Query Exchange

QUERIES

MacOS - List Install history from InstallHistory.plist

Approved 2 Comments Submitted by cearl 2 weeks ago

Description: Pulls all install history from MacOS - tested on Catalina and Big Sur. What The Data Sho...

Community IT Hygiene Mac

0 Votes

Finding Files on Systems - Used for Dell Vulnerability DSA-2021-088

Approved 11 Comments Submitted by Justang 05-05-2021

Description: Looks for a file called dbutil_2_3.sys in multiple directories (Windows / Users directo...

Community Incident Response IT Hygiene Vulnerability Management Windows

9 Votes

Insecure TLS versions enabled

Approved 1 Comment Submitted by jnelson 04-20-2021

This query is designed to find Windows systems (Win7, Win Server 2012 R2 and above) that have overri...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Vulnerability Management Windows

0 Votes

Windows logon failures with the failure reason and logon type decoded

Approved 1 Comment Submitted by jnelson 04-09-2021

Windows logon failures parsed from event logs. This query is based on the information in this articl...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows

3 Votes

Windows logoff events

Approved 1 Comment Submitted by jnelson 04-09-2021

Windows logoff events parsed from event logs:
select datetime, eventid, trim(split(split(da...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows

0 Votes

Windows Login events with the Logon type translated

Approved 1 Comment Submitted by jnelson 04-09-2021

Windows login events parsed from the event logs.

select datetime,
eve...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows

0 Votes

Windows Recent Apps

Approved 1 Comment Submitted by jnelson 04-09-2021

This query is based on this article: https://df-stream.com/2017/10/recentapps/. There are two dates t...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows

0 Votes

Process by user

Approved 1 Comment Submitted by gstrandberg 11-26-2020

Description: This query gives you the started processes, also with the username.
Tested on Windows 7 Wi...

Carbon Black Compliance Incident Response Linux Mac Windows

2 Votes

CB Standard (CB Defense) Background Scan Status

Approved 9 Comments Submitted by Alon 11-09-2020

Description: This query leverages the new feature in Audit and Remediation to be able to query the W...

Carbon Black Compliance Help Desk Operations IT Hygiene Windows

5 Votes

Finding specific indicators of compromise (IOCs) for Mac in memory or on disk

Approved 5 Comments Submitted by alpopov 10-07-2020

Description: Finding specific indicators of compromise (IOCs) in memory or on disk
What The Data...

Community Mac Vulnerability Management

1 Vote

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built on the open-source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, they are updated to reflect “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.