Live Query extension tables are available for Windows 3.8+ sensors. These tables provide insight into the Carbon Black Cloud Windows sensor.
| Column | Type | Description | Version |
|---|---|---|---|
| name | TEXT | Full path name of the canary file | 3.9+ |
| cloud_id | INTEGER | Identifier that the cloud provided config has assigned to the canary file | 3.9+ |
| hidden_file | INTEGER | Boolean value for if the file has the Hidden Attribute set | 3.9+ |
| hidden_destination_dir | INTEGER | Boolean value for if we created the destination directory with the Hidden Attribute | 3.9+ |
| system_file | INTEGER | Boolean value if the file has the System Attribute set | 3.9+ |
| system_destination_dir | INTEGER | Boolean value if we created the destination directory with the System Attribute | 3.9+ |
| same_name | INTEGER | Boolean value if the previous canary file at this location had the same name | 3.9+ |
| file_creation_time | UNSIGNED_BIGINT | Creation time of the file in milliseconds since Unix epoch | 3.9+ |
| fize_size | UNSIGNED_BIGINT | Size of the file in bytes | 3.9+ |
Note:
cb_sensor_canaries extensions return deployed canary file details for the Carbon Black Cloud Windows Sensor.
| Column | Type | Description | Version |
|---|---|---|---|
| rule_guid | TEXT | The scan rule GUID | 3.9+ |
| policy_guid | TEXT | The policy GUID | 3.9+ |
| rule_description | TEXT | The scan rule description | 3.9+ |
| policy_description | TEXT | The policy description | 3.9+ |
| policy_revision | TEXT | The policy revision | 3.9+ |
| scan_result | TEXT | The compliance scan result, PASS, FAIL, UNKNOWN | 3.9+ |
| scan_settings | TEXT | The compliance scan settings ran on system | 3.9+ |
Note:
cb_sensor_compliance_scan_results extensions return the compliance scan results performed by
Carbon Black Cloud Windows Sensor.
| Column | Type | Description | Version |
|---|---|---|---|
| name | TEXT | Name of the counter | 3.8+ |
| value | UNSIGNED_BIGINT | (Relevant for Non-Duration Counters) Amount of times triggered | 3.8+ |
| total | UNSIGNED_BIGINT | (Duration Counters) Total Time in ms | 3.8+ |
| count | UNSIGNED_BIGINT | (Duration Counters) Number of times the counter was hit | 3.8+ |
| min | UNSIGNED_BIGINT | (Duration Counters) Minimum time spent for one passthrough in ms | 3.8+ |
| max | UNSIGNED_BIGINT | (Duration Counters) Maximum time spent for one passthrough in ms | 3.8+ |
Note:
cb_sensor_counters extensions return current counter details for the
Carbon Black Cloud Windows sensor. Sensor counters track sensor actions that have occurred since the last sensor restart.
| Column | Type | Description | Version |
|---|---|---|---|
| name | TEXT | Name of the configprop | 3.8+ |
| value | TEXT | Value of the configprop | 3.8+ |
| is_kernel_configprop | INTEGER | 1: Kernel configprop; 0: Usermode configprop | 3.8+ |
Note:
cb_sensor_configprops extensions return current configprop details and assignments for the
Carbon Black Cloud Windows sensor. Config props are a collection of sensor settings that are configured at the time of installation, based on console settings and installation parameters.
