This section describes Carbon Black EDR Live Query, and how to create and run queries against your endpoints.

Live Query can expose an operating system as a high-performance relational database — you can write SQL-based queries that explore operating system data to analyze security vulnerabilities. Live Query is based on osquery, which is an open source project that uses a SQLite interface. Live Query is released with Carbon Black EDR 7.2, and requires the Carbon Black EDR Windows sensor 7.1.0 or higher.

All users can view queries on the sensors for which they have View permissions. To execute a Live Query, an analyst must have the Execute Live Query enhanced permission. See Adding Enhanced Permissions for Analysts.