QUERIES
Installed Firefox add-ons without Default
Approved 2 Comments Submitted by sk-mobily a week agoDescription: This query help for get all installed add-ons on Firefox without default say (Pocket, W...
0Votes
Installed Firefox add-ons
Approved 1 Comment Submitted by sk-mobily a week agoDescription: This query help for get all installed add-ons on FirefoxWhat The Data Shows: : Thi...
Community Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Printnightmare - CVE-2021-34527 - Windows Patch verification
Approved 1 Comment Submitted by jc_1 3 weeks agoDescription:Query looks for Windows patch released for CVE-2021-34527 (anything between KB5004945 - ...
2Votes
Finding Registry Keys - Used for PrintNightmare CVE-2021-34527
Approved 2 Comments Submitted by Justang 3 weeks agoNothing fancy here, just an easy registry check. You're welcome to spruce it up to your specific nee...
3Votes
MacOS - List Install history from InstallHistory.plist
Approved 2 Comments Submitted by cearl 06-08-2021Description: Pulls all install history from MacOS - tested on Catalina and Big Sur.What The Data Sho...
1Vote
Finding Files on Systems - Used for Dell Vulnerability DSA-2021-088
Approved 11 Comments Submitted by Justang 05-05-2021Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directo...
Community Incident Response IT Hygiene Vulnerability Management Windows
9Votes
Insecure TLS versions enabled
Approved 1 Comment Submitted by jnelson 04-20-2021This query is designed to find Windows systems (Win7, Win Server 2012 R2 and above) that have overri...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Vulnerability Management Windows
0Votes
Windows logon failures with the failure reason and logon type decoded
Approved 5 Comments Submitted by jnelson 04-09-2021Windows logon failures parsed from event logs. This query is based on the information in this articl...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
5Votes
Windows logoff events
Approved 1 Comment Submitted by jnelson 04-09-2021Windows logoff events parsed from event logs:select datetime, eventid, trim(split(split(da...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Windows Login events with the Logon type translated
Approved 1 Comment Submitted by jnelson 04-09-2021Windows login events parsed from the event logs.select datetime, eve...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
