Audit and Remediation: How to Free-Form Query Endpoints
search cancel

Audit and Remediation: How to Free-Form Query Endpoints


Article ID: 289756


Updated On:


Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)


Run a custom query using Audit and Remediation


  • Carbon Black Cloud Console: 0.38 Release and higher
    • Audit and Remediation
  • Carbon Black Cloud Linux Sensor: 2.3.x.x and Higher
  • Carbon Black Cloud macOS Sensor: 3.3.x.x and Higher
  • Carbon Black Cloud Windows Sensor: 3.3.x.x and Higher


  1. Go to Live Query > New Query
  2. Click SQL Query tab
  3. Enter name of query for reference (required)
  4. Enter desired query in SQL box
  5. Select specific Policy(ies) or Endpoint(s) as desired
  6. Click Run

    Additional Information

    Results can take some time to be returned. This is expected behavior. If you need assistance with SQL syntax, or table schema, please refer to the documentation links for each in the "SQL Query" tab.
    • A summary email can be sent, indicating the results are available in the console by selecting the "Email me when complete" option when creating the query
    • On submitting a query, either a green( success) status message, or a red( failure) message will be displayed
      • For failure messages, please note the message, adjust the query, and try again
      • For success messages, please continue to monitor the Live Query console for results to be returned, or look for an email to be sent when the query completes, then come back to the console to view results