Skip to content
/ cbr-timeliner Public

Quick script to build host or investigation timelines using Carbon Black Response

12 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tstillz/cbr-timeliner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 
config.json
config.json
 
 
main.py
main.py
 
 

Repository files navigation

Timeline Builder for Carbon Black Response

This tool is a quick script written to export tagged items within a specific Carbon Black Response investigation into timelines. These timelines can be ingested by the SOC/IR team for further analysis.

Writeup on this tool can be foud here: https://blog.stillztech.com/2018/09/carbon-black-response-timeliner.html

Outputs all tagged events into a timeline (two export methods):

  • All events per your investigation
  • Only events for the hostname specified
Usage

Update config.json with your CBR URL, CBR API token and your investigation ID.

Running the script

python3 main.py

Output

  1. Hostname Specific _childproc.csv crossprocess.csv _filemod.csv _modload.csv _regmod.csv _timeline.csv -> All Events combined for a single host

  2. All items in investigation all_items_childproc.csv all_items_crossprocess.csv all_items_filemod.csv all_items_modload.csv all_items_regmod.csv all_items_timeline.csv -> All Events combined for all tagged items in your investigation

About

Quick script to build host or investigation timelines using Carbon Black Response

Resources

Readme
Activity

Stars

12 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages