
Announcing VMware Carbon Black Cloud Live Query Scroll Results

Posted on December 5, 2023


A new API endpoint for retrieving query results from the Live Query API has been released!


Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/results/_scroll

Use cases:

  • You can retrieve query results for devices across multiple runs, simplifying data ingest into your integration.
  • Supports paginating beyond 10k results using search_after, though each request is limited to 10k rows.

Note: After requesting the initial results, use the search_after value from the response with the same search request to paginate the remaining result set. Repeat with the next search_after from each response until num_remaining is 0.


Examples

Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/results/_scroll
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "criteria": {
    "device.id": [ 18563901 ],
    "time_received": {
        "range": "-3h"
    }
  },
  "rows": 1
}
Response Body
{
  "org_key": "ABCD1234",
  "num_found": 45,
  "num_remaining": 44,
  "search_after": "MTY5OTQ0OTQ2MDY1NywxODU2MzkwMSwyaGtiY3F4cjl3dG1sZmlienloYzBmcmludW44Y2I1MCwxMTY7MTY5OTM4OTkxMzAwMCwxNjk5NDc2MzEzMDAwOzEzMTU=",
  "results": [
    {
        "id": "vhrporu7k1g3kdit3a6diu7taxlkzeuf",
        "device": {
            "id": 18563901,
            "name": "DESKTOP-3EDDD6D",
            "policy_id": 20366688,
            "policy_name": "Standard",
            "os": "WINDOWS"
        },
        "status": "matched",
        "time_received": "2023-11-07T21:33:14.482Z",
        "device_message": "",
        "fields": {
            "cmdline": "wininit.exe",
            "cwd": "",
            "name": "wininit.exe",
            "on_disk": 1,
            "path": "C:\\Windows\\System32\\wininit.exe"
        }
    }
  ]
}
To download or review the Carbon Black Cloud Postman collection, click here.
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/results/_scroll
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "criteria": {
    "device.id": [ 18563901 ],
    "time_received": {
        "range": "-3h"
    }
  },
  "search_after": "MTY5OTQ0OTQ2MDY1NywxODU2MzkwMSwyaGtiY3F4cjl3dG1sZmlienloYzBmcmludW44Y2I1MCwxMTY7MTY5OTM4OTkxMzAwMCwxNjk5NDc2MzEzMDAwOzEzMTU=",
  "rows": 1
}
Response Body
{
  "org_key": "ABCD1234",
  "num_found": 45,
  "num_remaining": 43,
  "search_after": "MTY5OTQ1MDM3Njg3MCwxODU2MzkwMSx3OTdrbHhqaGhsbWE5cjh2cXIzYTJjMGZvcnFzaGp1diwxMTc7MTY5OTM5MDcxODAwMCwxNjk5NDc3MTE4MDAwOzEzMDc=",
  "results": [
    {
        "id": "vhrporu7k1g3kdit3a6diu7taxlkzeuf",
        "device": {
            "id": 18563901,
            "name": "DESKTOP-3EDDD6D",
            "policy_id": 20366688,
            "policy_name": "Standard",
            "os": "WINDOWS"
        },
        "status": "matched",
        "time_received": "2023-11-07T21:33:14.482Z",
        "device_message": "",
        "fields": {
            "cmdline": "winlogon.exe",
            "cwd": "C:\\WINDOWS\\system32\\",
            "name": "winlogon.exe",
            "on_disk": 1,
            "path": "C:\\Windows\\System32\\winlogon.exe"
        }
    }
  ]
}
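
The pagination loop described in the Note above, as an added Python example (not code from the original post or from VMware). The names `http_post`, `scroll_results` and `fake_backend` are illustrative; `fake_backend` is a constructed stand-in for the API so the loop runs offline, and the stalled-cursor guard is an addition the post does not describe.

```python
import json
import urllib.request

SCROLL_PATH = "/livequery/v1/orgs/{org_key}/runs/results/_scroll"  # endpoint from the post
MAX_ROWS = 10_000  # per-request row limit stated in the post


def http_post(hostname, org_key, token):
    """Return a post(body) callable that sends one _scroll request over HTTPS."""
    url = f"https://{hostname}" + SCROLL_PATH.format(org_key=org_key)
    headers = {"X-AUTH-TOKEN": token, "Content-Type": "application/json"}

    def post(body):
        req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def scroll_results(post, criteria, rows=MAX_ROWS):
    """Yield every result row, following search_after until num_remaining is 0."""
    if not 1 <= rows <= MAX_ROWS:
        raise ValueError("rows must be between 1 and 10000")
    body = {"criteria": criteria, "rows": rows}  # same search request on every page
    seen = set()
    while True:
        page = post(body)
        yield from page.get("results", [])
        if page.get("num_remaining", 0) <= 0:
            return
        cursor = page.get("search_after")
        # Assumed safeguard: a missing or repeated cursor would otherwise loop forever.
        if not cursor or cursor in seen:
            raise RuntimeError("scroll stalled: search_after missing or repeated")
        seen.add(cursor)
        body = {**body, "search_after": cursor}


def fake_backend(total):
    """Constructed stand-in for the API: serves `total` rows, cursor = next offset."""
    def post(body):
        start = int(body.get("search_after", "0"))
        end = min(start + body["rows"], total)
        return {"num_found": total, "num_remaining": total - end,
                "search_after": str(end),
                "results": [{"id": f"row-{i}"} for i in range(start, end)]}
    return post
```

Against a real tenant, pass `http_post(hostname, org_key, token)` as `post`, with the token read from a secrets store or environment variable rather than written into the script.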
