The following examples show some types of queries you can make with the Live Inventory SDK. Each query must use the das
database.
Listing Malicious Files
If you have Carbon Black File Reputation enabled, you can use the following query to get a listing of the file names and prevalence of all malicious files determined to be on your systems that run the Carbon Black App Control Agent:
USE das SELECT First_Seen_Path, First_Seen_Name, Sha256, Threat, Trust, Prevalence FROM bit9_public.ExFileCatalog WHERE Threat IN ('2 - Malicious', '1 - Potential risk') ORDER BY First_Seen_Path, First_Seen_Name
If you run this query and there is data available, the output will be similar to the following:
First_Seen_Path |
First_Seen_Name |
Sha256* |
Threat |
Trust |
Prev. |
---|---|---|---|---|---|
c:\temp\folder1 |
myfileapp.exe |
46b8... |
1 - Potential risk |
2 |
1 |
c:\documents and settings\user1 |
numbergen.exe |
552e... |
1 - Potential risk |
1 |
1 |
c:\documents and settings\user2 |
makemess.exe |
4d9a... |
1 - Potential risk |
3 |
1 |
c:\hp\bin |
endprocess.exe |
1effc... |
1 - Potential risk |
3 |
13 |
c:\program files\mywebapp\ |
f4dothis.dll |
abcd... |
2 - Malicious |
0 |
1 |
c:\jobfiles |
myway.exe |
2345... |
2 - Malicious |
0 |
1 |
*:Sha56
field will be fully expressed. It is truncated in this table due to formatting restictions.
Listing App Control Agent Systems by Policy and Enforcement Level
You can use the following query to determine how many systems are running the agent and group the results by Policy and Enforcement Level:
USE das SELECT Policy, Enforcement_Level, Disconnected_Level, COUNT(*) AS Computer_Count FROM bit9_public.ExComputers GROUP BY Policy, Enforcement_Level, Disconnected_Level ORDER BY Policy
If you run this query and there is data available, the output will be similar to the following:
Policy |
Connected_Enforcement_Level |
Disconnected_Enforcement_Level |
Count |
---|---|---|---|
Agent Disabled |
None (Disabled) |
None (Disabled) |
3 |
Research Team |
Medium (Prompt Unapproved) |
Medium (Prompt Unapproved) |
6 |
Default Policy |
None (Visibility) |
None (Visibility) |
1 |
General Office |
High (Block Unapproved) |
High (Block Unapproved) |
49 |
Guest Policy |
High (Block Unapproved) |
High (Block Unapproved) |
1 |
IT Group |
Low (Monitor Unapproved) |
Low (Monitor Unapproved) |
11 |
Listing New Unapproved Files by Policy
You can use the following query to determine how many new unapproved files have appeared during the past 24 hours, and group the results by Policy:
USE das SELECT Policy, COUNT(*) FROM bit9_public.ExFileInstances fi JOIN bit9_public.ExComputers c ON c.Computer_Id = fi.Computer_Id WHERE fi.Date_Created>DATEADD(day, -1, GetUTCDate()) AND Local_State = 'Unapproved' GROUP BY Policy ORDER BY COUNT(*) DESC
If you run this query and there is data available, the output will be similar to the following:
Policy |
New Unapproved File Count |
---|---|
Research Team |
529 |
General Office |
101 |
IT Group |
257 |
Listing New Unapproved Files by Computer and Policy
You can use the following query to determine how many new unapproved files have appeared during the past 24 hours, and group the results by Computer and Policy:
USE das SELECT c.Computer, c.Policy, COUNT(*) as Unapproved_Count FROM bit9_public.ExFileInstances fi JOIN bit9_public.ExComputers c ON c.Computer_Id = fi.Computer_Id WHERE fi.Date_Created>DATEADD(day, -1, GetUTCDate()) AND Local_State = 'Unapproved' GROUP BY c.Computer, c.Policy ORDER BY COUNT(*) DESC
If you run this query and there is data available, the output will be similar to the following:
Computer Name |
Policy |
New Unapproved File Count |
---|---|---|
MYCORP\DESKTOP-3 |
Research Team |
307 |
MYCORP\LAPTOP-1 |
General Office |
215 |
MYCORP\LAPTOP-4 |
Research Team |
32 |
MYCORP\DESKTOP-8 |
IT Group |
3 |
MYCORP\DESKTOP-10 |
General Office |
2 |
MYCORP\LAPTOP-7 |
General Office |
1 |