logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

CB Standard (CB Defense) Background Scan Status

Status: Approved Submitted by on ‎11-09-2020 10:59 AM

Description: This query leverages the new feature in Audit and Remediation to be able to query the Windows event log. The query specifically displays the latest CB Standard (formally CB Defense) background scan status. The background scan status event is sent to the Windows event viewer every time the system reboots. 

What The Data Shows: Shows the latest background scan status (in progress, complete, disabled) as well as the date and time that the scan event was registered.

SQL:

SELECT

  CASE

    WHEN data like "%IN_PROGRESS%" then "IN PROGRESS"

    WHEN  data like "%COMPLETE%" then "COMPLETE"

    WHEN  data like "%DISABLED%" then "DISABLED"

  END "Background Scan Status"

, MAX(DATETIME(datetime)) AS "Scan Status Update Date and Time"

FROM

 windows_eventlog where channel = 'Application' and eventid = '17' and data like '%BACKGROUND_SCAN%';

Tags (1)
Comment
10 Comments
jnelson
Carbon Black Employee
‎11-20-2020 09:54 AM
‎11-20-2020 09:54 AM
Status changed to: Approved
 
mdeschenes1
New Contributor II
‎12-31-2020 05:23 AM
‎12-31-2020 05:23 AM

Works great for windows endpoint, any plans to support Linux Sensors? 

jnelson
Carbon Black Employee
‎01-02-2021 12:18 PM
‎01-02-2021 12:18 PM

@mdeschenes1 @Alon 

That would require a new table with the ability to parse the Linux Carbon Black file. I suggest reaching out to your account team and have them submit a feature request.  

ctiMT1
New Contributor
‎01-19-2021 05:26 PM
‎01-19-2021 05:26 PM

Are Windows event log timestamps also capable of being queried?

Is there a way to convert the system times to UTC/unixepoch times?

Alon
Carbon Black Employee
‎01-20-2021 11:04 AM
‎01-20-2021 11:04 AM

@ctiMT1 , check out https://community.carbonblack.com/t5/Query-Exchange/Programs-Installed-In-Non-Standard-Windows-Locat... for an example of converting unixepoch.

There are 2 timestamps that you can query against for the Windows event logs. Check out https://osquery.io/schema/4.6.0/#windows_eventlog

jnelson
Carbon Black Employee
‎01-20-2021 12:08 PM
‎01-20-2021 12:08 PM

@ctiMT1 Change this part:

 

MAX(DATETIME(datetime))

 

To this:

 

MAX((julianday(datetime) - 2440587.5)*86400.0)

 

 

ctiMT1
New Contributor
‎01-20-2021 11:40 PM
‎01-20-2021 11:40 PM
@jnelson wrote:

@CtiMT1 Change this part:

 

MAX(DATETIME(datetime))

 

To this:

 

MAX((julianday(datetime) - 2440587.5)*86400.0)

Thanks for this, this really helped me out! I also went ahead and did some additional reading and testing. 

 

Turns out for our instance "datetime" returned event log data in UTC already!

This what I put in to test if the datetime was already doing UTC:

select datetime, datetime(datetime,'localtime') as "EventTime(System's Timezone)", datetime(datetime,'utc') as "EventTime(UTC)", (julianday(datetime) - 2440587.5)*86400.0 as "EventTime(JulianDay)"
JulianeNeumann
Carbon Black Employee
‎06-10-2021 02:37 AM
‎06-10-2021 02:37 AM

Anything a Mac user can do to check Background Scan Status on all Mac Devices via A&R? :) 

jnelson
Carbon Black Employee
‎06-14-2021 12:28 PM
‎06-14-2021 12:28 PM

@JulianeNeumann That would require a new table with the ability to parse the Mac Carbon Black log file. Submitting a feature request is the best recourse.  

lschulze
Carbon Black Employee
‎09-15-2021 05:56 AM
‎09-15-2021 05:56 AM

Hi Team,

why is this query not part of the "recommended" section within Carbon Black Cloud - Audit & Remediation? 

Thanks,
Leon

logo