
Query Exchange

QUERIES

Enable LSA protections - Mimikatz

Under Review 1 Comment Submitted by ksnihur Friday

Description: Looks to see if the lsass process is protected
What The Data Shows: It will show what ma...

Community IT Hygiene Windows

0 Votes

Bad Rabbit Scheduled Tasks

Approved 3 Comments Submitted by ksnihur Thursday

Description: Bad Rabbit Scheduled Tasks
What The Data Shows: Provides IOC for BadRabbit
SQL: SELECT name...

Community Incident Response Windows

0 Votes

Retrieve Firefox Addons that are installed and not...

Approved 3 Comments Submitted by ksnihur a week ago

Description: Query looks for installed Firefox add-ons that are active and not set to auto update.
Wh...

Community IT Hygiene Linux Mac Vulnerability Management

0 Votes

check state of docker containers

Approved 3 Comments Submitted by coreymaygard 2 weeks ago

Description: looks to see what state all docker containers are in. (running, paused, stopped)
What Th...

Community Compliance Container Support Help Desk Operations Linux

0 Votes

check running/scheduled cron jobs

Approved 3 Comments Submitted by coreymaygard 2 weeks ago

Description: looks for any running or scheduled cron jobs on Linux hosts.
What The Data Shows: al...

Community Compliance Incident Response Linux

0 Votes

View Installed Chrome Extensions

Under Review 1 Comment Submitted by coreymaygard 2 weeks ago

Description: view all installed chrome extensions, along with update urls and descriptions
What ...

Community Compliance Vulnerability Management Windows

0 Votes

Check APT repositories

Approved 1 Comment Submitted by coreymaygard 2 weeks ago

Description: currently configured APT repositories
What The Data Shows: allows to make sure only...

Community Compliance IT Hygiene Linux

0 Votes

List all loaded Kernel modules

Approved 1 Comment Submitted by mjomha 2 weeks ago

Description: Lists all loaded Kernel modules on a system and which account uses it.
What The Dat...

Community Incident Response IT Hygiene Linux Vulnerability Management

0 Votes

Check Linux file permission changes

Approved 3 Comments Submitted by mjomha 2 weeks ago

Description: Lists all executables and the level of permissions users/groups have on each file, helps ...

Community Incident Response IT Hygiene Linux

0 Votes

Evidence of execution or file access using Shimcac...

Under Review 1 Comment Submitted by jaydelcic 2 weeks ago

Description: Shimcache keeps a record of file execution or its existence in the Shim Database.
ShimCa...

Community Incident Response Windows

0 Votes

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.