How to get raw process documents via Curl (Clustered)
Article ID: 291490
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Query a clustered EDR server environment for raw process document information.
Environment
- EDR Server: 6.x and above (Formerly CB Response)
- Clustered server environment
Resolution
See Additional Information section for standalone server environments
- Log into the EDR web console.
- Perform a process search and click a resulting process to bring you to the Process Analysis page.
- In the Process Analysis page grab the Unique ID (highlighted in red) from the browser URL
https://<server>/#/analyze/00000007-0000-24c8-01d4-6cab54141c72/1540927207635?cb.legacy_5x_mode=false - Log into the master server via ssh/terminal and run the following command, replacing the <uniqueid> and <Node_*_IP> with the IP/FQDN's of the minion nodes depending on how many are in your environment.
curl 'http://localhost:8080/solr/reader/select?shards=<Node_1_IP>:8080/solr/reader,<Node_2_IP>:8080/solr/reader&q=id:<uniqueid>*&rows=0'
- View the "numFound" and enter a value greater than in the &rows= section of the next command.
response":{"numFound":29,"start":0,"maxScore":1.0,"docs":[ - Run the following command, in the example numFound came back as 29, so 40 is used to give a buffer as the rows=
curl 'http://localhost:8080/solr/reader/select?shards=<Node_1_IP>:8080/solr/reader,<Node_2_IP>:8080/solr/reader&q=id:<uniqueid>*&wt=json&indent=true&rows=40&debug=track&sort=last_server_update%20asc' >> <uniqueid>.json && /usr/share/cb/cbpost <uniqueid>.json
Additional Information
- Common Errors:
- "The requested resource is not available": Curl command was run on the incorrect server/node.
- "numFound=0": Incorrect or missing unique id, incorrect server/node or md5 hash is lowercase.
- Process documents resulting from this process may provide limited results. Alternative method:
Feedback
Yes
No
Powered by