| Column | Type | Description | Version |
|---|---|---|---|
| url | TEXT | The url for the request (required)* | 3.9+ |
| method | TEXT | The HTTP method for the request. Currently only supported method is "GET" |
3.9+ |
| response_code | INTEGER | The HTTP status code for the response | 3.9+ |
| round_trip_time | UNSIGNED_BIGINT | Time taken to complete the request, in milliseconds | 3.9+ |
| bytes | UNSIGNED_BIGINT | Number of bytes in the response | 3.9+ |
| result | TEXT | The HTTP response body | 3.9+ |
| curl_code | TEXT | The Curl Code value plus the human readable translation of the code | 3.9+ |
| tls_protocol_version | TEXT | TLS protocol version number | 3.9+ |
| cert_subject | TEXT | Subject info on the server side cert | 3.9+ |
| cert_issuer | TEXT | Issuer info on the server side cert | 3.9+ |
| cert_public_key | TEXT | The public key value of the server side cert (DER Format) | 3.9+ |
| cipher_algorithm | TEXT | The discovered bulk encryption cipher algorithm | 3.9+ |
| key_exchange_algorithm | TEXT | The discovered key exchange algorithm | 3.9+ |
| mac_hash_algorithm | TEXT | The discovered Message Authentication Codes (MAC) hash algorithm | 3.9+ |
| cipher_strength | INTEGER | The strength of the bulk encryption cipher | 3.9+ |
| key_exchange_strength | INTEGER | The Key exchange algorithm length, in bits | 3.9+ |
| mac_hash_strength | INTEGER | The strength of the MAC hash | 3.9+ |
| is_tls_version_safe | INTEGER | Boolean value for if the TLS protocol version is deemed "safe" by the current sensor configuration | 3.9+ |
| is_tls_suite_safe | INTEGER | Boolean value for if the TLS suites are deemed "safe" by the current sensor configuration | 3.9+ |
| is_tls_cert_safe | INTEGER | Boolean value for if the TLS cert is deemed "safe" by the current sensor configuration | 3.9+ |
| configprop_overrides_successful | INTEGER | Boolean value for if the 'configprop_test_overrides' was successfully applied | 3.9+ |
| configprop_test_overrides | TEXT | JSON formatted configprop overrides that is temporarily applied to the sensor, for the duration of the HTTP GET being performed on the provided 'url'. Get technical help when attempting to craft the JSON | 3.9+ |
| proxy_server | TEXT | INPUT: Proxy server string that the sensor should use when attempting to establish the curl connection.OUTPUT: Proxy server string that the sensor used while attempting to establish the curl connection. | 3.9+ |
| proxy_credential_override | TEXT | INPUT: Proxy server credentials that the sensor should use during the curl request. Format is "user:password"(Only relevant if a proxy_server INPUT is also in use). | 3.9+ |
| use_alternate_cloud_port | TEXT | INPUT: Boolean value ('1' or '0') controlling if the sensor should use the alternate cloud port value (54443).OUTPUT: Boolean value ('1' or '0') informing if the sensor used the alternate cloud port value (54443). | 3.9+ |
Note:
cb_sensor_curl extensions perform a HTTP GET request against the provided 'url' using the current Carbon Black Cloud Windows Sensor Curl configuration settings.
Note:
- Required: Must be present in the 'where' clause.
- *Limitation: Do not use 'url' with a SQL "LIKE". It must be an exact value (url='<full_http_url>').
| Column | Type | Description | Version |
|---|---|---|---|
| device_type | TEXT | The device type (for example, "DISK”, “CDROM”, etc.) | 3.8+ |
| interface_type | TEXT | The interface through which the device is connected (for example, “SCSI", “USB”, etc.) | 3.8+ |
| manufacturer | TEXT | The manufacturer of the device | 3.8+ |
| model_name | TEXT | The model name of the device | 3.8+ |
| friendly_name | TEXT | The user-friendly display name of the device | 3.8+ |
| product_id | TEXT | The product ID of the device | 3.8+ |
| serial_number | TEXT | The serial number of the device | 3.8+ |
| vendor_id | TEXT | The vendor ID of the device | 3.8+ |
| drive_letter | TEXT | The drive letter to which the device is mapped | 3.8+ |
| volume_guid | TEXT | The GUID of the device’s storage volume | 3.8+ |
Note:
cb_sensor_devices extensions return current device details that the
Carbon Black Cloud Windows sensor detects.
| Column | Type | Description | Version |
|---|---|---|---|
| name | TEXT | Path name of the file (required) | 3.8+ |
| hash | TEXT | Hex string of the file's SHA256 hash (key, required) | 3.8+ |
| md5 | TEXT | Hex string of the file's MD5 hash (required) | 3.8+ |
| size | INTEGER | File size in bytes | 3.8+ |
| company | TEXT | The company who produces the file | 3.8+ |
| product | TEXT | The product the file belongs to | 3.8+ |
| version | TEXT | The product version | 3.8+ |
| original_name | TEXT | The original name of the file. It's not impacted by the file renaming | 3.8+ |
| description | TEXT | The description of the file | 3.8+ |
| file_version | TEXT | The file version. It may not be the same as the product version | 3.8+ |
| copyright | TEXT | Copyright information | 3.8+ |
| file_flags | TEXT | Some properties detected by the sensor | 3.8+ |
| locale | TEXT | Language | 3.8+ |
| signature_signer | TEXT | Who signed the file (Required) | 3.8+ |
| signature_issuer | TEXT | Who issued the signing certificate | 3.8+ |
| signature_state | TEXT | File signing state | 3.8+ |
| resolved_reputation | TEXT | The resolved/applied reputation | 3.8+ |
| resolved_reputation_source | TEXT | Which source the reputation was from while resolving | 3.8+ |
Note:
cb_sensor_files extensions return file information that the
Carbon Black Cloud Windows sensor gathers. File information includes file metadata, applied reputation, and certificate details.
