Audit and Remediation: 'SELECT * FROM file' without WHERE clause returns only 'Not Matched'
Article ID: 290283
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Trying to search without a WHERE clause returns no results, only Not Matched on the file table
- Query shows as complete, but no device returns results
Example SELECT * FROM file; Results All devices included in query show 'Not Matched'
Environment
- Carbon Black Cloud Console: All Versions
- Audit and Remediation (was CB LiveOps)
- OS Query: 2.11.2 - Current
Cause
The file table requires a WHERE clause (otherwise known as an argument) to return results
Resolution
Ensure searches against the file table and any other table requiring arguments include a WHERE clause
Additional Information
- Review the documentation on Tables with arguments and the OSQL Schema page for details on which tables require arguments
- Typically tables with a large number of non-repeating data (like all files and directories for a given machine) will require a WHERE clause to run successfully
- OSQL reports identifying tables requiring arguments with a dropper icon, maintenance of this list is not under the control of VMware Carbon Black
Feedback
Yes
No
Powered by
