The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Query Exchange

QUERIES

CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability

Under Review 1 Comment Submitted by ralamer a week ago

Description:This query checks if the registry value (EnableTrailerSupport) is set or not. If this va...

Community Vulnerability Management Windows

2Votes

Querying Sysmon logs

Approved 1 Comment Submitted by jnelson 2 weeks ago

With the ability to query Windows Event Logs we can also query Sysmon logs as they show up in Event ...

Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows

1Vote

Search/Hunt for Persistence through Windows Services installed within the Past 30 days

Approved 5 Comments Submitted by jstreet16 10-12-2021

Description:Search windows service creation events using the system logs event id 7045 from the past...

Community Compliance Help Desk Operations Incident Response Windows

4Votes

Search windows artifacts of execution for evidence of a file

Approved 1 Comment Submitted by jstreet16 10-12-2021

Description: Search multiple artifacts of execution to search for evidence of an executable seen by ...

Community Help Desk Operations Incident Response Windows

1Vote

Ideas for working out FULL OUTER JOIN limitation

Approved 4 Comments Submitted by jstreet16 10-01-2021

Description: Given a file path check for the existence and evidence of execution of a fileWhat The D...

Carbon Black Incident Response Windows

1Vote

Disk utilization on Windows

Approved 3 Comments Submitted by jnelson 09-30-2021

This query converts the size and free space to GB, then calculate the percent full for the disk.

Carbon Black Help Desk Operations IT Hygiene Windows

1Vote

Windows with WSL enabled

Approved 2 Comments Submitted by slist 09-20-2021

Description: This query looks for Windows endpoints with WSL feature enabled
What The Data Shows...

Carbon Black Vulnerability Management Windows

3Votes

macOS - CB Standard Background Scan Status

Approved 1 Comment Submitted by lschulze 09-16-2021

Description: This query queriesthe Apple System Log (ASL) data structure for system events. The quer...

Community Help Desk Operations IT Hygiene Mac

5Votes

macOS - Local Administrator Accounts

Approved 1 Comment Submitted by lschulze 09-01-2021

Description: The query allows you to check macOS systems for local administrator accounts.The admini...

Community Compliance IT Hygiene Mac

1Vote

query for other IT tools

Approved 6 Comments Submitted by vbianconi 08-11-2021

Description:Query for other IT tools
What The Data Shows:Whether your endpoints have any conflic...

Carbon Black Compliance IT Hygiene Linux Mac Other Windows

1Vote

Welcome to the Query Exchange

The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”

Query Use Cases

IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.

Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.

Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.

Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.

Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.

Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.