Live Query extension tables are available for Windows 3.8+ sensors. These tables provide insight into the Carbon Black Cloud Windows sensor.

Table 1. cb_sensor_canaries

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| name | TEXT | Full path name of the canary file | 3.9+ |
| cloud_id | INTEGER | Identifier that the cloud-provided config has assigned to the canary file | 3.9+ |
| hidden_file | INTEGER | Boolean value indicating whether the file has the Hidden attribute set | 3.9+ |
| hidden_destination_dir | INTEGER | Boolean value indicating whether the sensor created the destination directory with the Hidden attribute | 3.9+ |
| system_file | INTEGER | Boolean value indicating whether the file has the System attribute set | 3.9+ |
| system_destination_dir | INTEGER | Boolean value indicating whether the sensor created the destination directory with the System attribute | 3.9+ |
| same_name | INTEGER | Boolean value indicating whether the previous canary file at this location had the same name | 3.9+ |
| file_creation_time | UNSIGNED_BIGINT | Creation time of the file, in milliseconds since the Unix epoch | 3.9+ |
| fize_size | UNSIGNED_BIGINT | Size of the file in bytes | 3.9+ |

Note: The cb_sensor_canaries extension returns details of the canary files deployed by the Carbon Black Cloud Windows sensor.
Table 2. cb_sensor_compliance_scan_results

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| rule_guid | TEXT | The scan rule GUID | 3.9+ |
| policy_guid | TEXT | The policy GUID | 3.9+ |
| rule_description | TEXT | The scan rule description | 3.9+ |
| policy_description | TEXT | The policy description | 3.9+ |
| policy_revision | TEXT | The policy revision | 3.9+ |
| scan_result | TEXT | The compliance scan result: PASS, FAIL or UNKNOWN | 3.9+ |
| scan_settings | TEXT | The compliance scan settings that were run on the system | 3.9+ |

Note: The cb_sensor_compliance_scan_results extension returns the results of compliance scans performed by the Carbon Black Cloud Windows sensor.
Table 3. cb_sensor_counters

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| name | TEXT | Name of the counter | 3.8+ |
| value | UNSIGNED_BIGINT | (Non-duration counters) Number of times the counter was triggered | 3.8+ |
| total | UNSIGNED_BIGINT | (Duration counters) Total time, in ms | 3.8+ |
| count | UNSIGNED_BIGINT | (Duration counters) Number of times the counter was hit | 3.8+ |
| min | UNSIGNED_BIGINT | (Duration counters) Minimum time spent in one pass-through, in ms | 3.8+ |
| max | UNSIGNED_BIGINT | (Duration counters) Maximum time spent in one pass-through, in ms | 3.8+ |

Note: The cb_sensor_counters extension returns the current counter values for the Carbon Black Cloud Windows sensor. Sensor counters track sensor actions that have occurred since the last sensor restart.
Table 4. cb_sensor_configprops

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| name | TEXT | Name of the configprop | 3.8+ |
| value | TEXT | Value of the configprop | 3.8+ |
| is_kernel_configprop | INTEGER | 1: kernel configprop; 0: user-mode configprop | 3.8+ |

Note: The cb_sensor_configprops extension returns the current configprop names and values for the Carbon Black Cloud Windows sensor. Config props are a collection of sensor settings that are set at installation time, based on console settings and installation parameters.
Table 5. cb_sensor_curl

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| url | TEXT | The URL for the request (required)* | 3.9+ |
| method | TEXT | The HTTP method for the request. Currently the only supported method is "GET" | 3.9+ |
| response_code | INTEGER | The HTTP status code of the response | 3.9+ |
| round_trip_time | UNSIGNED_BIGINT | Time taken to complete the request, in milliseconds | 3.9+ |
| bytes | UNSIGNED_BIGINT | Number of bytes in the response | 3.9+ |
| result | TEXT | The HTTP response body | 3.9+ |
| curl_code | TEXT | The curl result code plus its human-readable description | 3.9+ |
| tls_protocol_version | TEXT | TLS protocol version number | 3.9+ |
| cert_subject | TEXT | Subject of the server-side certificate | 3.9+ |
| cert_issuer | TEXT | Issuer of the server-side certificate | 3.9+ |
| cert_public_key | TEXT | The public key of the server-side certificate (DER format) | 3.9+ |
| cipher_algorithm | TEXT | The negotiated bulk encryption cipher algorithm | 3.9+ |
| key_exchange_algorithm | TEXT | The negotiated key exchange algorithm | 3.9+ |
| mac_hash_algorithm | TEXT | The negotiated Message Authentication Code (MAC) hash algorithm | 3.9+ |
| cipher_strength | INTEGER | The strength of the bulk encryption cipher | 3.9+ |
| key_exchange_strength | INTEGER | The key exchange algorithm length, in bits | 3.9+ |
| mac_hash_strength | INTEGER | The strength of the MAC hash | 3.9+ |
| is_tls_version_safe | INTEGER | Boolean value indicating whether the TLS protocol version is deemed "safe" by the current sensor configuration | 3.9+ |
| is_tls_suite_safe | INTEGER | Boolean value indicating whether the TLS cipher suite is deemed "safe" by the current sensor configuration | 3.9+ |
| is_tls_cert_safe | INTEGER | Boolean value indicating whether the TLS certificate is deemed "safe" by the current sensor configuration | 3.9+ |
| configprop_overrides_successful | INTEGER | Boolean value indicating whether the 'configprop_test_overrides' were successfully applied | 3.9+ |
| configprop_test_overrides | TEXT | JSON-formatted configprop overrides that are applied to the sensor temporarily, for the duration of the HTTP GET performed against the provided 'url'. Get technical help when attempting to craft the JSON | 3.9+ |
| proxy_server | TEXT | INPUT: proxy server string that the sensor should use when attempting to establish the curl connection. OUTPUT: proxy server string that the sensor used while attempting to establish the curl connection | 3.9+ |
| proxy_credential_override | TEXT | INPUT: proxy server credentials that the sensor should use during the curl request, in the format "user:password" (only relevant if a proxy_server INPUT is also in use) | 3.9+ |
| use_alternate_cloud_port | TEXT | INPUT: Boolean value ('1' or '0') controlling whether the sensor should use the alternate cloud port (54443). OUTPUT: Boolean value ('1' or '0') indicating whether the sensor used the alternate cloud port (54443) | 3.9+ |

Note: The cb_sensor_curl extension performs an HTTP GET request against the provided 'url' using the Carbon Black Cloud Windows sensor's current curl configuration settings.
Note:
  • Required: Must be present in the 'where' clause.
  • *Limitation: Do not use 'url' with a SQL "LIKE". It must be an exact value (url='<full_http_url>').
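The following queries are added examples for this page and are not part of the original documentation. The first passes the required 'url' as an exact value together with the optional INPUT columns through the WHERE clause (the same mechanism the table uses for 'url'; treating proxy_server and use_alternate_cloud_port as WHERE-clause inputs is an assumption), and selects the negotiated TLS details and the sensor's three "safe" verdicts for review. The URL and proxy host are constructed placeholders. The second query returns a row only when at least one of the verdicts is 0, which is a convenient shape for a scheduled connectivity check.

```sql
-- Added example (not from the original documentation). Assumptions:
--   * the endpoint https://example.com/ and proxy host proxy.example.internal
--     are constructed placeholders; replace with the real cloud endpoint and proxy;
--   * optional INPUT columns (proxy_server, use_alternate_cloud_port) are
--     supplied through the WHERE clause in the same way as the required 'url'.
-- 'url' must be an exact value: a LIKE pattern is not supported here.
SELECT
    url,
    response_code,
    curl_code,
    round_trip_time,
    bytes,
    tls_protocol_version,
    cipher_algorithm,
    key_exchange_algorithm,
    key_exchange_strength,
    mac_hash_algorithm,
    cert_subject,
    cert_issuer,
    is_tls_version_safe,
    is_tls_suite_safe,
    is_tls_cert_safe,
    proxy_server,               -- OUTPUT: the proxy the sensor actually used
    use_alternate_cloud_port    -- OUTPUT: '1' if port 54443 was used
FROM cb_sensor_curl
WHERE url = 'https://example.com/'
  AND proxy_server = 'proxy.example.internal:8080'
  AND use_alternate_cloud_port = '0';

-- Same request, but only return a row when the sensor's own configuration
-- judged any part of the TLS session unsafe (a non-empty result is the signal).
SELECT
    url,
    tls_protocol_version,
    cipher_algorithm,
    cert_issuer,
    is_tls_version_safe,
    is_tls_suite_safe,
    is_tls_cert_safe,
    curl_code
FROM cb_sensor_curl
WHERE url = 'https://example.com/'
  AND (is_tls_version_safe = 0
       OR is_tls_suite_safe = 0
       OR is_tls_cert_safe = 0);
```

Because the verdict columns are computed from the sensor's current configuration rather than from a fixed standard, a 0 in any of them should be read together with tls_protocol_version, cipher_algorithm and cert_issuer to tell a genuinely weak server from an interception proxy presenting its own certificate.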
Table 6. cb_sensor_devices

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| device_type | TEXT | The device type (for example, "DISK", "CDROM") | 3.8+ |
| interface_type | TEXT | The interface through which the device is connected (for example, "SCSI", "USB") | 3.8+ |
| manufacturer | TEXT | The manufacturer of the device | 3.8+ |
| model_name | TEXT | The model name of the device | 3.8+ |
| friendly_name | TEXT | The user-friendly display name of the device | 3.8+ |
| product_id | TEXT | The product ID of the device | 3.8+ |
| serial_number | TEXT | The serial number of the device | 3.8+ |
| vendor_id | TEXT | The vendor ID of the device | 3.8+ |
| drive_letter | TEXT | The drive letter to which the device is mapped | 3.8+ |
| volume_guid | TEXT | The GUID of the device's storage volume | 3.8+ |

Note: The cb_sensor_devices extension returns details of the devices currently detected by the Carbon Black Cloud Windows sensor.
Table 7. cb_sensor_files

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| name | TEXT | Path name of the file (required) | 3.8+ |
| hash | TEXT | Hex string of the file's SHA256 hash (key, required) | 3.8+ |
| md5 | TEXT | Hex string of the file's MD5 hash (required) | 3.8+ |
| size | INTEGER | File size in bytes | 3.8+ |
| company | TEXT | The company that produces the file | 3.8+ |
| product | TEXT | The product the file belongs to | 3.8+ |
| version | TEXT | The product version | 3.8+ |
| original_name | TEXT | The original name of the file; it is not affected by renaming of the file | 3.8+ |
| description | TEXT | The description of the file | 3.8+ |
| file_version | TEXT | The file version; it may differ from the product version | 3.8+ |
| copyright | TEXT | Copyright information | 3.8+ |
| file_flags | TEXT | Properties of the file detected by the sensor | 3.8+ |
| locale | TEXT | Language | 3.8+ |
| signature_signer | TEXT | Who signed the file (required) | 3.8+ |
| signature_issuer | TEXT | Who issued the signing certificate | 3.8+ |
| signature_state | TEXT | File signing state | 3.8+ |
| resolved_reputation | TEXT | The resolved (applied) reputation | 3.8+ |
| resolved_reputation_source | TEXT | The source from which the reputation was obtained during resolution | 3.8+ |

Note: The cb_sensor_files extension returns file information gathered by the Carbon Black Cloud Windows sensor: file metadata, the applied reputation, and certificate details.
Note:
  • Required: At least one required column must appear in the 'where' clause to narrow the result. If multiple required columns are listed, any one of them satisfies the requirement, and they can be combined with AND or OR.
    Examples:
    SELECT * FROM cb_sensor_files WHERE name LIKE '%cmd.exe';
    SELECT * FROM cb_sensor_files WHERE hash IS 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450';
    SELECT * FROM cb_sensor_files WHERE signature_signer LIKE '%windows%';
  • Limitation: Searching by hash (SHA256 or MD5) does not support 'LIKE %'. The condition must be an exact match.
Table 8. cb_sensor_files_ex

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| names | TEXT | All path names of the file known to the sensor (required) | 3.8+ |
| hash | TEXT | Hex string of the file's SHA256 hash (key, required) | 3.8+ |
| md5 | TEXT | Hex string of the file's MD5 hash (required, hidden) | 3.8+ |
| signature_signer | TEXT | Who signed the file (required, hidden) | 3.8+ |
| dob | TEXT | The file's date of birth | 3.8+ |
| hash_state | TEXT | The state of the reputation for this hash | 3.8+ |
| executed | TEXT | The last time the file was seen executing | 3.8+ |
| tracked_execution_count | INTEGER | Number of times the sensor saw the file executed | 3.8+ |
| psc_info | TEXT | Extra information detected by the sensor | 3.8+ |
| kernel_cache_residency | TEXT | The residency status of the file in the kernel cache | 3.8+ |
| persisted | INTEGER | 1: persisted in the database; 0: only in memory | 3.8+ |
| cache_lookup_count | INTEGER | Cache-hit count | 3.8+ |
| ux_info | TEXT | Information used for display | 3.8+ |
| apc_risk_level | INTEGER | The risk level for non-malware detected by the local scanner. -2: not detected; -1: no risk; 0~7: extremely low to extremely high | 3.8+ |
| policy_delays | TEXT | Summary of Defense policy delays | 3.8+ |
| defense_policy | TEXT | Summary of the Defense policy | 3.8+ |
| rules | TEXT | Summary of Defense rules | 3.8+ |

Note: The cb_sensor_files_ex extension returns file information gathered by the Carbon Black Cloud Windows sensor. It extends the information in the cb_sensor_files table with more detailed policy information and other file-related statistics that the sensor caches.
Note:
  • Required: At least one required column must appear in the "where" clause to narrow the result. If multiple required columns are listed, any one of them satisfies the requirement, and they can be combined with AND or OR.
    Examples:
    SELECT * FROM cb_sensor_files_ex WHERE names LIKE '%cmd.exe';
    SELECT * FROM cb_sensor_files_ex WHERE hash IS 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450';
    SELECT * FROM cb_sensor_files_ex WHERE signature_signer LIKE '%windows%';
  • Hidden: Not returned by 'select *'. Must be listed explicitly in the 'select' fields.
  • Limitation: Searching by hash (SHA256 or MD5) does not support 'LIKE %'. The condition must be an exact match.
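The two queries below are added examples for the cb_sensor_files and cb_sensor_files_ex notes above; they are not from the original documentation. The first shows a required column (name) narrowing the cb_sensor_files result while non-required columns are selected for triage; the second shows that the hidden cb_sensor_files_ex columns (md5, signature_signer) must be named explicitly in the SELECT list, and that a hash lookup must be an exact match. The SHA256 value is the one used in the documentation's own examples; 'powershell.exe' is a constructed filter value.

```sql
-- Added example (not from the original documentation).
-- cb_sensor_files: 'name' is one of the required columns, so it narrows the
-- result set; the other selected columns carry no WHERE requirement.
-- The trailing-wildcard pattern is a constructed filter value.
SELECT
    name,
    hash,
    size,
    company,
    original_name,           -- survives a rename of the on-disk file
    signature_signer,
    signature_issuer,
    signature_state,
    resolved_reputation,
    resolved_reputation_source
FROM cb_sensor_files
WHERE name LIKE '%powershell.exe';

-- cb_sensor_files_ex: md5 and signature_signer are hidden, so they are
-- omitted by SELECT * and have to be listed by name. The hash predicate
-- must be an exact value; LIKE is not supported for SHA256/MD5 lookups.
-- The hash below is the documentation's own example value.
SELECT
    names,
    hash,
    md5,                     -- hidden column, requested explicitly
    signature_signer,        -- hidden column, requested explicitly
    dob,
    hash_state,
    executed,
    tracked_execution_count,
    apc_risk_level,          -- -2 not detected, -1 no risk, 0..7 increasing risk
    persisted,
    kernel_cache_residency
FROM cb_sensor_files_ex
WHERE hash = 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450';
```

When a Live Query returns an empty result for cb_sensor_files_ex, check the WHERE clause first: a missing required column or a LIKE pattern on hash or md5 is a far more common cause than the file being absent from the sensor cache.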
Table 9. cb_sensor_logon_sessions

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| unique_logon_id | TEXT | On Windows, the LUID in ########-######## format | 3.9+ |
| linked_unique_logon_id | TEXT | On Windows, the LUID of the linked logon session in ########-######## format | 3.9+ |
| session | INTEGER | A Terminal Services session identifier | 3.9+ |
| user_id | TEXT | On Windows, the SID | 3.9+ |
| user_name | TEXT | The account name of the security principal that owns the logon session | 3.9+ |
| user_domain_name | TEXT | The name of the domain used to authenticate the owner of the logon session | 3.9+ |
| user_principal_name | TEXT | The user principal name or email address of the owner of the logon session | 3.9+ |
| logon_type | TEXT | The value that identifies the logon method | 3.9+ |
| logon_time | TEXT | The time the session owner logged on | 3.9+ |
| logon_server | TEXT | The name of the server used to authenticate the owner of the logon session | 3.9+ |
| authentication_package | TEXT | The name of the authentication package used to authenticate the owner of the logon session | 3.9+ |
| dns_domain_name | TEXT | The DNS domain name of the owner of the logon session | 3.9+ |
| password_last_set | TEXT | The time the user last changed the password | 3.9+ |
| last_logon_time | TEXT | The time the session owner most recently logged on successfully | 3.9+ |
| last_failed_logon_time | TEXT | The time of the most recent failed logon attempt | 3.9+ |
| failed_logon_attempts | INTEGER | The number of failed logon attempts since the last successful logon | 3.9+ |
| active | INTEGER | Boolean value: 1 if the logon session is still active, 0 if it recently ended | 3.9+ |

Note: The cb_sensor_logon_sessions extension returns logon session information gathered by the Carbon Black Cloud Windows sensor.
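An added example for the table above, not from the original documentation. The first query lists sessions whose owner accumulated failed logon attempts before the current successful logon, with the columns an analyst needs to tell interactive, network and service logons apart; the second self-joins the table on linked_unique_logon_id to show each session next to its linked counterpart. Both queries use only the columns documented above; no specific logon_type or authentication_package values are assumed.

```sql
-- Added example (not from the original documentation).
-- Sessions whose owner had failed logon attempts before the current
-- successful logon, most failures first. Still-active sessions are listed
-- alongside recently ended ones so the 'active' flag can be read per row.
SELECT
    unique_logon_id,
    session,
    user_domain_name,
    user_name,
    user_principal_name,
    logon_type,               -- identifies the logon method
    authentication_package,   -- e.g. the package used for this logon
    logon_server,
    logon_time,
    last_failed_logon_time,
    failed_logon_attempts,
    active
FROM cb_sensor_logon_sessions
WHERE failed_logon_attempts > 0
ORDER BY failed_logon_attempts DESC, logon_time DESC;

-- Pair each session with its linked session via the LUID reference.
-- A LEFT JOIN keeps sessions that have no linked counterpart (empty or
-- unmatched linked_unique_logon_id) so nothing is silently dropped.
SELECT
    s.unique_logon_id,
    s.user_name,
    s.logon_type,
    s.active,
    l.unique_logon_id  AS linked_id,
    l.logon_type       AS linked_logon_type,
    l.active           AS linked_active
FROM cb_sensor_logon_sessions AS s
LEFT JOIN cb_sensor_logon_sessions AS l
       ON l.unique_logon_id = s.linked_unique_logon_id
WHERE s.active = 1
ORDER BY s.user_name, s.logon_time;
```

The time columns are TEXT, so sorting by logon_time relies on the sensor emitting a lexically sortable timestamp format; if precise ordering matters, sort on failed_logon_attempts alone and inspect the times in the result.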
Table 10. cb_sensor_processes

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0" | 3.8+ |
| start_time | TEXT | The start time of the process in FileTime format (100-nanosecond intervals since January 1st, 1601) | 3.8+ |
| terminated | INTEGER | 1: already terminated; 0 or absent: still alive | 3.8+ |
| user_name | TEXT | The name of the user that launched the process | 3.8+ |
| user_sid | TEXT | The SID of the user that launched the process | 3.8+ |
| file_name | TEXT | The absolute DOS path of the backing executable file | 3.8+ |
| interpreted | INTEGER | 1: the process is a script; 0: the process is not a script. Can be empty for some processes (typically sensor processes) | 3.8+ |
| hash | TEXT | The SHA256 hash of the executable or script | 3.8+ |
| script_name | TEXT | The name of the backing script file, if the process is a script | 3.8+ |
| script_hash | TEXT | The hash of the backing script, if the process is a script | 3.8+ |
| cmd_line | TEXT | The command line of the process | 3.8+ |
| cmd_line_yara_tags | TEXT | YARA tag(s) that apply to the process command line | 3.9+ |
| parent_pid | INTEGER | The PID of the process that launched this process | 3.8+ |
| parent_id | TEXT | A formatted string that further identifies the parent process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0" | 3.8+ |
| parent_start_time | TEXT | The start time of the parent process in FileTime format (100-nanosecond intervals since January 1st, 1601) | 3.8+ |
| parent_cmd_line | TEXT | The command line of the parent process | 3.8+ |
| hosted_services | TEXT | For svchost processes, the underlying service being hosted | 3.8+ |
| tags | TEXT | Internal sensor tags that carry additional process metadata (for example, "Cb:Psc:ProcessIsCBService") | 3.8+ |
| file_type_tags | TEXT | Internal sensor tags that carry additional file-type metadata (for example, "Cb:Defense:Script:CmdScript") | 3.8+ |
| integrity_level | TEXT | The integrity level of the process | 3.8+ |
| elevated | INTEGER | 1: the process is elevated; 0: the process is not elevated | 3.8+ |
| privileges | TEXT | Privileges the process has enabled (for example, SeImpersonatePrivilege) | 3.8+ |

Note: The cb_sensor_processes extension returns process information gathered by the Carbon Black Cloud Windows sensor.
Table 11. cb_sensor_processes_policy

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0" | 3.8+ |
| policy_reputation | TEXT | The reputation of the process | 3.8+ |
| bypass_policy | TEXT | The bypass (ignore) policy assigned to the process | 3.8+ |
| allow_policy | TEXT | The allow (and log) policy assigned to the process | 3.8+ |
| terminate_policy | TEXT | The terminate policy assigned to the process | 3.8+ |
| deny_policy | TEXT | The deny policy assigned to the process | 3.8+ |
| parent_policy_reputation | TEXT | The reputation of the parent process | 3.8+ |
| parent_bypass_policy | TEXT | The bypass (ignore) policy assigned to the parent process | 3.8+ |
| parent_allow_policy | TEXT | The allow (and log) policy assigned to the parent process | 3.8+ |
| parent_terminate_policy | TEXT | The terminate policy assigned to the parent process | 3.8+ |
| parent_deny_policy | TEXT | The deny policy assigned to the parent process | 3.8+ |
| interpreter_policy_reputation | TEXT | If the process is a script, the reputation of the script interpreter | 3.8+ |
| interpreter_bypass_policy | TEXT | If the process is a script, the bypass policy assigned to the script interpreter | 3.8+ |
| interpreter_allow_policy | TEXT | If the process is a script, the allow policy assigned to the script interpreter | 3.8+ |
| interpreter_terminate_policy | TEXT | If the process is a script, the terminate policy assigned to the script interpreter | 3.8+ |
| interpreter_deny_policy | TEXT | If the process is a script, the deny policy assigned to the script interpreter | 3.8+ |
| script_policy_reputation | TEXT | If the process is a script, the reputation of the script | 3.8+ |
| script_bypass_policy | TEXT | If the process is a script, the bypass policy of the script itself | 3.8+ |
| script_allow_policy | TEXT | If the process is a script, the allow policy of the script itself | 3.8+ |
| script_terminate_policy | TEXT | If the process is a script, the terminate policy of the script itself | 3.8+ |
| script_deny_policy | TEXT | If the process is a script, the deny policy of the script itself | 3.8+ |
| applied_policy_reputation | TEXT | The reputation of the process, as applied by the kernel | 3.8+ |
| applied_bypass_policy | TEXT | The bypass policy of the process, as applied by the kernel | 3.8+ |
| applied_allow_policy | TEXT | The allow policy of the process, as applied by the kernel | 3.8+ |
| applied_terminate_policy | TEXT | The terminate policy of the process, as applied by the kernel | 3.8+ |
| applied_deny_policy | TEXT | The deny policy of the process, as applied by the kernel | 3.8+ |

Note: The cb_sensor_processes_policy extension returns process policy information gathered by the Carbon Black Cloud Windows sensor.
Table 12. cb_sensor_processes_reputation

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0" | 3.8+ |
| effective_reputation | TEXT | The effective reputation of the process | 3.8+ |
| effective_reputation_source | TEXT | The source of the effective reputation | 3.8+ |
| cloud | TEXT | The reputation of the process as determined by the cloud | 3.8+ |
| pre_existing | TEXT | The reputation of the process as determined by whether the executable/script was already present on the sensor prior to install | 3.8+ |
| av | TEXT | The reputation of the process as determined by local AV | 3.8+ |
| it_tool | TEXT | The reputation of the process, as determined by whether it was dropped by a trusted IT tool | 3.8+ |
| certificate | TEXT | The reputation of the process, as determined by whether it was signed using an approved certificate | 3.8+ |
| hash | TEXT | The reputation of the process, as determined by whether the hash is approved or banned | 3.8+ |
| cb_sensor | TEXT | The reputation of the process, as determined by whether it is a sensor process | 3.8+ |
| operating_system | TEXT | The reputation of the process, as determined by whether it is a pre-determined OS hash | 3.8+ |

Note: The cb_sensor_processes_reputation extension returns process reputation information gathered by the Carbon Black Cloud Windows sensor.
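The query below is an added example covering the three process tables above (cb_sensor_processes, cb_sensor_processes_policy and cb_sensor_processes_reputation); it is not from the original documentation. It joins the tables on the documented 'id' column rather than on 'pid', because 'id' embeds the start time and silo and therefore cannot confuse a live process with an earlier one that reused the same PID. The filter surfaces live, elevated processes that are either scripts or hold SeImpersonatePrivilege (the privilege named in the table above), together with the reputation inputs and the kernel-applied policy, so an analyst can see why the sensor treated the process as it did. No specific reputation or policy values are assumed.

```sql
-- Added example (not from the original documentation).
-- Join on 'id' (<pid>-<start_time>-<siloID>), not on 'pid': PIDs are reused,
-- the composite id is not. LEFT JOINs keep a process row even when the
-- policy or reputation table has no matching entry yet.
SELECT
    p.pid,
    p.id,
    p.user_name,
    p.file_name,
    p.cmd_line,
    p.cmd_line_yara_tags,               -- 3.9+ sensors only
    p.interpreted,
    p.script_name,
    p.integrity_level,
    p.elevated,
    p.privileges,
    p.parent_pid,
    p.parent_cmd_line,
    r.effective_reputation,
    r.effective_reputation_source,
    r.cloud,
    r.av,
    r.certificate,
    r.hash                      AS hash_reputation,
    pol.applied_policy_reputation,
    pol.applied_allow_policy,
    pol.applied_deny_policy,
    pol.applied_terminate_policy,
    pol.interpreter_policy_reputation,  -- populated only for scripts
    pol.script_policy_reputation        -- populated only for scripts
FROM cb_sensor_processes AS p
LEFT JOIN cb_sensor_processes_reputation AS r
       ON r.id = p.id
LEFT JOIN cb_sensor_processes_policy AS pol
       ON pol.id = p.id
WHERE (p.terminated IS NULL OR p.terminated = 0)   -- still alive
  AND p.elevated = 1
  AND (p.interpreted = 1
       OR p.privileges LIKE '%SeImpersonatePrivilege%')
ORDER BY p.start_time DESC;
```

Reading the result: effective_reputation tells you what the sensor concluded, the per-source columns (cloud, av, certificate, hash, ...) tell you which inputs drove that conclusion, and the applied_* columns from cb_sensor_processes_policy tell you what the kernel actually enforced for the process; a disagreement between the assigned and applied policy columns is usually the first thing to chase.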
Table 13. cb_sensor_status

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| category | TEXT | A categorical grouping of status information. General: general sensor details (sensor state, Device ID, policy name, etc.); Version: sensor version, SVN revision, third-party tool versions, etc.; BackgroundScan: details on the configuration and state of the background scan; Cloud: details about the sensor's connectivity to the Cloud backend; Queue: details about the current queue status; Diagnostic: logging level, maintenance mode, etc.; Rules: details about any applied DRE policies; LocalScanner: details pertaining to the local scanner configuration/state; Alarms: details on any triggered alarms | 3.8+ |
| name | TEXT | Name of the status data | 3.8+ |
| value | TEXT | Value of the status data | 3.8+ |

Note: The cb_sensor_status extension returns current status details for the Carbon Black Cloud Windows sensor. This data is similar to the output of the repcli status command.
Table 14. cb_sensor_volumes

| Column | Type | Description | Version |
| --- | --- | --- | --- |
| name | TEXT | The volume name | 3.8+ |
| guid | TEXT | The volume GUID | 3.8+ |
| file_system | TEXT | The volume's file system type (for example, NTFS, FASTFAT) | 3.8+ |
| device_type | INTEGER | The device type as defined by internal Windows values. See https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types | 3.8+ |
| device_characteristics | INTEGER | A bitmask of internal Windows values that provide additional information about the volume's device | 3.8+ |
| serial_number | INTEGER | The serial number of the volume | 3.8+ |
| alignment_requirement | INTEGER | An internal Windows value that defines the alignment requirement of the volume for data transfers | 3.8+ |
| sector_size | INTEGER | The volume sector size | 3.8+ |
| shadow_copy | INTEGER | 1: the volume is a shadow-copy or "snapshot" volume | 3.8+ |
| device_manufacturer | TEXT | The manufacturer of the volume's device | 3.8+ |
| device_name | TEXT | The name of the volume's device | 3.8+ |
| device_serial_number | TEXT | The serial number of the volume's device | 3.8+ |

Note: The cb_sensor_volumes extension returns details of the volumes currently detected by the Carbon Black Cloud Windows sensor.
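An added example joining cb_sensor_devices and cb_sensor_volumes, not from the original documentation. The two tables share the volume GUID (volume_guid on the device side, guid on the volume side), which makes it possible to list removable media with the file system and sector size of the volume they expose. The 'USB' interface_type value is the one given as an example in the cb_sensor_devices table; a LEFT JOIN keeps devices that currently have no mounted volume.

```sql
-- Added example (not from the original documentation).
-- Removable (USB-attached) devices with their mounted volume, if any.
-- Join key: cb_sensor_devices.volume_guid = cb_sensor_volumes.guid.
SELECT
    d.friendly_name,
    d.manufacturer,
    d.model_name,
    d.vendor_id,
    d.product_id,
    d.serial_number           AS device_serial,
    d.drive_letter,
    d.volume_guid,
    v.name                    AS volume_name,
    v.file_system,
    v.sector_size,
    v.shadow_copy,            -- 1 marks a snapshot volume, not a physical disk
    v.device_type             -- internal Windows FILE_DEVICE_* value
FROM cb_sensor_devices AS d
LEFT JOIN cb_sensor_volumes AS v
       ON v.guid = d.volume_guid
WHERE d.interface_type = 'USB'
ORDER BY d.drive_letter, d.friendly_name;
```

Pair this with an inventory of expected device serial numbers to spot unknown removable media; the serial number comes from the device side (cb_sensor_devices.serial_number), while cb_sensor_volumes.serial_number is the volume's own serial and will not match it.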