Cb LiveOps: Querying User Account Certificates Returns No Results
Article ID: 289846
Updated On:
Products
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Issue/Introduction
- Querying the certificates table in LiveQuery returns items in the System/Local Computer store, not from the user account or personal store
- Running same query using osqueryi on an endpoint returns all certificates from user and local computer stores
Environment
- Cb Defense PSC Console: All Versions
- Cb Defense Sensor: Version 3.3 and Higher
- Microsoft Windows: All Supported Versions
- Cb LiveOps: LiveQuery page
Cause
- Cb Defense Sensor runs queries in local system/local machine context only
Resolution
- Query needs to be run in the user context to get results that include personal certificates
- Run the query directly from osqueryi on the endpoint to return results from the user/personal and the local/machine account store
Additional Information
- LiveQuery only runs in the local system context, no user impersonation available
- Results for other contexts (such as user) will not be returned
Feedback
Yes
No
Powered by
