\CarbonBlack\config" of native registry as string | "n/a")) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (percent decode (key "ConfigName" of file "/var/lib/cb/sensorsettings.ini" | "n/a")) else "n/a"
Backend Server
Period 1 hour
if (windows of operating system) then (percent decode (value "SensorBackendServer" of key "HKLM\Software\CarbonBlack\config" of native registry as string | "n/a")) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (percent decode (key "SensorBackendServer" of file "/var/lib/cb/sensorsettings.ini" | "n/a")) else "n/a"
Sensor ID
Period 1 hour
if (windows of operating system) then (hexadecimal integer (lasts 8 of (value "SensorID" of key "HKLM\Software\CarbonBlack\config" of native registry as integer as hexadecimal | 0 as hexadecimal)) | 0) else 0
Collect Configuration
Period 1 hour
if (windows of operating system) then ((name of it, it as string) of values whose (name of it starts with "Collect") of keys "HKLM\Software\CarbonBlack\config" of native registry) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (((preceding texts of firsts "=" of it) as string, (following texts of firsts "=" of it) as string) of lines whose (it as string starts with "Collect") of files "/var/lib/cb/sensorsettings.ini") else ("n/a","n/a")

Relevance

Used in 77 fixlets and 6 analyses
version of client >= "9.0"
Used in 4 fixlets and 1 analysis
(windows of operating system) OR (exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))
Used in 1 analysis
if (windows of operating system) then (exists keys whose (value "DisplayName" of it = "Carbon Black Sensor") of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of registry) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (exists package "cbsensor" of rpm) else false