
Open sockets from Endpoints

Description: This query returns the currently open sockets on an endpoint, together with the process and user that own each one. It is useful in incident response for spotting unexpected outbound connections.

Tested on Windows 7/10, macOS 10.14.5 and CentOS 7.7-1908

What The Data Shows: For each open socket on the endpoint you get the local and remote address and port, the owning PID, the process name, and the username the process runs as. Because the query filters on remote_port != 0, listening sockets (which have no remote peer) are left out; only sockets with an established or connected remote side are returned.


-- Open sockets with a remote peer, joined to the owning process and its user.
-- Sockets with remote_port 0 (listening / unconnected) are filtered out.
select u.username, p.pid, p.name,
       pos.local_address, pos.local_port,
       pos.remote_address, pos.remote_port
from processes as p
join users as u
    on u.uid = p.uid
join process_open_sockets as pos
    on pos.pid = p.pid
where pos.remote_port != 0
limit 1000;
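Added example (not part of the original post): two companion queries for the same triage task. The first extends the join above with the parent process, command line and a readable protocol name, and excludes loopback peers so only connections that leave the host remain. The second lists the listening sockets that the remote_port filter deliberately drops. Both assume only the standard osquery tables processes, users, process_open_sockets and listening_ports with their documented columns; the protocol numbers 6 (TCP) and 17 (UDP) are IANA values.

```sql
-- Added example, not from the original post. Assumes standard osquery tables:
-- processes, users, process_open_sockets, listening_ports.

-- 1. Connected sockets with process lineage, loopback peers excluded.
--    users is LEFT JOINed so a process whose uid has no users row is still shown.
select u.username,
       p.pid, p.name, p.path, p.cmdline,
       pp.name as parent_name,
       case pos.protocol when 6 then 'tcp' when 17 then 'udp' else pos.protocol end as proto,
       pos.local_address, pos.local_port,
       pos.remote_address, pos.remote_port
from process_open_sockets as pos
join processes as p on p.pid = pos.pid
left join processes as pp on pp.pid = p.parent
left join users as u on u.uid = p.uid
where pos.remote_port != 0
  and pos.remote_address not in ('127.0.0.1', '::1')
limit 1000;

-- 2. Listening sockets (remote_port = 0 in process_open_sockets), which the
--    query above drops. Handy for spotting unexpected services or bind shells.
select u.username, p.pid, p.name, p.path,
       case lp.protocol when 6 then 'tcp' when 17 then 'udp' else lp.protocol end as proto,
       lp.address, lp.port
from listening_ports as lp
join processes as p on p.pid = lp.pid
left join users as u on u.uid = p.uid
where lp.port != 0
order by lp.port;
```

Note the difference from the original inner join on users: an inner join silently discards any process whose uid does not match a row in users, so a left join is safer when the goal is to see every socket rather than only those with a resolvable username.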


1 Comment
Carbon Black Employee
Status changed to: Approved

@gstrandberg awesome query! I edited it to make it a little more readable. Hope you don't mind.