5.x Query Documents Via Curl (SSH/Terminal)

Version

Cb Response 5.x

Topic

How to query for the process or binary Solr documents that back the corresponding UI pages

Note: For 6.x check here: 6.x Query Documents Via Curl (SSH/Terminal) 

Steps

Querying for a Process Document, Binary Document, and Common Errors

Process Document

  1. Gather Partial Process ID from UI
    1. Load Process Analysis page in the UI
    2. Pull the partial ID from the URL
      https://SERVERADDRESS/#analyze/PARTIALPROCESSID/SEGMENTID
      Example:

      https://192.168.111.129/#analyze/00000001-0000-0bb8-01d1-37c70078d47f/1

      Note: this is not the complete unique_id or id field stored in Solr, which is why the curl command below matches it as a prefix with a trailing *

    3. Load Sensor Details page by selecting the link on the Process Analysis page:
      1. Pre 5.2
      2. 5.2
  2. Collect information from the Sensor Details Page
    1. Determine the node to SSH into. The Node Address and Node Hostname tell you which system to connect to.
      Example:
      192.168.111.5
      cb-minion-optest
    2. Determine the correct shard ID
      Example:
      1
  3. Construct the SOLR Query and Execute the Command
    1. Use the IP or Domain Name from the node address (example 192.168.111.5) and connect to the server via SSH.
    2. In the curl command, replace SHARD with the Shard Id (collected in the previous step) and PARTIALUNIQUEID with the partial ID taken from the URL in the first step. Which form to use depends on the operating system of the sensor that recorded the process, not on the machine you are typing on.
      1. Process from a Windows sensor (GUID-style unique_id, matched as a prefix with a trailing *)
        curl "http://127.0.0.1:8080/solr/SHARD/select?q=unique_id:PARTIALUNIQUEID*&wt=json&indent=true"
        Example:
        curl "http://127.0.0.1:8080/solr/1/select?q=unique_id:00000001-0000-0bb8-01d1-37c70078d47f*&wt=json&indent=true"
      2. Process from a macOS/Linux sensor (integer id, which may be negative)
        curl "http://127.0.0.1:8080/solr/SHARD/select?q=id:%22PARTIALUNIQUEID%22&wt=json&indent=true"
        Example:
        curl "http://127.0.0.1:8080/solr/0/select?q=id:%22-7459131266113492148%22&wt=json&indent=true"

        Note: This command is URL encoded. "%22" is the encoding of the double-quote character ("). The quotes are required when the id is negative: without them Solr reads the leading "-" as the NOT operator and the query matches nothing.

Binary Document

  1. Collect binary md5 from UI:
    https://SERVERADDRESS/#/binary/MD5HERE
  2. SSH into the master
  3. Query the cbmodules core for the module metadata (this core lives on the master, not on the minions)

    curl 'http://127.0.0.1:8080/solr/cbmodules/select?q=md5:MD5HERE&rows=5&indent=true'

Common Errors

The requested resource is not available

This is a 404 for the core path: the wrong node or shard has been queried (for example, shard 0 does not exist on the node you connected to) or the Shard Id is wrong. Re-check the Node Address and Shard Id on the Sensor Details page.

No results (numFound="0")

If no documents are returned, verify that you have the correct Shard Id. If the Process Analysis page is still accessible in the UI, the data still exists in Solr and the query is hitting the wrong shard or node. If the UI returns a 404 for the page, the document has been purged or never existed.
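As an added example (not code from the original KB article or from Carbon Black), the shell script below assembles the process and binary queries from the values gathered in the UI, choosing the prefix form for a GUID-style Windows id and the quoted form for a macOS/Linux integer id, and sorts the HTTP reply into the outcomes listed under Common Errors. SOLR_BASE, the function names and the sample JSON reply are this example's own assumptions; wt=json is added to the binary query so the same parser handles its reply.

```shell
#!/bin/sh
# Added example, not part of the original article or the product.
# Assumptions: Solr listens on 127.0.0.1:8080 on the node you SSH into (as in
# the article); function names and the sample reply are this example's own.

SOLR_BASE="${SOLR_BASE:-http://127.0.0.1:8080/solr}"

# True when the value is a (possibly negative) integer, i.e. a macOS/Linux
# sensor process id. A GUID-style Windows unique_id contains dashes and
# therefore fails this test.
is_integer_id() {
  v="${1#-}"
  case "$v" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Query URL for a process document on the given shard.
# GUID partial ids are matched as a prefix (trailing *) because the UI only
# shows part of unique_id. Integer ids are wrapped in %22 (URL-encoded double
# quotes) so a leading "-" is not read by Solr as the NOT operator.
build_process_query() {
  shard="$1"
  pid="$2"
  if is_integer_id "$pid"; then
    printf '%s/%s/select?q=id:%%22%s%%22&wt=json&indent=true\n' "$SOLR_BASE" "$shard" "$pid"
  else
    printf '%s/%s/select?q=unique_id:%s*&wt=json&indent=true\n' "$SOLR_BASE" "$shard" "$pid"
  fi
}

# Query URL for a binary document in the cbmodules core (run on the master).
# wt=json is added here (the article's command uses the default format) so
# num_found below can parse the reply.
build_binary_query() {
  printf '%s/cbmodules/select?q=md5:%s&rows=5&wt=json&indent=true\n' "$SOLR_BASE" "$1"
}

# Pull numFound out of a Solr JSON reply read from stdin (empty if absent).
num_found() {
  sed -n 's/.*"numFound":[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a raw HTTP body the way the Common Errors section does.
classify_response() {
  body="$1"
  case "$body" in
    *"requested resource is not available"*)
      # 404 for the core path: wrong node, or a shard that is not on it
      echo "wrong-node-or-shard"; return 0 ;;
  esac
  n=$(printf '%s\n' "$body" | num_found)
  if [ -z "$n" ]; then
    echo "unparseable"
  elif [ "$n" -eq 0 ]; then
    echo "no-results"   # core exists, but wrong Shard Id or purged document
  else
    echo "found:$n"
  fi
}

# Run a process query against the loopback Solr port and report the outcome.
query_process() {
  url=$(build_process_query "$1" "$2")
  classify_response "$(curl -s "$url")"
}

# Constructed sample reply, shaped like a Solr JSON response, for offline use.
SAMPLE_RESPONSE='{"responseHeader":{"status":0,"QTime":2},
 "response":{"numFound":1,"start":0,"docs":[
   {"id":"-7459131266113492148","process_name":"bash","hostname":"cb-minion-optest"}]}}'

# Usage: sh query_solr.sh SHARD PARTIALPROCESSID   (run on the node for that shard)
if [ "$#" -eq 2 ]; then
  query_process "$1" "$2"
fi
```

Run it on the minion that owns the shard; the printed label tells you whether to re-check the node, re-check the Shard Id, or treat the document as purged.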

Article Information
Creation Date: 01-24-2017