As a more advanced SQL user, you can use the open text SQL Builder to write more granular queries. You can also run recommended queries directly, or modify them to fit your environment before running them.

Prerequisites

Refer to these resources for writing a valid SQL query:

Procedure

  1. Navigate to the Live Query > New Query page and define a query under the SQL Query tab.
  2. Select a policy that contains endpoints, or a specific endpoint, for the query to run against.
    If you select a policy with no endpoints, a warning displays.
  3. Enter a SQL string into the SQL configuration field.
    You can copy the SQL from a Recommended Query or the Query Exchange, or write it yourself based on the osquery schema.
  4. Run your live query in one of the following ways:
    • To start a one-time query, click Run.
    • To schedule a query to run daily, weekly, or monthly, select Schedule query.

Run and Manage a One-Time Query

Procedure

  1. After you populate all the required fields, to run a one-time query, leave the Schedule query check box unchecked.
  2. Optionally, select Email me a summary of query results.
  3. To run the query now, click Run.
  4. Go to the Live Query > Query Results > One-Time tab.
    Your query displays at the top of the list of queries.
  5. Optional. To view results details for your query, click the query name.
    The Carbon Black Cloud console displays a page dedicated to your query, where you can also filter the results and the device responses. For more information, see View Query Results.
  6. Optional. To view the query configuration and SQL string, select the Query Details icon next to the query name.
  7. While your query is running, to stop, rerun, schedule, duplicate, or delete it, locate the Actions column and click the down arrow.
    You can also perform these actions, except schedule, from the dedicated query page by selecting the Take Action drop-down menu.
  8. To view a record of all the modifications related to your query, go to the Settings > Audit Log page.

What to do next

You can schedule your one-time query or schedule a new live query. For an example on scheduling a query, see Schedule and Manage a Recommended Query.