Cb Response - Sensor Details
Description
This analysis returns details of the Carbon Black Response sensor on Windows endpoints and on CentOS / Red Hat Enterprise Linux 6 and 7 endpoints (the Linux branches read the rpm database and /var/lib/cb/sensorsettings.ini; the Windows branches read the service table and the HKLM\Software\CarbonBlack\config registry key), including:
- Version
- Install Date
- Service State
- Config/Profile Name
- Backend Server
- Sensor ID
- Collect Configuration
Property Details
ID: 2998400
Status: Production - Fully Tested and Ready for Production
Title: Cb Response - Sensor Details
Domain: BESC
Category: IBM BigFix & Carbon Black Integration Content
Created: CarbonBlack on 9/16/2016 11:50:46 AM
Modified: CarbonBlack on 9/16/2016 11:50:46 AM
10004 Views / 195 Downloads
Properties
Version
Period
1 hour
if (windows of operating system) then (version of service whose (display name of it = "Carbon Black Sensor") as string | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (version of package "cbsensor" of rpm as string | "n/a") else "n/a"
Install Date
Period
1 hour
if (windows of operating system) then ((value "InstallDate" of keys whose (value "DisplayName" of it = "Carbon Black Sensor") of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of registry as string) | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (((year of it as string & (if month of it as integer < 10 then "0" & month of it as integer as string else month of it as integer as string) & (if day_of_month of it as integer < 10 then "0" & day_of_month of it as string else day_of_month of it as string)) of date (local time zone) of modification time of folder "/opt/cbsensor") | "n/a") else "n/a"
Service State
Period
Every Report
if (windows of operating system) then (state of service whose (display name of it = "Carbon Black Sensor") | "n/a") else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (if exists process "cbdaemon" then "Running" else "n/a") else "n/a"
Config Name
Period
1 hour
if (windows of operating system) then (percent decode (value "ConfigName" of key "HKLM\Software\CarbonBlack\config" of native registry as string | "n/a")) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (percent decode (key "ConfigName" of file "/var/lib/cb/sensorsettings.ini" | "n/a")) else "n/a"
Backend Server
Period
1 hour
if (windows of operating system) then (percent decode (value "SensorBackendServer" of key "HKLM\Software\CarbonBlack\config" of native registry as string | "n/a")) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (percent decode (key "SensorBackendServer" of file "/var/lib/cb/sensorsettings.ini" | "n/a")) else "n/a"
Sensor ID
Period
1 hour
if (windows of operating system) then (hexadecimal integer (lasts 8 of (value "SensorID" of key "HKLM\Software\CarbonBlack\config" of native registry as integer as hexadecimal | 0 as hexadecimal)) | 0) else 0
Collect Configuration
Period
1 hour
if (windows of operating system) then ((name of it, it as string) of values whose (name of it starts with "Collect") of keys "HKLM\Software\CarbonBlack\config" of native registry) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (((preceding texts of firsts "=" of it) as string, (following texts of firsts "=" of it) as string) of lines whose (it as string starts with "Collect") of files "/var/lib/cb/sensorsettings.ini") else ("n/a","n/a")
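The following is an added example, not code from this page, from BigFix or from Carbon Black: it re-implements in plain Python what the property branches above compute (first-"=" split of the ini lines, percent decoding of ConfigName and SensorBackendServer, the Collect* pairs, the YYYYMMDD install date, the cbdaemon check and the low-32-bit truncation of the Windows Sensor ID), so the values BigFix would report can be checked by hand on a host or in a test. The ini text is constructed sample data standing in for /var/lib/cb/sensorsettings.ini; its SensorId line is an assumption, since the Sensor ID property on this page has no Linux branch. The `disabled_collectors` check is the operator's follow-up on the analysis output, not something the analysis itself does.

```python
"""Plain-Python re-implementation of the per-host logic of the Cb Response -
Sensor Details properties. Added example; not the page's, BigFix's or Carbon
Black's own code."""

from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample standing in for /var/lib/cb/sensorsettings.ini.
# ConfigName, SensorBackendServer and Collect* are the keys the analysis reads;
# the SensorId line is an assumption (the page's Sensor ID property is Windows-only).
SAMPLE_INI = """\
ConfigName=Default%20Group
SensorBackendServer=https%3A%2F%2Fcb.example.internal%3A443
CollectStoreFiles=1
CollectProcessUserContext=1
CollectCrossProcess=0
SensorId=1234
"""


def parse_ini(text):
    """Split every key=value line at its first '=' (the relevance uses
    'preceding texts of firsts "="' / 'following texts of firsts "="');
    the first occurrence of a repeated key wins."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.setdefault(key.strip(), value.strip())
    return settings


def config_name(settings):
    """Config Name property: percent-decoded ConfigName, 'n/a' if absent."""
    return unquote(settings["ConfigName"]) if "ConfigName" in settings else "n/a"


def backend_server(settings):
    """Backend Server property: percent-decoded SensorBackendServer, 'n/a' if absent."""
    return unquote(settings["SensorBackendServer"]) if "SensorBackendServer" in settings else "n/a"


def collect_configuration(settings):
    """Collect Configuration property: (name, raw value) for every key starting with 'Collect'."""
    return [(k, v) for k, v in settings.items() if k.startswith("Collect")]


def disabled_collectors(settings):
    """Collect* switches set to 0: the operator's check on the analysis output,
    not part of the analysis itself."""
    return [k for k, v in collect_configuration(settings) if v == "0"]


def service_state(process_names):
    """Linux Service State branch: 'Running' if a cbdaemon process exists, else 'n/a'."""
    return "Running" if "cbdaemon" in process_names else "n/a"


def install_date(mtime_epoch, tz=timezone.utc):
    """Linux Install Date branch: YYYYMMDD with zero-padded month and day from the
    modification time of /opt/cbsensor. The relevance uses the host's local time
    zone; here the zone is a parameter that defaults to UTC."""
    return datetime.fromtimestamp(mtime_epoch, tz).strftime("%Y%m%d")


def sensor_id_low32(raw_sensor_id):
    """Windows Sensor ID branch: 'lasts 8 of (... as hexadecimal)' keeps only the
    last eight hex digits of the registry value, i.e. its low 32 bits."""
    return raw_sensor_id & 0xFFFFFFFF


if __name__ == "__main__":
    s = parse_ini(SAMPLE_INI)
    print("Config Name:   ", config_name(s))
    print("Backend Server:", backend_server(s))
    print("Collect*:      ", collect_configuration(s))
    print("Disabled:      ", disabled_collectors(s))
    print("Service State: ", service_state(["sshd", "cbdaemon"]))
    print("Install Date:  ", install_date(0))
    print("Sensor ID:     ", sensor_id_low32(0x1000004D2))
```

`unquote` plays the role of the relevance `percent decode`; the ini parser deliberately does not use `configparser`, because sensorsettings.ini as read by the analysis has no section headers and the relevance only ever splits on the first "=".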
Relevance
version of client >= "9.0"
(windows of operating system) OR (exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))
if (windows of operating system) then (exists keys whose (value "DisplayName" of it = "Carbon Black Sensor") of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of registry) else if ((exists match (regex "Linux CentOS (6|7)") of name of operating system) OR ((name of operating system starts with "Linux Red Hat") AND (exists file "/etc/redhat-release" whose (exists line whose (exists match (regex "Red Hat Enterprise Linux (Client|Server|Workstation) release (6|7)") of it) of it) AND NOT exists file "/etc/vmware-release" whose (exists line whose (it contains "VMware ESX") of it) AND NOT exists file "/etc/enterprise-release" whose (exists line whose (it contains "Enterprise Linux Enterprise Linux") of it)))) then (exists package "cbsensor" of rpm) else false