Environment

• Carbon Black Cloud: All Versions
  • Audit and Remediation Add-On

Objective

Resolution

• When creating and running a Live Query, there are several limitations to consider:

1. Queries are limited to a maximum memory usage of 500MB. The query is terminated if the query's memory usage exceeds 500MB.
2. The resulting query payload is limited to the maximum size of 1MB. Query results exceeding 1MB are truncated without warning.
3. The user interface limits the results to 10,000. To see the full results, use the Export button or use the Live Query API.
4. Queries that take over 900 seconds are terminated.
5. These limitations exist to protect the endpoint and network from being overloaded.

• Given these limitations, users should keep in mind that queries are not meant for broad items, like searching an entire endpoint for a specific file.
• Queries that are more granular and focused will be less likely to run into one of the query limitations.
• If a query is run against all endpoints, the total number of devices is derived from the number of devices that have checked in during the previous 7 days.
• Sensors counted towards the Devices Responded total include endpoints that successfully matched the query (one or more results returned), did not match the query (zero results), or returned an error message.
• A query is completed when all devices have responded or if 7 days have elapsed.
• Additional tables containing data specific to Carbon Black Cloud can be found in the User Guide.

Additional Notes

• For step-by-step guidance on how to run recommended and custom queries, refer to Getting Started - Live Query.
• A short, 5-minute demo of the Live Query feature can be found here: Audit and Remediation Technical Overview.

Related Content