The Run Livequery Alert Action creates a new Live Query Run.
Examples:
- Automatically get the logged-in users on an endpoint after a credential scraping alert
- Using Live Query to Enrich LSASS Scraping Investigations
Note:
- This Alert Action requires Carbon Black Cloud Audit and Remediation.
- See also Live Query API.
Configuration:
- LiveQuery Name
- The name for the Live Query Run.
- SQL Query
- The field name in the search results that contains the SQL query to be submitted.
- Device IDs
- Optional: The field name in the search results that contains a comma-separated list of device IDs against which the query will be run.
- Device OS
- Optional: The field name in the search results that contains a comma-separated list of device operating systems (or ALL) against which the query will be run.
- Policy Name
- Optional: The field name in the search results that contains a comma-separated list of policy IDs against which the query will be run.
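The following Python sketch is an added example, not code from the Carbon Black Cloud product or its documentation. It shows how an alert action configured as above would turn one search result row into a Live Query Run request: it reads the SQL query, device IDs, device OS and policy IDs from the configured field names, splits the comma-separated lists, treats ALL as "no OS filter", and refuses anything that is not a single SELECT statement before the run is created. The field names in the row (`lq_sql`, `lq_device_ids`, and so on), the sample row, the accepted OS names and the shape of the request body and path (`/livequery/v1/orgs/{org_key}/runs` with a `device_filter` object) are assumptions made for the example; check them against the Live Query API documentation before relying on them.

```python
import re

# Assumed mapping of the alert action's configuration to the field names used
# in the search result rows. The field names are constructed for this example.
ACTION_CONFIG = {
    "livequery_name": "Logged-in users after credential scraping alert",
    "sql_query_field": "lq_sql",
    "device_ids_field": "lq_device_ids",
    "device_os_field": "lq_device_os",
    "policy_name_field": "lq_policy_ids",
}

# Assumed set of OS names accepted by the device filter; ALL is handled separately.
ALLOWED_OS = {"WINDOWS", "MAC", "LINUX"}

# Constructed search result row, as an alert search might return it.
SAMPLE_ROW = {
    "lq_sql": "SELECT user, host, time FROM logged_in_users",
    "lq_device_ids": "1234567, 2345678",
    "lq_device_os": "WINDOWS",
    "lq_policy_ids": "",
}


def split_csv(value):
    """Split a comma-separated field into trimmed, non-empty tokens."""
    if not value:
        return []
    return [tok.strip() for tok in str(value).split(",") if tok.strip()]


def parse_id_list(value, label):
    """Parse a comma-separated list of numeric IDs (device or policy IDs)."""
    ids = []
    for tok in split_csv(value):
        if not tok.isdigit():
            raise ValueError(f"{label} is not numeric: {tok!r}")
        ids.append(int(tok))
    return ids


def parse_os(value):
    """Return a sorted list of OS names, or None when ALL (or nothing) is given."""
    tokens = [tok.upper() for tok in split_csv(value)]
    if not tokens or "ALL" in tokens:
        return None  # no OS filter: the query runs on every operating system
    unknown = set(tokens) - ALLOWED_OS
    if unknown:
        raise ValueError(f"unknown device OS value(s): {sorted(unknown)}")
    return sorted(set(tokens))


def validate_sql(sql):
    """Accept exactly one SELECT statement; Live Query is read-only osquery SQL."""
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise ValueError("only a single SQL statement may be submitted")
    if not re.match(r"(?i)^select\b", stmt):
        raise ValueError("Live Query SQL must be a SELECT statement")
    return stmt + ";"


def run_path(org_key):
    """Assumed request path for creating a Live Query Run."""
    return f"/livequery/v1/orgs/{org_key}/runs"


def build_run_request(config, row):
    """Build the (assumed) JSON body for a Live Query Run from one result row."""
    sql = row.get(config["sql_query_field"])
    if not sql:
        raise ValueError("search result row has no SQL query field")
    body = {"name": config["livequery_name"], "sql": validate_sql(sql)}

    device_filter = {}
    device_ids = parse_id_list(row.get(config["device_ids_field"]), "device ID")
    if device_ids:
        device_filter["device_id"] = device_ids
    os_list = parse_os(row.get(config["device_os_field"]))
    if os_list:
        device_filter["os"] = os_list
    policy_ids = parse_id_list(row.get(config["policy_name_field"]), "policy ID")
    if policy_ids:
        device_filter["policy_id"] = policy_ids
    if device_filter:
        body["device_filter"] = device_filter
    return body


if __name__ == "__main__":
    print(run_path("ORG_KEY_PLACEHOLDER"))
    print(build_run_request(ACTION_CONFIG, SAMPLE_ROW))
```

With the sample row the request carries the SELECT against `logged_in_users` scoped to the two device IDs on Windows, which is the "logged-in users after a credential scraping alert" case listed above; an empty Policy Name field simply omits `policy_id` from the filter, and a row whose OS field reads ALL omits the `os` key entirely.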