Carbon Black Cloud Audit and Remediation is the new name for the product formerly called CB LiveOps.
Audit and Remediation is a real-time query and remediation solution that gives teams faster, easier access to audit and change the system state of endpoints across their organization.
Audit and Remediation contains two components; Live Response and Live Query. This document refers to the Live Query REST API.
Note: For returning users, three sub-fields inside device_filter named: device_ids, policy_ids, and device_types, have been deprecated in favor of device_id, policy_id, and os, respectively.
For API authentication information, view our Carbon Black Cloud Authentication Guide.
Most API routes require all three headers, however, there are exceptions.
X-Auth-Token: required in the request header. This is your authentication token.Content-Type: application/jsonorg_key: required in the API path. This is your Carbon Black Cloud Org Key, you can view it under Settings > API Keys.Live query runs can be scheduled to recur on a specified basis which consists of a recurrence rule and a timezone.
{
"rrule": "RRULE:FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"timezone": "America/New_York"
}The following tables list the fields and values that are supported for each FREQ in a rrule.
Note: Any field that supports “One or more” must use a comma delimiter i.e. 1,2,3
DAILY
| Field | Values |
|---|---|
BYSECOND |
0 |
BYMINUTE |
0 or 30 |
BYHOUR |
0 to 23 |
# Daily at 1:30PM
RRULE:FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0WEEKLY
| Field | Values |
|---|---|
BYSECOND |
0 |
BYMINUTE |
0 or 30 |
BYHOUR |
0 to 23 |
BYDAY |
One or more: SU, MO, TU, WE, TH, FR, SA |
# Monday and Friday of the week at 2:30 AM
RRULE:FREQ=WEEKLY;BYDAY=MO,FR;BYHOUR=13;BYMINUTE=30;BYSECOND=0MONTHLY
Note: Either (BYDAY and BYSETPOS) or BYMONTHDAY is required.
| Field | Values |
|---|---|
BYSECOND |
0 |
BYMINUTE |
0 or 30 |
BYHOUR |
0 to 23 |
BYDAY |
One or more: SU, MO, TU, WE, TH, FR, SA |
BYSETPOS |
-1, 1, 2, 3, 4 |
BYMONTHDAY |
One or more: 1 to 28 |
# Last Monday of the Month at 2:30 AM
RRULE:FREQ=MONTHLY;BYDAY=MO;BYSETPOS=-1;BYHOUR=2;BYMINUTE=30;BYSECOND=0# 1st and 15th of the Month at 2:30 AM
RRULE:FREQ=DAILY;BYMONTHDAY=1,15;BYHOUR=2;BYMINUTE=30;BYSECOND=0See the following sections of RFC 2445 for more information on Recurrence Rules:
The timezone field uses the UTC timezone database names to specify which timezone to apply to the recurrence rule. A list of timezone database names can be found here
Initiates a new Live Query search. If you want the run to recur then include a schedule in the request.
This route includes osquery validation:
osquery SQL, ensuring tables are correct, table columns match, etc.osquery SQL is compatible with the selected device type(s).Device compatibility is checked against the osquery schema. The schema version depends upon the device type of the sensor. The following device schemas can be used to query for a specific device:
WINDOWS: https://osquery.io/schema/4.5.0
MAC: Sensor 3.5.3 - https://osquery.io/schema/4.8.0
Previous Sensor Versions - https://osquery.io/schema/4.1.2
LINUX: Sensor 2.12 - https://osquery.io/schema/4.8.0
Previous Sensor Versions - https://osquery.io/schema/4.1.2
See this UEX article for information about which Carbon Black Cloud sensor versions support which osquery versions.
