
Carbon Black Cloud: Export Sensors report's "Status" field does not include "Quarantined" and other states.


Environment

  • Carbon Black Cloud Console: All versions
  • Carbon Black Cloud Sensors: All versions

Question

Can the sensors CSV export report list a sensor's quarantined state?

Answer

No. The CSV report lists only the active, inactive and deregistered statuses.
This is feature request "FR-002903":
"To be able to list the endpoints by export fields including these states in the sensors report GUI:

• Quarantine status
• Active status
• Sensor out of date
• Pending Update"


 

Additional Notes

As a workaround, one can generate a list of all sensors in a given status through the v6 Devices API. The output is not the complete set of device properties, only the partial list of properties one sees in a bulk / CSV download. For example, this curl command to the v6 Devices API:
curl -v -s -H "X-Auth-Token: ANPKVHDL4Z4ET9G734LUAXXX/8A8LU3WXXX" -H "Content-Type: application/json" -X GET "https://defense-prod05.conferdeploy.net/appservices/v6/orgs/7QZF88ZP/devices/_search/download?status=QUARANTINE"
returns these record fields:
name,email,firstName,lastName,middleName,targetValue,status,registeredTime,deregisteredTime,lastContactTime,lastInternalIpAddress,lastExternalIpAddress,deviceType,policyName,windowsPlatform,osVersion,sensorVersion,avEngine,virtualMachine,virtualizationProvider,subDeploymentType,macAddress,avVdfVersion,deviceId,groupName
"Win11",Win11\admin,"","","",MEDIUM,REGISTERED,2022-02-10-163931,"",2022-02-10-202316,192.168.1.2,10.10.1.2,WINDOWS,"Standard","",Windows 11 x64,3.8.0.398,4.15.1.560-ave.8.3.64.88:avpack.8.5.2.32:vdf.8.19.6.206:apc.2.10.1.7:vdfdate.20220210,true,"VMW_WS","",000c29e6c5b5,8.19.6.206,RedSox,77854781
Note the "status=" option will accept these values:
status=ACTIVE
status=INACTIVE
status=SENSOR_OUTOFDATE
status=BYPASS
status=QUARANTINE

To confirm the query is working, one can generate a COMPLETE list of device properties for a particular device with this curl command, where the last path element (77854781 here) is the device ID:
curl -v -s -H "X-Auth-Token: ANPKVHDL4Z4ET9G7XXXXXXXX/XXXXXXXXXX" -H "Content-Type: application/json" -X GET "https://defense-prod05.conferdeploy.net/appservices/v6/orgs/7QZF88ZP/devices/77854781"
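The workaround yields one CSV per "status=" value, so a single report that shows quarantined sensors next to the others has to be merged locally. The following is an added example, not part of the original article and not vendor code: it merges the per-status downloads and records which filter returned each device. It assumes deviceId identifies a device across downloads; the function names, the matchedFilters column and the sample rows are constructed for illustration.

```python
import csv
import io

# Status filter values listed in the article for the "status=" option.
STATUS_FILTERS = ["ACTIVE", "INACTIVE", "SENSOR_OUTOFDATE", "BYPASS", "QUARANTINE"]

def merge_status_exports(exports):
    """Merge per-filter CSV downloads into one record per device.

    exports maps a status filter (e.g. "QUARANTINE") to the CSV text saved from
    .../devices/_search/download?status=<filter>. Assumption: deviceId
    identifies a device across downloads.
    """
    merged = {}
    for status_filter, text in exports.items():
        if status_filter not in STATUS_FILTERS:
            raise ValueError(f"unsupported status filter: {status_filter}")
        for row in csv.DictReader(io.StringIO(text)):
            device = merged.setdefault(row["deviceId"], {**row, "matchedFilters": []})
            # Record the filter that returned the row: the article's sample row
            # reads REGISTERED in its "status" column, so that column alone
            # does not show the quarantine state.
            if status_filter not in device["matchedFilters"]:
                device["matchedFilters"].append(status_filter)
    return merged

def to_csv(merged):
    """Write the merged report with the added matchedFilters column."""
    out = io.StringIO()
    fields = ["deviceId", "name", "status", "policyName", "sensorVersion", "matchedFilters"]
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for device_id in sorted(merged):
        row = dict(merged[device_id])
        row["matchedFilters"] = "|".join(row["matchedFilters"])
        writer.writerow(row)
    return out.getvalue()

# Constructed sample downloads (reduced column set, not real export data).
HEADER = "name,status,policyName,sensorVersion,deviceId\n"
SAMPLE = {
    "ACTIVE": HEADER + '"host-a",REGISTERED,"Standard",3.8.0.398,1001\n'
                       '"host-b",REGISTERED,"Standard",3.8.0.398,1002\n',
    "QUARANTINE": HEADER + '"host-b",REGISTERED,"Standard",3.8.0.398,1002\n',
    "SENSOR_OUTOFDATE": HEADER,  # a filter that matched no devices
}

if __name__ == "__main__":
    print(to_csv(merge_status_exports(SAMPLE)))
```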



 

Article Information
Creation Date: 03-14-2022