QUERIES
Is there any monitoring account for Carbon Black EDR? Any access control verification?
Under Review 1 Comment Submitted by JSuser a week agoIs there any monitoring account for Carbon Black EDR? Any access control verification?
0Votes
Search/Hunt for malicious chrome extensions (w/ Identifiers)
Approved 4 Comments Submitted by M_Kiran_Kumar 09-02-2022Description: This query looks for extensions using known extension identifiers.Replace the extension...
Carbon Black Compliance Incident Response IT Hygiene Windows
2Votes
Search Download Folders for ISO downloads
Approved 2 Comments Submitted by craken-da-ship 08-03-2022Description: This query searches the downloads folder of all computers looking for .iso files. Can b...
1Vote
Powershell Execution Policy inquiry (user)
Approved 1 Comment Submitted by jnelson 06-01-2022Description: This query looks for the 'ExecutionPolicy' registry key under HKEY_USERS hive to provid...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Vulnerability Management Windows
4Votes
Powershell Execution Policy inquiry (machine)
Approved 3 Comments Submitted by HenriqueLima 05-31-2022Description: This query looks for the 'ExecutionPolicy' registry key under HKLM hive to provide info...
Community Compliance IT Hygiene Vulnerability Management Windows
3Votes
Local Administrator Permissions (w/ Domain Users)
Approved 2 Comments Submitted by jnelson 04-29-2022Description:The Least Privileged Model reduces risk by limiting the users who haveadminpermissi...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
5Votes
Find where users have logged in
Approved 2 Comments Submitted by jnelson 02-09-2022This query looks for the existence of a Windows user's folder which indicates that they have logged ...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
6Votes
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability
Under Review 1 Comment Submitted by ralamer 01-14-2022Description:This query checks if the registry value (EnableTrailerSupport) is set or not. If this va...
4Votes
Querying Sysmon logs
Approved 1 Comment Submitted by jnelson 01-07-2022With the ability to query Windows Event Logs we can also query Sysmon logs as they show up in Event ...
Carbon Black Compliance Help Desk Operations Incident Response IT Hygiene Windows
3Votes
Search/Hunt for Persistence through Windows Services installed within the Past 30 days
Approved 5 Comments Submitted by jstreet16 10-12-2021Description:Search windows service creation events using the system logs event id 7045 from the past...
Community Compliance Help Desk Operations Incident Response Windows
5Votes
Welcome to the Query Exchange
The Query Exchange is a place for everyone to take, learn, and share queries. Since Live Query is built off of the open source project Osquery, we want to encourage the spirit of community participation. As a collective group we can help each other be more efficient, more innovative, and more secure. All query submissions default to the “Under Review” stage when initially posted. Once submissions are vetted by Carbon Black, submissions will be updated to reflect “Approved.”
Query Use Cases
IT Hygiene: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's IT Hygiene.
Compliance: Provides a list of SQL queries that we recommend you run in Live Query to help manage Compliance across your organization.
Incident Response: Provides a list of SQL queries that we recommend you run in Live Query to help during an investigation.
Vulnerability Management: Provides a list of SQL queries that we recommend you run in Live Query to help with Vulnerability Management in your organization.
Help Desk Operations: Provides a list of SQL queries that we recommend you run in Live Query to help with Help Desk items.
Container Support: Provides a list of SQL queries that we recommend you run in Live Query to help with your organization's Container Support.