Note: Queries will still be allowed to be added when a list of device ids is specified in the filter and none of the corresponding devices are compatible with the query. In these cases, no results will be returned and the query will be shown as NOT_SUPPORTED in the query result device summaries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
CREATE |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs
Body
{
"sql": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>"
]
},
"name": "<string>",
"notify_on_finish": "<boolean>",
"schedule": {
"rrule": "<string>",
"timezone": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
device_filter |
A set of filters to limit the query to run only on matching devices | Object | |
device_filter.device_id |
A list of device IDs | Array | N/A |
device_filter.os |
A list of operating systems | Array | WINDOWS, MAC, LINUX |
device_filter.policy_id |
A list of policy IDs | Array | Limitation only one policy_id can be specified |
name |
Name for your Live Query Run | String | Default: SQL statement defined under field sql |
notify_on_finish |
Receive an email notification when query is completed | Boolean | Default: false |
sql REQUIRED
|
SQL for the Live Query Run | String | N/A |
schedule |
An optional configuration to rerun the query. A template_id will be included in the response. |
Object | |
schedule.rrule |
A recurrence rule to specify the pattern to rerun the query | String | See Recurrence Rules |
schedule.timezone |
The timezone that the rrule will be applied against | String | TZ Database Name ie America/New_York |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successfully added a Live Query run | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value. Query is incompatible with supported Live Query OS platforms | application/json | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not Found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs
Body
{
"device_filter": {
"os": [
"WINDOWS"
]
},
"name": "Example",
"notify_on_finish": true,
"schedule": {
"rrule": "RRULE:FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"timezone": "America/New_York"
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;"
}Response
{
"org_key": "ABCD1234",
"name": "Example",
"id": "796g7bqc6pprul4g6xitlfljmpbf5cch",
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"created_by": "ABCDE12345",
"destinations": [
"LQ"
],
"create_time": "2020-12-04T22:28:23.739Z",
"status_update_time": "2020-12-04T22:28:23.739Z",
"timeout_time": "2020-12-05T18:29:00.000Z",
"cancellation_time": null,
"cancelled_by": null,
"archive_time": null,
"archived_by": null,
"notify_on_finish": true,
"active_org_devices": 1,
"status": "ACTIVE",
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"recommended_query_id": null,
"template_id": "3gxndaedkgu69femybsacsy7eassebsv",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": "2020-12-04T22:28:23.739Z",
"next_run_time": "2020-12-05T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"schema": null,
"last_result_time": null,
"total_results": 0,
"not_started_count": 1,
"match_count": 0,
"no_match_count": 0,
"success_count": 0,
"in_progress_count": 0,
"error_count": 0,
"not_supported_count": 0,
"cancelled_count": 0
}Returns the current details of a Live Query run. Users will be able to observe numerous metadata fields, such as status within the JSON response.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
GET {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful retrieval of Live Query details | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
Field status options:
ACTIVE: currently running.TIMED_OUT: query timed out.COMPLETE: query completed.CANCELLED: user cancelled the Live Query run.Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/796g7bqc6pprul4g6xitlfljmpbf5cch
Response
{
"org_key": "ABCD1234",
"name": "Example",
"id": "796g7bqc6pprul4g6xitlfljmpbf5cch",
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"created_by": "ALDS6YAEIL",
"destinations": [
"LQ"
],
"create_time": "2020-12-04T22:28:23.739Z",
"status_update_time": "2020-12-04T22:28:40.899Z",
"timeout_time": "2020-12-05T18:29:00.000Z",
"cancellation_time": null,
"cancelled_by": null,
"archive_time": null,
"archived_by": null,
"notify_on_finish": true,
"active_org_devices": 1,
"status": "COMPLETE",
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
],
"device_ids": null
},
"recommended_query_id": null,
"template_id": "3gxndaedkgu69femybsacsy7eassebsv",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": "2020-12-04T22:28:23.739Z",
"next_run_time": "2020-12-05T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"schema": null,
"last_result_time": "2020-12-04T22:28:39.461Z",
"total_results": 14,
"not_started_count": 0,
"match_count": 1,
"no_match_count": 0,
"success_count": 1,
"in_progress_count": 0,
"error_count": 0,
"not_supported_count": 0,
"cancelled_count": 0
}Gets results from a Live Query run. The Live Query results can also be exported as a CSV compressed in a ZIP, or exported asynchronously (see below for details).
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_search
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_search?format=csv
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_search?format=csv&download=true
Note: The last two routes will stream or download results to a CSV. See Additional Query Parameter Values below for additional information about using the stream or download CSV functionality.
You can use the Job Service API to download large sets of query results without experiencing timeout errors or receiving corrupt files.
This route can take an optional URL query parameter that tells the server to process the request asynchronously.
When downloading very large sets of query results as CSV, make sure you pass “?format=csv&async=true” as a query parameter to the existing /results/_search route or you may receive errors and corrupt files.
You can only request format=csv when using async=true.
- ?format=zip&async=true is not supported
Body
{
"criteria": {
"device.id": [
"<integer>",
"<integer>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<integer>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.device.id |
List of device IDs to filter on | Array | N/A |
criteria.device.name |
List of device names to filter on | Array | N/A |
criteria.device.os |
List of os’s to filter on | Array | WINDOWS, MAC, LINUX |
criteria.device.policy_id |
List of device policy IDs to filter on | Array | N/A |
criteria.device.policy_name |
List of device policy names to filter on | Array | N/A |
criteria.status |
List of statuses to filter on | Array | ACTIVE, TIMED_OUT, COMPLETE, CANCELLED |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
rows |
For pagination, how many results to return | Integer | Default: 100 |
start |
For pagination, where to start retrieving results from | Integer | Default: 0 |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | order supports ASC or DESC
Supported fields: fields. + any field in the fields object of the results |
Additional Query Parameter Values
To utilize the stream or download CSV functionality, please read the information below:
| Field | Definition | Data Type | Values |
|---|---|---|---|
format |
List of format to stream (currently only CSV is available) |
String | Default: json |
download |
A parameter to allow download into specified format (will always return a zipped CSV file) |
Boolean | Default: false |
Stream CSV File
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_search?format=csv
NOTE: To use the stream functionality, set the Accept: text/csv header for the correct response to return.
