
macOS - CB Standard Background Scan Status

Description: This query reads the Apple System Log (ASL) table for system events and returns the latest CB Standard/Advanced background scan status. The sensor writes the background scan status to "System.log" only once per day, so the result reflects the most recent daily update.

What The Data Shows: the date and time of the latest background scan status update, the device name, and the background scan status (in progress, complete, disabled).

SQL:

-- osquery's SQL dialect is SQLite, so string literals use single quotes;
-- double-quoted values are parsed as identifiers first and only fall back
-- to string literals when no such column exists.
-- MAX() makes SQLite return the bare columns (host, CASE) from the row that
-- holds the most recent time, i.e. the latest status line.
SELECT MAX(datetime(time, 'unixepoch', 'localtime')) AS "Scan Status Update Date & Time",
       host AS "Hostname",
       CASE
           WHEN message LIKE '%IN_PROGRESS%' THEN 'IN PROGRESS'
           WHEN message LIKE '%COMPLETE%'    THEN 'COMPLETE'
           WHEN message LIKE '%DISABLED%'    THEN 'DISABLED'
       END AS "Background Scan Status"
FROM asl
WHERE message LIKE 'BACKGROUND%';

Tested with osquery 4.9.0 on macOS Big Sur 11.6.
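The following is an added example, not part of the original post or of Carbon Black's own tooling. Because osquery's SQL is SQLite, the scan-status query can be exercised offline against an in-memory table shaped like osquery's asl table (time, host, message). The rows are constructed sample data that imitate the shape of the status lines the post describes; they are not captured sensor output. The per-host grouping function at the end goes beyond the post (osquery evaluates the query on one endpoint, so the post needs no GROUP BY) and is an assumption about how the same query could be reused when rows from several hosts are collected centrally.

```python
"""Offline check of the ASL background-scan status query using SQLite."""
import sqlite3

# Constructed rows: (unix time, host, message). Not real Carbon Black output.
# The third mac-01 row is newer than the others but does not start with
# "BACKGROUND", so the WHERE clause must exclude it.
SAMPLE_ROWS = [
    (1633000000, "mac-01", "BACKGROUND scan status: COMPLETE"),
    (1633086400, "mac-01", "BACKGROUND scan status: IN_PROGRESS"),
    (1633172800, "mac-01", "unrelated daemon message mentioning COMPLETE"),
    (1633086400, "mac-02", "BACKGROUND scan status: DISABLED"),
]

# The post's query with single-quoted literals; no trailing semicolon so that
# the helper functions below can append a host filter or a GROUP BY.
STATUS_QUERY = """
SELECT MAX(datetime(time, 'unixepoch', 'localtime')) AS "Scan Status Update Date & Time",
       host AS "Hostname",
       CASE
           WHEN message LIKE '%IN_PROGRESS%' THEN 'IN PROGRESS'
           WHEN message LIKE '%COMPLETE%'    THEN 'COMPLETE'
           WHEN message LIKE '%DISABLED%'    THEN 'DISABLED'
       END AS "Background Scan Status"
FROM asl
WHERE message LIKE 'BACKGROUND%'
"""


def build_asl_table(rows):
    """Create an in-memory table with the three asl columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE asl (time INTEGER, host TEXT, message TEXT)")
    conn.executemany("INSERT INTO asl VALUES (?, ?, ?)", rows)
    return conn


def latest_status(conn, host):
    """Run the query the way osquery would on a single endpoint.

    SQLite returns the bare columns (host, CASE) from the same row that
    supplied MAX(), so the status belongs to the most recent status line.
    Returns (datetime string, host, status), or None when the host has never
    logged a status line (MAX() over zero rows yields a NULL row).
    """
    row = conn.execute(STATUS_QUERY + " AND host = ?", (host,)).fetchone()
    if row is None or row[0] is None:
        return None
    return row


def status_per_host(conn):
    """Assumed extension: latest status for every host in a combined table."""
    rows = conn.execute(STATUS_QUERY + " GROUP BY host").fetchall()
    return {host: status for _updated, host, status in rows}


if __name__ == "__main__":
    db = build_asl_table(SAMPLE_ROWS)
    print(latest_status(db, "mac-01"))
    print(status_per_host(db))
```

Because the query uses 'localtime', the timestamp column depends on the machine's time zone; compare the host and status fields when checking results across machines.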


1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved