Live Query extension tables are available for Windows 3.8+ sensors. These tables provide insight into the Carbon Black Cloud Windows sensor.

cb_sensor_counters extensions return current counter details for the Carbon Black Cloud Windows sensor. Sensor counters track sensor actions that have occurred since the last sensor restart.

Table 1. cb_sensor_counters
Column Type Description
name TEXT Name of the counter
value UNSIGNED_BIGINT (Non-duration counters) Number of times the counter was triggered
total UNSIGNED_BIGINT (Duration counters) Total time in ms
count UNSIGNED_BIGINT (Duration counters) Number of times the counter was hit
min UNSIGNED_BIGINT (Duration counters) Minimum time spent for one passthrough in ms
max UNSIGNED_BIGINT (Duration counters) Maximum time spent for one passthrough in ms

cb_sensor_configprops extensions return current configprop details and assignments for the Carbon Black Cloud Windows sensor. Config props are a collection of sensor settings that are configured at the time of installation, based on console settings and installation parameters.

Table 2. cb_sensor_configprops
Column Type Description
name TEXT Name of the configprop
value TEXT Value of the configprop
is_kernel_configprop INTEGER 1: Kernel configprop; 0: Usermode configprop

cb_sensor_devices extensions return current device details that the Carbon Black Cloud Windows sensor detects.

Table 3. cb_sensor_devices
Column Type Description
device_type TEXT The device type (for example, "DISK", "CDROM", etc.)
interface_type TEXT The interface through which the device is connected (for example, "SCSI", "USB", etc.)
manufacturer TEXT The manufacturer of the device
model_name TEXT The model name of the device
friendly_name TEXT The user-friendly display name of the device
product_id TEXT The product ID of the device
serial_number TEXT The serial number of the device
vendor_id TEXT The vendor ID of the device
drive_letter TEXT The drive letter to which the device is mapped
volume_guid TEXT The GUID of the device’s storage volume

cb_sensor_files extensions return file information that the Carbon Black Cloud Windows sensor gathers. File information includes file metadata, applied reputation, and certificate details.

Table 4. cb_sensor_files
Column Type Description
name TEXT Path name of the file (required)
hash TEXT Hex string of the file's SHA256 hash (key, required)
md5 TEXT Hex string of the file's MD5 hash (required)
size INTEGER File size in bytes
company TEXT The company that produces the file
product TEXT The product the file belongs to
version TEXT The product version
original_name TEXT The original name of the file. It is not affected by renaming the file
description TEXT The description of the file
file_version TEXT The file version. It may not be the same as the product version
copyright TEXT Copyright information
file_flags TEXT Some properties detected by the sensor
locale TEXT Language
signature_signer TEXT Who signed the file (required)
signature_issuer TEXT Who issued the signing certificate
signature_state TEXT File signing state
resolved_reputation TEXT The resolved/applied reputation
resolved_reputation_source TEXT Which source the reputation was from while resolving
Note:
  • Required: At least one required column must appear in the WHERE clause to narrow the result. If several required columns are listed, any one of them satisfies the requirement, and they can be combined with AND or OR.
    Examples:
    SELECT * FROM cb_sensor_files WHERE name LIKE '%cmd.exe';
    SELECT * FROM cb_sensor_files WHERE hash = 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450';
    SELECT * FROM cb_sensor_files WHERE signature_signer LIKE '%windows%';
  • Limitation: Searching by hash (SHA256) or md5 does not support LIKE '%...'. The condition must be an exact match.

cb_sensor_files_ex extensions return file information that the Carbon Black Cloud Windows sensor gathers. It extends information in the cb_sensor_files table to include more detailed policy information and other file-related statistics that the sensor caches.

Table 5. cb_sensor_files_ex
Column Type Description
names TEXT All known path names of the file by the sensor (required)
hash TEXT Hex string of the file's SHA256 hash (key, required)
md5 TEXT Hex string of the file's MD5 hash (required, hidden)
signature_signer TEXT Who signed the file (required, hidden)
dob TEXT The file's date of birth (when the sensor first recorded it)
hash_state TEXT The state of the reputation for this hash
executed TEXT The last time the sensor saw the file execute
tracked_execution_count INTEGER Number of times the sensor saw the file execute
psc_info TEXT Extra information detected by the sensor
kernel_cache_residency TEXT The file's residency status in the kernel cache
persisted INTEGER 1: persisted in the database; 0: only in memory
cache_lookup_count INTEGER Cache-hit count
ux_info TEXT Information used for display purposes
apc_risk_level INTEGER The risk level for non-malware detected by the local scanner. -2: not detected; -1: no risk; 0~7: extremely low to extremely high
policy_delays TEXT Summary for Defense policy delay
defense_policy TEXT Summary for Defense policy
rules TEXT Summary for Defense rules
Note:
  • Required: At least one required column must appear in the WHERE clause to narrow the result. If several required columns are listed, any one of them satisfies the requirement, and they can be combined with AND or OR.
    Examples:
    SELECT * FROM cb_sensor_files_ex WHERE names LIKE '%cmd.exe';
    SELECT * FROM cb_sensor_files_ex WHERE hash = 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450';
    SELECT names, hash, signature_signer FROM cb_sensor_files_ex WHERE signature_signer LIKE '%windows%';
  • Hidden: Not returned by SELECT *. Hidden columns must be listed explicitly in the SELECT fields.
  • Limitation: Searching by hash (SHA256) or md5 does not support LIKE '%...'. The condition must be an exact match.
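Two Live Queries against cb_sensor_files_ex, added here as illustrations and not taken from the original documentation. The first looks up one file by SHA256 (the hash is a placeholder to be replaced) and names the hidden columns explicitly because SELECT * omits them; the second constrains on the required column names and sorts results by apc_risk_level, using an illustrative low/medium/high grouping of the 0~7 scale that is this example's own choice.

```sql
-- Added example, not from the original documentation.
-- 1. Exact-match lookup by SHA256 (LIKE is not supported on hash/md5).
--    md5 and signature_signer are hidden, so they must be named here;
--    SELECT * would leave them out. The hash value is a PLACEHOLDER.
SELECT
    names,
    hash,
    md5,                       -- hidden column
    signature_signer,          -- hidden column
    hash_state,
    executed,
    tracked_execution_count,
    persisted,
    apc_risk_level
FROM cb_sensor_files_ex
WHERE hash = '<sha256-hex-placeholder>';

-- 2. Constrain on the required column names and label apc_risk_level.
--    -2 and -1 are the documented sentinel values; the low/medium/high
--    bands over 0~7 are an illustrative grouping chosen for this example.
SELECT
    names,
    hash,
    apc_risk_level,
    CASE
        WHEN apc_risk_level = -2 THEN 'not detected'
        WHEN apc_risk_level = -1 THEN 'no risk'
        WHEN apc_risk_level BETWEEN 0 AND 2 THEN 'low'
        WHEN apc_risk_level BETWEEN 3 AND 4 THEN 'medium'
        WHEN apc_risk_level BETWEEN 5 AND 7 THEN 'high'
        ELSE 'unknown'
    END AS risk_band,
    tracked_execution_count
FROM cb_sensor_files_ex
WHERE names LIKE '%\Users\%\Downloads\%'
  AND apc_risk_level >= 0
ORDER BY apc_risk_level DESC, tracked_execution_count DESC;
```

In SQLite (which osquery uses) a backslash in a LIKE pattern is an ordinary character unless an ESCAPE clause is given, so Windows paths can be matched as written.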

cb_sensor_processes extensions return process information that the Carbon Black Cloud Windows sensor gathers.

Table 6. cb_sensor_processes
Column Type Description
pid INTEGER The process identifier
id TEXT A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0"
start_time TEXT The start-time of the process in FileTime format (100-nanosecond intervals since January 1st, 1601).
terminated INTEGER 1: already terminated, 0 or absent: still alive
user_name TEXT The name of the user that launched the process
user_sid TEXT The SID of the user that launched the process
file_name TEXT The absolute DOS path to the backing executable file
interpreted INTEGER 1: the process is a script; 0: the process is not a script. Can be empty for some processes (typically sensor processes).
hash TEXT The SHA256 hash of the executable or script
script_name TEXT The name of the backing script file if process is a script
script_hash TEXT The hash of the backing script, if process is a script
cmd_line TEXT The command line of the process
parent_pid INTEGER The PID of the process that launched this process
parent_id TEXT A formatted string that further identifies the parent process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0"
parent_start_time TEXT The start-time of the parent process in FileTime format (100-nanosecond intervals since January 1st, 1601)
parent_cmd_line TEXT The command line of the parent process
hosted_services TEXT For svchost processes, this specifies the underlying service that is being hosted
tags TEXT Internal sensor tags that contain additional process metadata (for example, “Cb:Psc:ProcessIsCBService”)
file_type_tags TEXT Internal sensor tags that contain additional metadata (for example, "Cb:Defense:Script:CmdScript")
integrity_level TEXT The integrity level of the process
elevated INTEGER 1: process is elevated; 0: process is not elevated
privileges TEXT Privileges the process has enabled (for example, SeImpersonatePrivilege)

cb_sensor_processes_policy extensions return process policy information that the Carbon Black Cloud Windows sensor gathers.

Table 7. cb_sensor_processes_policy
Column Type Description
pid INTEGER The process identifier
id TEXT A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0"
policy_reputation TEXT The reputation of the process
bypass_policy TEXT The bypass (ignore) policy assigned to the process
allow_policy TEXT The allow (and log) policy assigned to the process
terminate_policy TEXT The terminate policy assigned to the process
deny_policy TEXT The deny policy assigned to the process
parent_policy_reputation TEXT The reputation of the parent process
parent_bypass_policy TEXT The bypass (ignore) policy assigned to the parent process
parent_allow_policy TEXT The allow (and log) policy assigned to the parent process
parent_terminate_policy TEXT The terminate policy assigned to the parent process
parent_deny_policy TEXT The deny policy assigned to the parent process
interpreter_policy_reputation TEXT If the process is a script, this is the reputation of the script interpreter
interpreter_bypass_policy TEXT If the process is a script, this is the bypass policy assigned to the script interpreter
interpreter_allow_policy TEXT If the process is a script, this is the allow policy assigned to the script interpreter
interpreter_terminate_policy TEXT If the process is a script, this is the terminate policy assigned to the script interpreter
interpreter_deny_policy TEXT If the process is a script, this is the deny policy assigned to the script interpreter
script_policy_reputation TEXT If the process is a script, this is the reputation of the script
script_bypass_policy TEXT If the process is a script, this is the bypass policy of the script itself
script_allow_policy TEXT If the process is a script, this is the allow policy of the script itself
script_terminate_policy TEXT If the process is a script, this is the terminate policy of the script itself
script_deny_policy TEXT If the process is a script, this is the deny policy of the script itself
applied_policy_reputation TEXT The reputation of the process, as applied by the kernel
applied_bypass_policy TEXT The bypass policy of the process, as applied by the kernel
applied_allow_policy TEXT The allow policy of the process, as applied by the kernel
applied_terminate_policy TEXT The terminate policy of the process, as applied by the kernel
applied_deny_policy TEXT The deny policy of the process, as applied by the kernel

cb_sensor_processes_reputation extensions return process reputation information that the Carbon Black Cloud Windows sensor gathers.

Table 8. cb_sensor_processes_reputation
Column Type Description
pid INTEGER The process identifier
id TEXT A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: "6320-132814763524433819-0"

effective_reputation TEXT The effective reputation of the process
effective_reputation_source TEXT The source of the effective reputation
cloud TEXT The reputation of the process as determined by the cloud
pre_existing TEXT The reputation of the process as determined by whether the executable/script was already present on the endpoint before the sensor was installed
av TEXT The reputation of the process as determined by local AV
it_tool TEXT The reputation of the process, as determined by whether it was dropped by a trusted IT tool
certificate TEXT The reputation of the process, as determined by whether it was signed using an approved certificate
hash TEXT The reputation of the process, as determined by whether the hash is approved or banned
cb_sensor TEXT The reputation of the process, as determined by whether it is a sensor process
operating_system TEXT The reputation of the process, as determined by whether it is a pre-determined OS hash
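A Live Query that ties the three process tables together, added here as an illustration and not taken from the original documentation. It assumes the extension tables can be joined like other osquery tables, uses id as the join key because it includes start_time and so is not reused the way a bare pid can be, and lists live, elevated script processes with the reputation and kernel-applied policy the sensor holds for each.

```sql
-- Added example, not from the original documentation.
-- Assumes the cb_sensor_* extension tables join like ordinary osquery
-- tables. id (<pid>-<start_time>-<siloID>) is used as the key rather than
-- pid, since Windows reuses PIDs after a process exits.
SELECT
    p.pid,
    p.id,
    p.user_name,
    p.integrity_level,
    p.file_name,
    p.script_name,
    p.cmd_line,
    p.parent_cmd_line,
    r.effective_reputation,
    r.effective_reputation_source,
    pol.script_policy_reputation,
    pol.applied_policy_reputation,
    pol.applied_bypass_policy,
    pol.applied_allow_policy,
    pol.applied_terminate_policy,
    pol.applied_deny_policy
FROM cb_sensor_processes AS p
JOIN cb_sensor_processes_reputation AS r   ON r.id = p.id
JOIN cb_sensor_processes_policy     AS pol ON pol.id = p.id
WHERE p.elevated = 1                              -- running elevated
  AND p.interpreted = 1                           -- backed by a script
  AND (p.terminated IS NULL OR p.terminated = 0)  -- still alive (absent = alive)
ORDER BY p.start_time DESC;
```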

cb_sensor_status extensions return current status details for the Carbon Black Cloud Windows sensor. This data is similar to the output of the repcli status command.

Table 9. cb_sensor_status
Column Type Description
category TEXT A categorical grouping of status information:
  • General: General sensor details (sensor state, Device ID, policy name, etc.)
  • Version: Sensor version, SVN Revision, third-party tool versions, etc.
  • BackgroundScan: Details on the configuration and state of the Background scan
  • Cloud: Details about the sensor's connectivity to the Cloud backend
  • Queue: Details about the current queue status
  • Diagnostic: Logging level, maintenance mode, etc.
  • Rules: Details about any applied DRE policies
  • LocalScanner: Details pertaining to the local scanner configuration/state
  • Alarms: Details on any triggered alarms
name TEXT Name of the status data
value TEXT Value of the status data

cb_sensor_volumes extensions return current volume details that the Carbon Black Cloud Windows sensor gathers.

Table 10. cb_sensor_volumes
Column Type Description
name TEXT The volume name
guid TEXT The volume GUID
file_system TEXT The volume’s file system type (for example, NTFS, FASTFAT, etc.)
device_type INTEGER The device type as defined by internal Windows values. See https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types
device_characteristics INTEGER A bitmask of internal Windows values that provide additional information about the volume’s device
serial_number INTEGER The serial number of the volume
alignment_requirement INTEGER An internal Windows value that defines the alignment requirement of the volume for data transfers
sector_size INTEGER The volume sector size
shadow_copy INTEGER 1: the volume is a shadow-copy or "snapshot" volume
device_manufacturer TEXT The manufacturer of the volume’s device
device_name TEXT The name of the volume’s device
device_serial_number TEXT The serial number of the volume’s device
Note: For information about RepCLI commands, see Managing Sensors by using RepCLI.