Download CSV File
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_search?format=csv&download=true
NOTE: To retrieve the export as a zipped CSV file, set the Accept: application/octet-stream header and include download=true in the query parameters.
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query results | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not Found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/erzo7cotkasdfghjk707srcjwnjgfmiv/results/_search
Body
{
"criteria": {
"device.os": [
"WINDOWS"
]
},
"rows": 2,
"sort": [
{
"field": "fields.install_date",
"order": "ASC"
}
],
"start": 0
}Response
{
"org_key": "ABCD1234",
"num_found": 14,
"results": [
{
"id": "796g7bqc6pprul4g6xitlfljmpbf5cch",
"device": {
"id": 329219,
"name": "DESKTOP-8QONQUJ",
"policy_id": 2198,
"policy_name": "default",
"os": "WINDOWS"
},
"status": "matched",
"time_received": "2020-12-04T22:28:39.461Z",
"device_message": "",
"fields": {
"install_date": 20200316,
"install_location": "",
"install_source": "C:\\ProgramData\\Package Cache\\{F3241984-5A0E-4632-9025-AA16E0780A4B}v14.20.27508\\packages\\vcRuntimeMinimum_amd64\\",
"name": "Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.20.27508",
"publisher": "Microsoft Corporation",
"uninstall_string": "MsiExec.exe /I{F3241984-5A0E-4632-9025-AA16E0780A4B}",
"version": "14.20.27508"
}
},
{
"id": "796g7bqc6pprul4g6xitlfljmpbf5cch",
"device": {
"id": 329219,
"name": "DESKTOP-8QONQUJ",
"policy_id": 2198,
"policy_name": "default",
"os": "WINDOWS"
},
"status": "matched",
"time_received": "2020-12-04T22:28:39.461Z",
"device_message": "",
"fields": {
"install_date": 20200316,
"install_location": "",
"install_source": "C:\\ProgramData\\Package Cache\\{C9DE51F8-7846-4621-815D-E8AFD3E3C0FF}v14.20.27508\\packages\\vcRuntimeAdditional_x86\\",
"name": "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508",
"publisher": "Microsoft Corporation",
"uninstall_string": "MsiExec.exe /I{C9DE51F8-7846-4621-815D-E8AFD3E3C0FF}",
"version": "14.20.27508"
}
}
]
}Get Tau Tin Live Query Recommendations.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
GET {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/recommendations
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful retrieval of recommended queries | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/recommendations
Response
{
"org_key": "ABCD1234",
"num_found": 91,
"results": [
{
"link": null,
"queries": {
"description": "The Authorized_keys file for SSH is a critical file that controls which users can log into which systems.",
"interval": 86400,
"query": {
"c5df11f1dfaec0fbf0aad23e": "SELECT *\nFROM users\nJOIN authorized_keys USING (UID);"
},
"results": "Lists all relevant information about the authorized keys on the target systems.",
"supported_platforms": [
"linux",
"mac"
],
"title": "Authorized SSH Keys"
},
"type": "compliance"
}
]
}Stop a running Live Query Run by changing its status to CANCELLED. Note that once a Run has been stopped it cannot be set back to ACTIVE.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
UPDATE |
Request
PUT {cbc-hostname}/livequery/orgs/{org_key}/runs/{id}/status
Request Body
{
"status": "<string>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| status REQUIRED | Status to apply to the query | String | CANCELLED |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully stopped a Live Query run | N/A | N/A |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
| 409 | Can’t cancel a run that isn’t running | N/A | N/A |
Example
Request
PUT https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/wo6ryi4rq2vmxhzwlnoc5xbpfez0kw1n/status
Body
{
"status": "CANCELLED"
}Response
{
"org_key": "wnexfkq7",
"name": "Example",
"id": "wo6ryi4rq2vmxhzwlnoc5xbpfez0kw1n",
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"created_by": "ALDS6YAEIL",
"destinations": [
"LQ"
],
"create_time": "2020-12-04T23:45:06.403Z",
"status_update_time": "2020-12-04T23:45:10.588Z",
"timeout_time": "2020-12-05T18:29:00.000Z",
"cancellation_time": "2020-12-04T23:45:10.588Z",
"cancelled_by": "ALDS6YAEIL",
"archive_time": null,
"archived_by": null,
"notify_on_finish": true,
"active_org_devices": 1,
"status": "CANCELLED",
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
],
"device_ids": null
},
"recommended_query_id": null,
"template_id": "dyk4moxdmssnfawqmqjn4vd7ngxnifts",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": "2020-12-04T23:45:06.403Z",
"next_run_time": "2020-12-05T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"schema": null,
