CB LiveOps: Query Builder Returns Zero Results


Article ID: 285129


Updated On:


Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)


  • Zero results returned when running a LiveQuery made using the Query Builder
  • Query uses the shell_history table


  • CB LiveOps Web Console: All Versions


  • The shell_history table needs to be JOINed to the users table in order to obtain results
  • The Query Builder GUI does not provide the ability to use the SQL JOIN clause


  • The query will need to be run using the SQL Tab instead of the Query Builder GUI
  • An example of this query would be: 
    SELECT u.username,sh.time,sh.command,sh.history_file 
    FROM users AS u 
    JOIN shell_history AS sh USING(uid);

Additional Information

Although only the shell_history table is offered in the Query Builder GUI, the following tables also need to be JOINed to another table in order to return results:

  • chrome_extensions - All OSs
  • crashes - OSX
  • browser_plugins - OSX
  • safari_extensions - OSX
  • preferences - OSX
  • opera_extensions - OSX, Linux
  • firefox_addons - OSX, Linux
  • known_hosts - OSX, Linux
  • authorized_keys - OSX, Linux
  • user_ssh_keys - OSX, Linux
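
The same JOIN pattern applied to two of the tables listed above, for use in the SQL Tab. This is an added example, not part of the original article; the column names are assumed from the public osquery schema and may differ between sensor versions.

```sql
-- Added example: per-user SSH authorized keys (OSX, Linux).
-- Joining on uid makes the query evaluate authorized_keys once per local user,
-- the same way the shell_history example in this article does.
SELECT u.username,
       u.uid,
       u.directory,      -- home directory the key file was found under
       ak.algorithm,
       ak.key_file,
       ak.key
FROM users AS u
JOIN authorized_keys AS ak USING(uid)
ORDER BY u.username, ak.key_file;

-- Added example: Chrome extensions installed per user (All OSs).
SELECT u.username,
       ce.name,
       ce.identifier,
       ce.version,
       ce.path
FROM users AS u
JOIN chrome_extensions AS ce USING(uid)
ORDER BY u.username, ce.name;
```

Run each statement as its own query. If a column is rejected, check the table's schema for the sensor version in use and drop or rename that column.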