Live Query leverages osquery to interrogate endpoints.

You can find the full list of osquery tables and schemas in the osquery site.

Required Products: Carbon Black Cloud Audit and Remediation

Required Data: Live Query Input (App Input)

Results are pulled into Splunk after the query completes. Scheduled queries are marked as completed as soon as the next scheduled one begins. If you are running daily queries, your data can be delayed up to a day.