Cb LiveQuery : How to Query Endpoints Using Query Builder

Article ID: 290017

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

Use the Query Builder in LiveQuery to query endpoints.

Environment

  • Cb Live Query: Current Version
  • Cb Defense Web Console: .38 Release and higher
  • Cb Defense Sensor: Version 3.3 and higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. Log in to PSC and navigate to the "Live Query" page
  2. Under "New Query", choose the "Query Builder" tab
  3. Select the table you wish to query from the "Select a table" list.
  4. Under "Select a field", select one of the following options:
    • Select "All Fields"
    • Select a specific field, and enter a value you wish to search for. For additional fields, click the "+" button
  5. From the "Select a policy" dropdown list, choose a policy containing endpoints you want to run the query on
  6. Give your query a name in the "Query name" box
  7. If you wish to have an email sent when the query completes, check "Email me when complete"
  8. Click "Run". You will get either a green (success) status message or a red (failure) message
    • For failure messages, please note the message, adjust your query, and try again
    • For success messages, please continue to monitor the Live Query console for results to be returned. If you checked the email option, look for an email when the query completes, then come back to the console to view results.

Additional Information

Depending on what the query does, results can take some time to be returned. This is expected behavior. If you need assistance with SQL syntax or table schema, please refer to the documentation links for each in the "SQL Query" tab.