A tool that detects the "expensive" Carbon Black watchlists.
This tool assists in detecting watchlists classified as "expensive", which may adversely affect the performance of Carbon Black Response.
- Install Python 3 and PIP
- Clone this repository
- Go inside the repository and install the requirements:
pip install -r requirements.txt
How it works?
This tool checks all the watchlists in the product for the cases specified in the following items.
- Number of wildcards used
- Is a wildcard used with the "modload" operand?
- Is a wildcard used with the "filemod" operand?
- Query execution time (last execution time)
- Number of "OR" operators used
- Is "=" used instead of ":" with any operand?
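The following is an added example, not the tool's own code, showing how the checks listed above can be applied to watchlist query strings offline. The thresholds (`MAX_WILDCARDS`, `MAX_OR_OPERATORS`, `MAX_EXEC_SECONDS`), the sample watchlists and their execution times are all constructed assumptions for this illustration; the real tool reads watchlists and last execution times from the Carbon Black Response API, which is not reproduced here.

```python
"""Heuristics for spotting "expensive" Carbon Black Response watchlist queries (added example)."""
import csv
import io
import re
from dataclasses import dataclass

# Thresholds are assumptions made for this example; the page does not state the tool's own limits.
MAX_WILDCARDS = 2
MAX_OR_OPERATORS = 5
MAX_EXEC_SECONDS = 10.0

_QUOTED = re.compile(r'"[^"]*"')
# A modload/filemod term followed by either a quoted value or a run of non-space characters
_OPERAND_WILDCARD = re.compile(r'\b(modload|filemod):("[^"]*"|\S+)', re.IGNORECASE)
_EQUALS_OPERAND = re.compile(r'\b\w+=')
_OR = re.compile(r'\bOR\b')


@dataclass
class Finding:
    name: str
    query: str
    exec_seconds: float
    wildcards: int
    wildcard_modload: bool
    wildcard_filemod: bool
    equals_instead_of_colon: bool
    or_count: int
    reasons: tuple

    @property
    def expensive(self) -> bool:
        return bool(self.reasons)


def analyze(name: str, query: str, exec_seconds: float) -> Finding:
    """Apply the checks listed above to one watchlist query."""
    # Only the '*' wildcard is counted here, wherever it appears in the query
    wildcards = query.count("*")

    modload = filemod = False
    for field_name, value in _OPERAND_WILDCARD.findall(query):
        if "*" in value:
            if field_name.lower() == "modload":
                modload = True
            else:
                filemod = True

    # Blank out quoted values first so a value such as cmdline:"a=b" is not flagged
    unquoted = _QUOTED.sub('""', query)
    equals = bool(_EQUALS_OPERAND.search(unquoted))
    or_count = len(_OR.findall(query))

    reasons = []
    if wildcards > MAX_WILDCARDS:
        reasons.append(f"{wildcards} wildcards")
    if modload:
        reasons.append("wildcard on modload")
    if filemod:
        reasons.append("wildcard on filemod")
    if equals:
        reasons.append("'=' used instead of ':'")
    if or_count > MAX_OR_OPERATORS:
        reasons.append(f"{or_count} OR operators")
    if exec_seconds > MAX_EXEC_SECONDS:
        reasons.append(f"last run took {exec_seconds:.1f}s")
    return Finding(name, query, exec_seconds, wildcards, modload, filemod,
                   equals, or_count, tuple(reasons))


# Constructed sample watchlists (name, query, last execution time in seconds); not real data
SAMPLE_WATCHLISTS = [
    ("net-use", "(process_name:net.exe OR process_name:net1.exe) AND cmdline:use", 0.4),
    ("broad-dll", "modload:*.dll OR filemod:*\\temp\\* OR process_name:*.exe", 30.0),
    ("bad-operand", 'process_name=cmd.exe AND cmdline:"a=b"', 1.2),
]


def analyze_all(watchlists):
    return [analyze(n, q, t) for n, q, t in watchlists]


def to_csv(findings) -> str:
    """Render findings as CSV text; the column order is this example's own choice."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "query", "exec_seconds", "wildcards", "wildcard_modload",
                     "wildcard_filemod", "equals_instead_of_colon", "or_count",
                     "expensive", "reasons"])
    for f in findings:
        writer.writerow([f.name, f.query, f.exec_seconds, f.wildcards, f.wildcard_modload,
                         f.wildcard_filemod, f.equals_instead_of_colon, f.or_count,
                         f.expensive, "; ".join(f.reasons)])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(analyze_all(SAMPLE_WATCHLISTS)))
```

Running the block prints one CSV row per sample watchlist; the "net-use" query passes every check, while the "broad-dll" query is flagged for four wildcards, wildcards on both modload and filemod, and a 30-second last run, and the "bad-operand" query is flagged only for using "=" instead of ":".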
- The URL, port, and Carbon Black API key fields must be entered in the config file.
- The config file and the script must be in the same directory. Then the script can be run as follows:
- After the script runs, it will write the results as a ".csv" file in the directory where it is located.
[APIKEY]
API_KEY = apikey
[URL]
CB_URL = https://184.108.40.206
CB_PORT = 80
|((process_name:net.exe OR process_name:net1.exe) AND cmdline:use)||30||0||FALSE||FALSE||FALSE||1|