The following examples show some types of queries you can make with the Live Inventory SDK. Each query must use the das database.
Listing Malicious Files
If you have Carbon Black File Reputation enabled, you can use the following query to get a listing of the file names and prevalence of all malicious files determined to be on your systems that run the Carbon Black App Control Agent:
USE das
SELECT First_Seen_Path, First_Seen_Name, Sha256, Threat,
Trust, Prevalence
FROM bit9_public.ExFileCatalog
WHERE Threat IN ('2 - Malicious', '1 - Potential risk') ORDER BY First_Seen_Path,
First_Seen_Name
If you run this query and there is data available, the output will be similar to the following:
| First_Seen_Path |
First_Seen_Name |
Sha256* |
Threat |
Trust |
Prev. |
|---|---|---|---|---|---|
| c:\temp\folder1 |
myfileapp.exe |
46b8... |
1 - Potential risk |
2 |
1 |
| c:\documents and settings\user1 |
numbergen.exe |
552e... |
1 - Potential risk |
1 |
1 |
| c:\documents and settings\user2 |
makemess.exe |
4d9a... |
1 - Potential risk |
3 |
1 |
| c:\hp\bin |
endprocess.exe |
1effc... |
1 - Potential risk |
3 |
13 |
| c:\program files\mywebapp\ |
f4dothis.dll |
abcd... |
2 - Malicious |
0 |
1 |
| c:\jobfiles |
myway.exe |
2345... |
2 - Malicious |
0 |
1 |
*:Sha56 field will be fully expressed. It is truncated in this table due to formatting restictions.
Listing App Control Agent Systems by Policy and Enforcement Level
You can use the following query to determine how many systems are running the agent and group the results by Policy and Enforcement Level:
USE das
SELECT Policy, Enforcement_Level, Disconnected_Level, COUNT(*)
AS Computer_Count
FROM bit9_public.ExComputers
GROUP BY Policy, Enforcement_Level, Disconnected_Level ORDER BY Policy
If you run this query and there is data available, the output will be similar to the following:
| Policy |
Connected_Enforcement_Level |
Disconnected_Enforcement_Level |
Count |
|---|---|---|---|
| Agent Disabled |
None (Disabled) |
None (Disabled) |
3 |
| Research Team |
Medium (Prompt Unapproved) |
Medium (Prompt Unapproved) |
6 |
| Default Policy |
None (Visibility) |
None (Visibility) |
1 |
| General Office |
High (Block Unapproved) |
High (Block Unapproved) |
49 |
| Guest Policy |
High (Block Unapproved) |
High (Block Unapproved) |
1 |
| IT Group |
Low (Monitor Unapproved) |
Low (Monitor Unapproved) |
11 |
Listing New Unapproved Files by Policy
You can use the following query to determine how many new unapproved files have appeared during the past 24 hours, and group the results by Policy:
USE das
SELECT Policy, COUNT(*) FROM bit9_public.ExFileInstances fi
JOIN bit9_public.ExComputers c
ON c.Computer_Id = fi.Computer_Id
WHERE fi.Date_Created>DATEADD(day, -1, GetUTCDate()) AND
Local_State = 'Unapproved'
GROUP BY Policy
ORDER BY COUNT(*) DESC
If you run this query and there is data available, the output will be similar to the following:
| Policy |
New Unapproved File Count |
|---|---|
| Research Team |
529 |
| General Office |
101 |
| IT Group |
257 |
Listing New Unapproved Files by Computer and Policy
You can use the following query to determine how many new unapproved files have appeared during the past 24 hours, and group the results by Computer and Policy:
USE das
SELECT c.Computer, c.Policy, COUNT(*) as Unapproved_Count FROM bit9_public.ExFileInstances
fi
JOIN bit9_public.ExComputers c
ON c.Computer_Id = fi.Computer_Id
WHERE fi.Date_Created>DATEADD(day, -1, GetUTCDate()) AND Local_State = 'Unapproved'
GROUP BY c.Computer, c.Policy
ORDER BY COUNT(*) DESC
If you run this query and there is data available, the output will be similar to the following:
| Computer Name |
Policy |
New Unapproved File Count |
|---|---|---|
| MYCORP\DESKTOP-3 |
Research Team |
307 |
| MYCORP\LAPTOP-1 |
General Office |
215 |
| MYCORP\LAPTOP-4 |
Research Team |
32 |
| MYCORP\DESKTOP-8 |
IT Group |
3 |
| MYCORP\DESKTOP-10 |
General Office |
2 |
| MYCORP\LAPTOP-7 |
General Office |
1 |
