Migration Guide For Live Response From v3 To v6¶
This guide will help you migrate from Live Response v3 to v6.
Overview¶
Most of the changes from v3 to v6 are on the routes. Thе updated API (v6) includes a more granular approach to roles-based access control (RBAC).
Access Permissions¶
A key wth a Custom Access Level with appropriate permissions needs to be created for the Live Response. The following table shows the corresponding permissions that needs to be enabled, based on the existing roles.
| Permission | What it controls (commands) | Which existing roles have access |
|---|---|---|
| org.liveresponse | Permanently disabling the Live Response feature on an individual endpoint:
Disable Live Response on the Endpoints page
|
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
| org.liveresponse.files | Read, write and/or delete files on the endpoint:
cd, delete, dir, drives, get, mkdir, put, pwd
|
Level 2 Analyst
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
| org.liveresponse.memdump | Dump kernel memory on the endpoint:
memdump
|
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
| org.liveresponse.process | List, stop and execute processes on the endpoint:
exec, execfg, kill, ps
|
Level 2 Analyst (cannot execute)
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
| org.liveresponse.registry | View, add, edit and delete registry entries:
reg add, reg delete, reg query, reg set
|
Level 2 Analyst
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
| org.liveresponse.session | Initiate live response sessions, plus:
clear, help
|
Level 2 Analyst
Level 3 Analyst
Live Response Admin - Legacy
Super Admin
|
Changes in the routes and response codes¶
| v3 | v6 |
|---|---|
| /integrationServices/v3/cblr/ | /appservices/v6/orgs/{org_key}/liveresponse/ |
| POST /sessions/{session_id} 200 | POST /sessions 201 |
| POST /session/{session_id)/file 200 | POST /sessions/{session_id)/files 201 |
| POST /session/{session_id}/command | POST /sessions/{session_id}/commands |
| PUT /session {“session_id”: “1:37191”, “status”: “CLOSE”} | DELETE /sessions/{session_id} 204 |
| GET /session/{sessionId}/file/{fileId}/content 200 | GET /sessions/{session_id}/files/{file_id}/content 302 |
| DELETE /session/{sessionId}/file/{fileId} 200 | DELETE /sessions/{session_id}/files/{file_id} 204 |
Changes in some of the request/response fields¶
| Where is the change? | v3 | v6 |
|---|---|---|
| All API endpoints | sensor_id | device_id |
| Process command | username | process_username |
| Process command | path | process_path |
| Process command | pid | process_pid |
| Process command | command_line | process_cmdline |
| Process command | parent | parent_pid |
| Registry command | valueType | value_type |
| Registry command | valueData | value_data |
| Registry command | valueName | value_name |