Note:
- Required: Must be in the 'where' clause to narrow the result. If multiple required fields are listed, any of them will satisfy the requirement or can be AND or OR.
Note: Examples:
SELECT * FROM cb_sensor_files WHERE name LIKE '%%cmd.exe'; SELECT * FROM cb_sensor_files WHERE hash IS 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450'; SELECT * FROM cb_sensor_files WHERE signature_signer LIKE '%windows%';
- Limitation: Search by Hash/SHA256 or MD5 does not support 'like %'. The condition must be an exact match.
| Column | Type | Description | Version |
|---|---|---|---|
| names | TEXT | All known path names of the file by the sensor (required) | 3.8+ |
| hash | TEXT | Hex string of the file's SHA256 hash (key, required) | 3.8+ |
| md5 | TEXT | Hex string of the file's MD5 hash (required, hidden) | 3.8+ |
| signature_signer | TEXT | Who signed the file (Required, hidden) | 3.8+ |
| dob | TEXT | Date of the birthday | 3.8+ |
| hash_state | TEXT | The state of the reputation for this hash | 3.8+ |
| executed | TEXT | Last time seen the file's execution | 3.8+ |
| tracked_execution_count | INTEGER | Number of times the executed file was seen by the sensor | 3.8+ |
| psc_info | TEXT | Some extra information detected by the sensor | 3.8+ |
| kernel_cache_residency | TEXT | The status of the file in the kernel cache residency | 3.8+ |
| persisted | INTEGER | 1: persisted in the database; 0: only in memory | 3.8+ |
| cache_lookup_count | INTEGER | Cache-hit count | 3.8+ |
| ux_info | TEXT | Information related for displaying | 3.8+ |
| apc_risk_level | INTEGER | The risk level for non-malware detected by the local scanner.
|
3.8+ |
| policy_delays | TEXT | Summary for Defense policy delay | 3.8+ |
| defense_policy | TEXT | Summary for Defense policy | 3.8+ |
| rules | TEXT | Summary for Defense rules | 3.8+ |
Note:
cb_sensor_files_ex extensions return file information that the
Carbon Black Cloud Windows sensor gathers. It extends information in the
cb_sensor_files table to include more detailed policy information and other file-related statistics that the sensor caches.
Note:
- Required: Must be in the "where" clause to narrow the result. If multiple required fields are listed, any of them will satisfy the requirement or can be AND or OR.Examples:
SELECT * FROM cb_sensor_files WHERE name LIKE '%%cmd.exe'; SELECT * FROM cb_sensor_files WHERE hash IS 'b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450'; SELECT * FROM cb_sensor_files WHERE signature_signer LIKE '%windows%';
- Hidden: Not shown from 'select *'. Must be explicitly stated in the 'select' fields.
- Limitation: Search by Hash/SHA256 or MD5 does not support 'like %'. The condition must be an exact match.
| Column | Type | Description | Version |
|---|---|---|---|
| unique_logon_id | TEXT | For Windows, it's LUID in ########-######## format | 3.9+ |
| linked_unique_logon_id | TEXT | For Windows, it's LUID in ########-######## format | 3.9+ |
| session | INTEGER | A terminal services session identifier | 3.9+ |
| user_id | TEXT | For Windows, it's SID | 3.9+ |
| user_name | TEXT | The account name of the security principal that owns the logon session | 3.9+ |
| user_domain_name | TEXT | The name of the domain used to authenticate the owner of the logon session | 3.9+ |
| user_principal_name | TEXT | The user principal name or email address for the owner of the logon session | 3.9+ |
| logon_type | TEXT | The value that identifies the logon method | 3.9+ |
| logon_time | TEXT | The time the session owner logged on | 3.9+ |
| logon_server | TEXT | The name of the server used to authenticate the owner of the logon session | 3.9+ |
| authentication_package | TEXT | The name of the authentication package used to authenticate the owner of the logon session | 3.9+ |
| dns_domain_name | TEXT | The DNS name for the owner of the logon session | 3.9+ |
| password_last_set | TEXT | The time when the user last changed the password | 3.9+ |
| last_logon_time | TEXT | The time that the session owner most recently logged on successfully | 3.9+ |
| last_failed_logon_time | TEXT | The time of the most recent failed attempt to log on | 3.9+ |
| failed_logon_attempts | INTEGER | The number of failed attempts to log on since the last successful log on | 3.9+ |
| active | INTEGER | Boolean value if the logon session is still active (1), or recently ended (0) | 3.9+ |
Note:
cb_sensor_logon_sessions extensions return information gathered by
Carbon Black Cloud Windows Sensor.
