The Carbon Black Cloud console provides queries that are predefined by the Carbon Black security experts. You can run these recommended queries directly or after modifying them according to your environment.

Procedure

  1. Navigate to the Live Query > New Query page and select a predefined query under the Recommended tab.
  2. Browse the categories IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance, and the related queries.
  3. Optional. To narrow your list of queries, use the OS filter drop-down menu.
  4. Optional. To modify any of the custom queries, click the plus icon, and then the Edit SQL link.
    The SQL Query tab displays. Here you can follow the steps for running your own live query.
  5. Optional. To run a query on a limited set of endpoints, or policy, click the endpoints or policy links below the category cards.
    Only query devices compatible with the supported sensor/OS return results.
  6. Execute your query in either way.
    • Click Run for any query you would like to try.
    • Click Schedule to schedule a query to run daily, weekly, or monthly.

Schedule and Manage a Recommended Query

Procedure

  1. On the Recommended tab, search for a specific query.
    For example, type Extension in the search text box to identify recommended queries related to extensions.
  2. Locate the query in the results and click the Schedule link.
    The Schedule Query window displays.
  3. Modify the query name as needed.
  4. Select a policy that contains endpoints or a specific endpoint for the query to run against it.
    If you select a policy with no endpoints, a warning text displays.
  5. Select the frequency of the query execution.
  6. Select the day and time to run the query.
  7. Select Email me a summary of query results as needed.
  8. To save your changes, click Schedule.
  9. Go to the Live Query > Query Results > Scheduled tab.
    Your query displays at the top of the list of queries.
  10. Optional. Under the Last Run Time column, to view the time stamped result sets related to this query, click the chevron next to your scheduled query.
  11. Optional. To view the query configuration and SQL string, select the Query Details icon next to the query name.
  12. While your scheduled query is active, to stop, edit, or delete it, locate the Actions column and click the down arrow.
  13. To view a record of all the modifications related to your query, go to the Settings > Audit Log page.