QUERIES
Windows logon failures with the failure reason and logon type decoded
Approved 1 Comment Submitted by jnelson a week agoWindows logon failures parsed from event logs. This query is based on the information in this articl...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
2Votes
Windows logoff events
Approved 1 Comment Submitted by jnelson a week agoWindows logoff events parsed from event logs:select datetime, eventid, trim(split(split(da...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Windows Login events with the Logon type translated
Approved 1 Comment Submitted by jnelson a week agoWindows login events parsed from the event logs.select datetime, eve...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Windows Recent Apps
Approved 1 Comment Submitted by jnelson a week agoThis query is based on this article:https://df-stream.com/2017/10/recentapps/. There are two dates t...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
0Votes
Process by user
Approved 1 Comment Submitted by gstrandberg 11-26-2020Description:This query gives you the started processed also with usernameTested on Windows 7 Wi...
2Votes
CB Standard (CB Defense) Background Scan Status
Approved 7 Comments Submitted by Alon 11-09-2020Description: This query leverages the new feature in Audit and Remediation to be able to query the W...
Carbon Black Compliance Help Desk Operations IT Hygiene Windows
5Votes
Finding specific indicators of compromise (IOCs) for Mac in memory or on disk
Approved 5 Comments Submitted by alpopov 10-07-2020Description: Finding specific indicators of compromise (IOCs) in memory or on diskWhat The Data...
1Vote
List all inactive security products
Approved 1 Comment Submitted by jaydelcic 10-01-2020Description: Threat actors disable AV to evade detection. The proposed query probes the state of reg...
2Votes
macOS Disk Encryption
Approved 1 Comment Submitted by stympanick 09-17-2020Source:https://www.uptycs.com/blog/osquery-tutorial-how-to-check-disk-encryption-on-mac-linux-and-wi...
3Votes
Audit docker TCP API sockets (re Doki malware)
Approved 1 Comment Submitted by gallen 07-30-2020Description: This query looks for listening docker daemon TCP sockets. These sockets are vulnerable ...
Carbon Black Compliance IT Hygiene Linux Vulnerability Management
1Vote
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