| Column | Type | Description | Version |
|---|---|---|---|
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: “6320-132814763524433819-0" | 3.8+ |
| start_time | TEXT | The start-time of the process in FileTime format (100-nanosecond intervals since January 1st, 1601). | 3.8+ |
| terminated | INTEGER | 1: already terminated, 0 or absent: still alive | 3.8+ |
| user_name | TEXT | The name of the user that launched the process | 3.8+ |
| user_sid | TEXT | The SID of the user that launched the process | 3.8+ |
| file_name | TEXT | The absolute DOS path to the backing executable file | 3.8+ |
| interpreted | INTEGER | 1: if process is a script; 0: if the process is not a script. Can be empty for some processes (typical for sensor processes). | 3.8+ |
| hash | TEXT | The SHA256 hash of the executable or script | 3.8+ |
| script_name | TEXT | The name of the backing script file if process is a script | 3.8+ |
| script_hash | TEXT | The hash of the backing script, if process is a script | 3.8+ |
| cmd_line | TEXT | The command line of the process | 3.8+ |
| cmd_line_yara_tags | TEXT | Yara Tag(s) that apply to the process command line | 3.9+ |
| parent_pid | INTEGER | The PID of the process that launched this process | 3.8+ |
| parent_id | TEXT | A formatted string that further identifies the parent process: <pid>-<start_time>-<siloID>. For example: “6320-132814763524433819-0" | 3.8+ |
| parent_start_time | TEXT | The start-time of the parent process in FileTime format (100-nanosecond intervals since January 1st, 1601) | 3.8+ |
| parent_cmd_line | TEXT | The command line of the parent process | 3.8+ |
| hosted_services | TEXT | For svchost processes, this specifies the underlying service that is being hosted | 3.8+ |
| tags | TEXT | Internal sensor tags that contain additional process metadata (for example, “Cb:Psc:ProcessIsCBService”) | 3.8+ |
| file_type_tags | TEXT | Internal sensor tags that contain additional metadata (for example, "Cb:Defense:Script:CmdScript") | 3.8+ |
| integrity_level | TEXT | The integrity level of the process | 3.8+ |
| elevated | INTEGER | 1: process is elevated; 0: process is not elevated | 3.8+ |
| privileges | TEXT | Privileges the process has enabled (for example, SeImpersonatePrivilege) | 3.8+ |
Note:
cb_sensor_processes extensions return process information that the
Carbon Black Cloud Windows sensor gathers.
| Column | Type | Description | Version |
|---|---|---|---|
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: “6320-132814763524433819-0" | 3.8+ |
| policy_reputation | TEXT | The reputation of the process | 3.8+ |
| bypass_policy | TEXT | The bypass (ignore) policy assigned to the process | 3.8+ |
| allow_policy | TEXT | The allow (and log) policy assigned to the process | 3.8+ |
| terminate_policy | TEXT | The terminate policy assigned to the process | 3.8+ |
| deny_policy | TEXT | The deny policy assigned to the process | 3.8+ |
| parent_policy_reputation | TEXT | The reputation of the parent process | 3.8+ |
| parent_bypass_policy | TEXT | The bypass (ignore) policy assigned to the parent process | 3.8+ |
| parent_allow_policy | TEXT | The allow (and log) policy assigned to the parent process | 3.8+ |
| parent_terminate_policy | TEXT | The terminate policy assigned to the parent process | 3.8+ |
| parent_deny_policy | TEXT | The deny policy assigned to the parent process | 3.8+ |
| interpreter_policy_reputation | TEXT | If the process is a script, this is the reputation of the script interpreter | 3.8+ |
| interpreter_bypass_policy | TEXT | If the process is a script, this is the bypass policy assigned to the script interpreter | 3.8+ |
| interpreter_allow_policy | TEXT | If the process is a script, this is the allow policy assigned to the script interpreter | 3.8+ |
| interpreter_terminate_policy | TEXT | If the process is a script, this is the terminate policy assigned to the script interpreter | 3.8+ |
| interpreter_deny_policy | TEXT | If the process is a script, this is the deny policy assigned to the script interpreter | 3.8+ |
| script_policy_reputation | TEXT | If the process is a script, this is the reputation of the script | 3.8+ |
| script_bypass_policy | TEXT | If the process is a script, this is the bypass policy of the script itself | 3.8+ |
| script_allow_policy | TEXT | If the process is a script, this is the allow policy of the script itself | 3.8+ |
| script_terminate_policy | TEXT | If the process is a script, this is the terminate policy of the script itself | 3.8+ |
| script_deny_policy | TEXT | If the process is a script, this is the deny policy of the script itself | 3.8+ |
| applied_policy_reputation | TEXT | The reputation of the process, as applied by the kernel | 3.8+ |
| applied_bypass_policy | TEXT | The bypass policy of the process, as applied by the kernel | 3.8+ |
| applied_allow_policy | TEXT | The allow policy of the process, as applied by the kernel | 3.8+ |
| applied_terminate_policy | TEXT | The terminate policy of the process, as applied by the kernel | 3.8+ |
| applied_deny_policy | TEXT | The deny policy of the process, as applied by the kernel | 3.8+ |
Note:
cb_sensor_processes_policy extensions return process policy information that the
Carbon Black Cloud Windows sensor gathers.
