Github: https://github.com/tstillz/cbr-intel_tester
In this blog post, I’m releasing another tool for Carbon Black Response called “CBR: Intel Tester”. This is a very simple script that takes a list of Carbon Black Response queries and a specified start time as arguments inside the config.json file. The script then takes each query and runs a daily search in CBR, starting from the specified start time and continuing until it reaches the day you executed the script. I usually set the start date to 30–45 days prior, but the right value depends on the data retention configured in your CBR instance. The output of this script is a file called metrics.csv, a pipe-separated file containing the following fields:
- Date the query was run
- Total results for the query for the date it was run
- The query
- Title of the query
- Query description
- Query reference link
When you run the script, you will see some standard output, including the name of the query running, the date for which the query pulled data, and the CBR query itself. The screenshots below show two separate outputs captured during script execution.
Currently, the script is single threaded, so depending on the number of queries you have, the script may take a while. After completion, your output file should look like the following:
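The daily-search loop described above, written out as an added example so the flow is concrete. This is not the cbr-intel_tester code itself: the config key names, the `start:[… TO …]` range term used to scope each query to one day, the injected `search_count` callable (where a real run would call the CBR API) and the column order in metrics.csv are all assumptions of this example.

```python
"""Added example: run each CBR query once per day from a start date to today
and collect the results as pipe-separated metrics rows."""
import datetime as dt
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed config in the spirit of the tool's config.json; key names are assumed.
SAMPLE_CONFIG = {
    "start_date": "2019-09-01",
    "queries": [
        {"title": "PowerShell use", "description": "Daily powershell.exe volume",
         "reference": "https://example.invalid/ref", "query": "process_name:powershell.exe"},
    ],
}
FIELDS = ["date", "total", "query", "title", "description", "reference"]

def day_windows(start: dt.date, end: dt.date) -> Iterator[Tuple[dt.date, dt.date]]:
    """Yield (day, next_day) pairs covering start..end inclusive; empty if start > end."""
    day = start
    while day <= end:
        yield day, day + dt.timedelta(days=1)
        day += dt.timedelta(days=1)

def scope_to_day(query: str, day: dt.date, next_day: dt.date) -> str:
    """Restrict a CBR process query to one day using a start: range term (assumed syntax)."""
    return f"({query}) AND start:[{day.isoformat()}T00:00:00 TO {next_day.isoformat()}T00:00:00]"

def sample_search_count(scoped_query: str) -> int:
    """Stand-in for the CBR search call: constructed counts keyed off the day in the query."""
    return 3 if "start:[2019-09-02T00:00:00 TO" in scoped_query else 0

def run_intel_test(config: Dict, search_count: Callable[[str], int], today_iso: str) -> List[Dict]:
    """search_count is injected (a wrapper around the CBR API in real use) so this runs offline."""
    start = dt.date.fromisoformat(config["start_date"])
    today = dt.date.fromisoformat(today_iso)
    rows = []
    for q in config["queries"]:
        for day, nxt in day_windows(start, today):
            rows.append({"date": day.isoformat(), "total": search_count(scope_to_day(q["query"], day, nxt)),
                         "query": q["query"], "title": q["title"],
                         "description": q["description"], "reference": q["reference"]})
    return rows

def metrics_lines(rows: List[Dict]) -> List[str]:
    """Render rows as the pipe-separated lines of metrics.csv (header first)."""
    return ["|".join(FIELDS)] + ["|".join(str(r[f]) for f in FIELDS) for r in rows]

def write_metrics(rows: List[Dict], path: str = "metrics.csv") -> int:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(metrics_lines(rows)) + "\n")
    return len(rows)
```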
We can review this output file in its current form, but most of the time I create a bar chart for the query of interest or a pivot table to identify any potential anomalies. Let’s check out the bar chart first. I will use the example query provided in the Intel Tester GitHub project (see the config.json file for other examples) named jp_cert_spread_of_infection.
We can see that within our current Carbon Black Response instance, this query has a handful of results on some days and zero results on others. In the second example, we take the results of all the queries and create a pivot table to view them together.
The results vary depending on the queries you use, but this output makes it easy to answer simple questions like “How frequently is PowerShell used in my organization, and on which days?”, “On which days is this user account running the process evil.exe?” or “How often is a specific user account active, based on process executions?”. We won’t get into stacking the results, as that topic needs its own blog post ;).
I hope this script comes in handy for those using Carbon Black Response. Happy Hunting!
Acknowledgements
Special thanks to Mike Scutt (@OMGAPT), Jason Garman and the CB team for all the help.