QUERIES
Enable LSA protections - Mimikatz
Under Review 1 Comment Submitted by ksnihur FridayDescription: Looks to see if the lsass process is protectedWhat The Data Shows: It will show what ma...
0Votes
Bad Rabbit Scheduled Tasks
Approved 3 Comments Submitted by ksnihur ThursdayDescription:Bad Rabbit Scheduled TasksWhat The Data Shows: Provides IOC for BadRabbitSQL:SELECT name...
0Votes
Retrieve Firefox Addons that are installed and not...
Approved 3 Comments Submitted by ksnihur a week agoDescription: Query looks for installed Firefox add-ons that are active and not set to auto update.Wh...
0Votes
check state of docker containers
Approved 3 Comments Submitted by coreymaygard 2 weeks agoDescription: looks to see what state all docker containers are in. (running, paused, stopped)What Th...
Community Compliance Container Support Help Desk Operations Linux
0Votes
check running/scheduled cron jobs
Approved 3 Comments Submitted by coreymaygard 2 weeks agoDescription: looks for run any running or scheduled cron jobs on linux hosts.What The Data Shows: al...
0Votes
View Installed Chrome Extensions
Under Review 1 Comment Submitted by coreymaygard 2 weeks agoDescription: view all installed chrome extensions, along with update urls and descriptionsWhat ...
0Votes
Check APT repositories
Approved 1 Comment Submitted by coreymaygard 2 weeks agoDescription: currently configured APT repositoriesWhat The Data Shows: allows to make sure only...
0Votes
List all loaded Kernel modules
Approved 1 Comment Submitted by mjomha 2 weeks agoDescription: Lists all loaded Kernel modules on a system and which account uses it.What The Dat...
Community Incident Response IT Hygiene Linux Vulnerability Management
0Votes
Check Linux file permission changes
Approved 3 Comments Submitted by mjomha 2 weeks agoDescription:Lists all executable and the level of permissions users/groups have on each file, helps ...
0Votes
Evidence of execution or file access using Shimcac...
Under Review 1 Comment Submitted by jaydelcic 2 weeks agoDescription: Shimcache keeps a record of file execution or its existence in the Shim Database.ShimCa...
0Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Monthly Query Winner
-
Magneto
New Contributor II
Read More
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