| Column | Type | Description | Version |
|---|---|---|---|
| pid | INTEGER | The process identifier | 3.8+ |
| id | TEXT | A formatted string that further identifies the process: <pid>-<start_time>-<siloID>. For example: “6320-132814763524433819-0" |
3.8+ |
| effective_reputation | TEXT | The effective reputation of the process | 3.8+ |
| effective_reputation_source | TEXT | The source of the effective reputation | 3.8+ |
| cloud | TEXT | The reputation of the process as determined by the cloud | 3.8+ |
| pre_existing | TEXT | The reputation of the process as determined by whether the executable/script was already present on the sensor prior to install | 3.8+ |
| av | TEXT | The reputation of the process as determined by local AV | 3.8+ |
| it_tool | TEXT | The reputation of the process, as determined by whether it was dropped by a trusted IT tool | 3.8+ |
| certificate | TEXT | The reputation of the process, as determined by whether it was signed using an approved certificate | 3.8+ |
| hash | TEXT | The reputation of the process, as determined by whether the hash is approved or banned | 3.8+ |
| cb_sensor | TEXT | The reputation of the process, as determined by whether it is a sensor process | 3.8+ |
| operating_system | TEXT | The reputation of the process, as determined by whether it is a pre-determined OS hash | 3.8+ |
Note:
cb_sensor_processes_reputation extensions return process reputation information that the
Carbon Black Cloud Windows sensor gathers.
| Column | Type | Description | Version |
|---|---|---|---|
| category | TEXT | A categorical grouping of status information:
|
3.8+ |
| name | TEXT | Name of the status data | 3.8+ |
| value | TEXT | Value of the status data | 3.8+ |
Note:
cb_sensor_status extensions return current status details for the
Carbon Black Cloud Windows Sensor. This data is similar to the output of the
repcli status command.
| Column | Type | Description | Version |
|---|---|---|---|
| name | TEXT | The volume name | 3.8+ |
| guid | TEXT | The volume GUID | 3.8+ |
| file_system | TEXT | The volume’s file system type (for example, NTFS, FASTFAT, etc.) | 3.8+ |
| device_type | INTEGER | The device type as defined by internal Windows values. See https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types | 3.8+ |
| device_characteristics | INTEGER | A bitmask of internal Windows values that provide additional information about the volume’s device | 3.8+ |
| serial_number | INTEGER | The serial number of the volume | 3.8+ |
| alignment_requirement | INTEGER | An internal Windows value that defines the alignment requirement of the volume for data transfers | 3.8+ |
| sector_size | INTEGER | The volume sector size | 3.8+ |
| shadow_copy | INTEGER | 1: the volume is a shadow-copy or “snapshot" volume | 3.8+ |
| device_manufacturer | TEXT | The manufacturer of the volume’s device | 3.8+ |
| device_name | TEXT | The name of the volume’s device | 3.8+ |
| device_serial_number | TEXT | The serial number of the volume’s device | 3.8+ |
Note:
cb_sensor_volumes extensions return current volume details that the
Carbon Black Cloud Windows sensor gathers.
For information about RepCLI commands, see Managing Sensors by using RepCLI.
