Audit and Remediation: Live Query Best Practices

Environment

  • Carbon Black Cloud: All Versions
    • Audit and Remediation Add-On

Objective

Tips and best practices for getting started with Live Query.

Resolution

  • When creating and running a Live Query, there are several limitations to consider:
    1. Queries are limited to a maximum memory usage of 500MB. The query is terminated if its memory usage exceeds 500MB.
    2. The resulting query payload is limited to a maximum size of 1MB. Query results exceeding 1MB are truncated without warning.
    3. The user interface limits the displayed results to 10,000 rows. To see the full results, use the Export button or the Live Query API.
    4. Queries that take over 900 seconds are terminated.
  • These limitations exist to protect the endpoint and network from being overloaded.
  • Given these limitations, users should keep in mind that queries are not meant for broad items, like searching an entire endpoint for a specific file.
  • Queries that are more granular and focused (scoped to specific directories, tables, or columns) are less likely to hit one of these limits.
  • If a query is run against all endpoints, the total number of devices is derived from the number of devices that have checked in during the previous 7 days.
  • Sensors counted towards the Devices Responded total include endpoints that successfully matched the query (one or more results returned), did not match the query (zero results), or returned an error message.
  • A query is completed when all devices have responded or if 7 days have elapsed.
  • Additional tables containing data specific to Carbon Black Cloud can be found in the User Guide.
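As an added illustration (not part of the original article), the following osquery SQL contrasts the broad file search the article warns against with a focused version that stays within the memory, time, and payload limits listed above. The directory names, file extension, and time window are example values chosen for this illustration.

```sql
-- Broad query: walks the entire filesystem (recursive '%%' wildcard) and
-- hashes every match. Likely to exceed the 500MB memory or 900 second
-- limit, and its payload can be truncated at 1MB without warning.
-- SELECT path, sha256
-- FROM file JOIN hash USING (path)
-- WHERE path LIKE 'C:\%%' AND filename LIKE '%.exe';

-- Focused query: scope to a few directories where the file is expected,
-- restrict to recently modified executables, return only the columns
-- needed, and cap the row count so the 1MB payload limit is not hit.
SELECT
  f.path,
  f.size,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE (
        f.directory = 'C:\Windows\Temp'
     -- single '%' matches exactly one path level (one user profile)
     OR f.directory LIKE 'C:\Users\%\AppData\Local\Temp'
      )
  AND f.filename LIKE '%.exe'
  -- only files modified in the last 24 hours (mtime is epoch seconds)
  AND f.mtime > CAST(strftime('%s', 'now', '-1 day') AS INTEGER)
ORDER BY f.mtime DESC
LIMIT 500;
```

The JOIN with the hash table is kept after the directory constraints so only the already narrowed set of files is hashed, which is where most of the CPU and time cost of a file query is spent.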

Article Information
Creation Date: 02-07-2024