CB LiveOps: Query Builder Returns Zero Results

Article ID: 285129

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

  • Zero results returned when running a LiveQuery made using the Query Builder
  • Query uses the shell_history table

Environment

  • CB LiveOps Web Console: All Versions

Cause

  • The shell_history table needs to be JOINed to the users table in order to obtain results
  • The Query Builder GUI does not provide the ability to use the SQL JOIN clause

Resolution

  • The query will need to be run using the SQL Tab instead of the Query Builder GUI
  • An example of this query would be: 
    SELECT u.username,sh.time,sh.command,sh.history_file 
    FROM users AS u 
    JOIN shell_history AS sh USING(uid);

Additional Information

Although only the shell_history table is offered in the Query Builder GUI, the following tables also need to be JOINed to another table for results to come back:

  • chrome_extensions - All OSs
  • crashes - OSX
  • browser_plugins - OSX
  • safari_extensions - OSX
  • preferences - OSX
  • opera_extensions - OSX, Linux
  • firefox_addons - OSX, Linux
  • known_hosts - OSX, Linux
  • authorized_keys - OSX, Linux
  • user_ssh_keys - OSX, Linux
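
The same JOIN pattern applied to two of the tables listed above, for use in the SQL Tab on OSX and Linux endpoints. This is an added example, not part of the original article; the column names are assumed from the standard osquery schema and should be checked against the table reference in the console.

```sql
-- Added example, not from the original article.
-- Column names are assumed from the standard osquery schema.

-- Every SSH public key authorized to log in as each local account.
-- u.shell helps spot keys attached to accounts that should not be interactive.
SELECT u.username,
       u.shell,
       ak.algorithm,
       ak.key_file
FROM users AS u
JOIN authorized_keys AS ak USING(uid);

-- Private SSH keys stored on disk without a passphrase (encrypted = 0),
-- listed per user so the owner can be asked to protect or rotate them.
SELECT u.username,
       u.directory,
       k.path
FROM users AS u
JOIN user_ssh_keys AS k USING(uid)
WHERE k.encrypted = 0;
```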