This script is use to export related CB events into CSV file that related to specific ProcessGUID that currently investigating. It also can be use to quickly build timeline of event that been observed/detected by Carbon Black EDR.
Required Python modules (via Pip):
- Change url - https://<CB_Console_URL>/api/investigate/v2/orgs/<ORG_Key>/events/ with your CB Console URL
- Make sure you put your ORG_KEY aswell
- Run :
python CB_Timeliner_v0.5.py
- Enter your CB API Key & CB ProcessGUID
- Result will be same on script location - result_< ProcessGUID >.csv
Output example:
How to get ProcessGUID in Carbon Black Cloud Console:
-
Go to "Take Action" -> under "More Actions", select "Share process tree":
-
ProcessGUID of interest is highlighted in blue as example below:
- v0.1 (04 Nov 2022): First version of the script.
- v0.2 (05 Nov 2022): Add user input, jq via subprocess & stuff.
- v0.3 (07 Nov 2022): Include more event_type (filemod & regmod)
- v0.4 (08 Nov 2022): Include more event_type (crossproc, modload & netconn)
- v0.5 (25 Dec 2022): Script reworked by ChatGPT from OpenAI. (No, seriously by AI)
MIT License. Copyright (c) 2022 Mohd Khairulazam. See License.