This section describes how to create and run a query.

On the navigation bar, click Live Query. The Live Query page shows any currently running query, a completed query, or a blank page depending on the status of the most recently run query.

You can run only one query at a time. If you run a new query, previous query results are discarded.

The maximum number of sensors you can target for a single query is 200. If you select more than 200 sensors, only the first 200 sensors receive the query, based on the 200 sensors that have most recently checked in.

There are two ways to run a query – you can use a preformed recommended query that Carbon Black EDR provides, or you can write your own SQL query.

Recommended queries are organized into the following categories:

  • Compliance – verify that hosts are in compliance with common security-related requirements

  • IT hygiene – check the status of credentials, certificates, and accounts on your hosts

  • Threat hunting – check for commonly used threat techniques on your hosts

  • Vulnerability management – discover which patches, drivers, Chrome extensions, etc. are active on your hosts

Run a Recommended Query

Perform the following procedure to run a recommended query.

Procedure

  1. On the navigation bar, click Live Query.
  2. On the Live Query page, click Run New Query.
  3. Click the Recommended tab if it is not already selected.
    [Screenshot: the Run New Query page with the Recommended tab selected]
  4. Optionally, to view the SQL code of a recommended query, click View SQL.
  5. Click Use next to the recommended query name. The query appears in the SQL tab so that you can modify it, or run it as is.
  6. Identify the endpoints to receive the query.
    You can select endpoints by sensor group, or you can select individual sensors by host name. A message shows the number of sensors that you have selected. Note that the number of sensors that are shown includes all sensors, not just the sensors that are Live Query-compatible.
  7. Click Run. The selected sensors pick up the query the next time the sensors check in with the server.

Run your own SQL Query

Perform the following procedure to run your own SQL query.

Procedure

  1. On the navigation bar, click Live Query.
  2. On the Live Query page, click Run New Query.
  3. Click the SQL tab.
    [Screenshot: the Run New Query page with the SQL tab selected]
  4. In the text box, type your SQL query. For help writing a query, click the links provided on the page.
  5. Identify the endpoints to receive the query. You can select endpoints by sensor group, or you can select individual sensors by host name. A message displays the number of sensors that you have selected. Note that the number of sensors that are shown includes all sensors, not just the sensors that are Live Query-compatible.
  6. Click Run. The selected sensors pick up the query the next time the sensors check in with the server.
    Note: Double quotation marks produce errors in your SQL query. Use single quotation marks instead. Chained queries (separated by ;) are not supported.
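The following is an added example of a query written to satisfy the rules in the note above; it is not one of the recommended queries that Carbon Black EDR ships. It assumes the targeted sensors expose the osquery chrome_extensions and users tables, and it fits the Vulnerability management category by listing Chrome extensions that request a particular permission.

```sql
-- Added example, not a recommended query from the product.
-- Assumes the osquery `chrome_extensions` and `users` tables are available.
--
-- Rules from the note above:
--   * string literals use single quotation marks, never double quotation marks;
--   * exactly one statement per query, because chained statements (a;b) are not supported.
--
-- Rejected form (do NOT submit):
--   SELECT name FROM chrome_extensions WHERE permissions LIKE "%webRequest%";
--   SELECT username FROM users;
-- It fails twice: the double-quoted literal and the second chained statement.

-- Accepted form: one statement, single-quoted literal, joined to users so each
-- extension is attributed to the account that installed it.
SELECT
    u.username,
    ce.name,
    ce.version,
    ce.identifier,
    ce.permissions
FROM chrome_extensions AS ce
JOIN users AS u USING (uid)
WHERE ce.permissions LIKE '%webRequest%'
ORDER BY u.username, ce.name;
```

To check several conditions, widen the WHERE clause of this single statement rather than adding a second statement.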