keithmccammon · July 27, 2016 19:06
diff --git a/cblr-batch.py b/cblr-batch.py
 #!/usr/bin/env python

 import argparse
 import sys

 from cbapi.response import CbEnterpriseResponseAPI
 from cbapi.response.models import Process, Sensor
 from cbapi.response.live_response_api import LiveResponseSession


 def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--profile", type=str, action="store",
                        help="The credentials.response profile to use.")
    parser.add_argument("--query", type=str, action="store",
                        help="A query to downselect results before we look for the target process by name.")
    parser.add_argument("process_name", type=str, action="store",
                        help="This process will die if we find it.")

    args = parser.parse_args()

    if args.profile:
        cb = CbEnterpriseResponseAPI(profile=args.profile)
    else:
        cb = CbEnterpriseResponseAPI()

    query = ''

    process_name = args.process_name.strip()
    if args.query:
        query += args.query.strip()

    query += ' process_name:%s' % process_name

    query_result = cb.select(Process).where(query)
    query_result_len = len(query_result)

    print "%d results" % query_result_len

    sensors = set()
    for proc in query_result:
        sensors.add(proc.sensor)

    for sensor in sensors:
        # To isolate each sensor
        #s.network_isolation_enabled = True
        #s.save()

        lr = cb.live_response.request_session(sensor.id)

        process_list = lr.list_processes()
        
        for proc in process_list:
            if process_name in proc['path']:
                target_pid = proc['pid']
                print "Found target with PID %d. Killing . . . " % target_pid
                lr.kill_process(target_pid)

                # Verify
                verify_process_list = lr.list_processes()
                confirmed_kill = False
                for proc in verify_process_list:
                    if process_name in proc['path']:
                        confirmed_kill = True

                if confirmed_kill == True:
                    print ". . . confirmed kill!"
                else:
                    print " . . . fail."

        lr.close()

 if __name__ == '__main__':

    sys.exit(main())
	#!/usr/bin/env python

	import argparse
	import sys

	from cbapi.response import CbEnterpriseResponseAPI
	from cbapi.response.models import Process, Sensor
	from cbapi.response.live_response_api import LiveResponseSession


	def main():
	parser = argparse.ArgumentParser()
	parser.add_argument("--profile", type=str, action="store",
	help="The credentials.response profile to use.")
	parser.add_argument("--query", type=str, action="store",
	help="A query to downselect results before we look for the target process by name.")
	parser.add_argument("process_name", type=str, action="store",
	help="This process will die if we find it.")

	args = parser.parse_args()

	if args.profile:
	cb = CbEnterpriseResponseAPI(profile=args.profile)
	else:
	cb = CbEnterpriseResponseAPI()

	query = ''

	process_name = args.process_name.strip()
	if args.query:
	query += args.query.strip()

	query += ' process_name:%s' % process_name

	query_result = cb.select(Process).where(query)
	query_result_len = len(query_result)

	print "%d results" % query_result_len

	sensors = set()
	for proc in query_result:
	sensors.add(proc.sensor)

	for sensor in sensors:
	# To isolate each sensor
	#s.network_isolation_enabled = True
	#s.save()

	lr = cb.live_response.request_session(sensor.id)

	process_list = lr.list_processes()

	for proc in process_list:
	if process_name in proc['path']:
	target_pid = proc['pid']
	print "Found target with PID %d. Killing . . . " % target_pid
	lr.kill_process(target_pid)

	# Verify
	verify_process_list = lr.list_processes()
	confirmed_kill = False
	for proc in verify_process_list:
	if process_name in proc['path']:
	confirmed_kill = True

	if confirmed_kill == True:
	print ". . . confirmed kill!"
	else:
	print " . . . fail."

	lr.close()

	if __name__ == '__main__':

	sys.exit(main())