"last_result_time": null,
"total_results": 0,
"not_started_count": 1,
"match_count": 0,
"no_match_count": 0,
"success_count": 0,
"in_progress_count": 0,
"error_count": 0,
"not_supported_count": 0,
"cancelled_count": 0
}Deletes a Live Query Run.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
DELETE |
Request
DELETE {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successful deletion of a Live Query run | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/nnk1idf2xz3cit8unv3usfwyzmdqj8
Response
No ContentRetrieves facets for Live Query results.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/_facet
Body
{
"criteria": {
"device.id": [
"<integer>",
"<integer>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<integer>",
"<integer>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"terms": {
"fields": [
"<string>",
"<string>"
],
"rows": "<integer>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.device.id |
List of device IDs to filter on | Array | N/A |
criteria.device.name |
List of device names to filter on | Array | N/A |
criteria.device.os |
List of os’s to filter on | Array | WINDOWS, MAC, LINUX |
criteria.device.policy_id |
List of device policy IDs to filter on | Array | N/A |
criteria.device.policy_name |
List of device policy names to filter on | Array | N/A |
criteria.status |
List of statuses to filter on | Array | ACTIVE, TIMED_OUT, COMPLETE, CANCELLED |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
terms REQUIRED
|
The alert fields to facet and how many of the top entries to return. | Object | Supported Fields: fields. + any field in the fields object of the results |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved query run facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/796g7bqc6pprul4g6xitlfljmpbf5cch/results/_facet
Body
{
"criteria": {
"device.os": [
"WINDOWS"
]
},
"terms": {
"fields": [
"fields.name"
],
"rows": 5
}
}Response
{
"terms": [
{
"field": "fields.name",
"values": [
{
"total": 1,
"id": "Carbon Black Cloud Sensor 64-bit",
"name": "Carbon Black Cloud Sensor 64-bit"
},
{
"total": 1,
"id": "Google Chrome",
"name": "Google Chrome"
},
{
"total": 1,
"id": "Google Update Helper",
"name": "Google Update Helper"
},
{
"total": 1,
"id": "Microsoft Edge",
"name": "Microsoft Edge"
},
{
"total": 1,
"id": "Microsoft Edge Update",
"name": "Microsoft Edge Update"
}
]
}
]
}Gets facets for device summaries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/device_summaries/_facet
Body
{
"criteria": {
"device.id": [
"<long>",
"<long>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<long>",
"<long>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"terms": {
"fields": [
"<string>",
"<string>"
],
"rows": "<integer>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.device.id |
List of device IDs to filter on | Array | N/A |
criteria.device.name |
List of device names to filter on | Array | N/A |
criteria.device.os |
List of os’s to filter on | Array | WINDOWS, MAC, LINUX |
criteria.device.policy_id |
List of device policy IDs to filter on | Array | N/A |
criteria.device.policy_name |
List of device policy names to filter on | Array | N/A |
criteria.status |
List of statuses to filter on | Array | ACTIVE, TIMED_OUT, COMPLETE, CANCELLED |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
terms REQUIRED
|
The alert fields to facet and how many of the top entries to return. | Object | Supported Fields: The criteria fields listed above |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query device summary facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | No Live Query run found for the specified id | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/796g7bqc6pprul4g6xitlfljmpbf5cch/results/device_summaries/_facet
Body
{
"criteria": {
"device.os": [
"WINDOWS"
]
},
"terms": {
"fields": [
"device.id"
],
"rows": 5
}
}Response
{
"terms": [
{
"field": "device.id",
"values": [
{
"total": 1,
"id": "329219",
"name": "329219"
}
]
}
]
}Gets device summaries from the results of a Live Query run.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/{id}/results/device_summaries/_search
Body
{
"criteria": {
"device.id": [
"<long>",
"<long>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<long>",
"<long>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"error_description": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.device.id |
List of device IDs to filter on | Array | N/A |
criteria.device.name |
List of device names to filter on | Array | N/A |
criteria.device.os |
List of os’s to filter on | Array | WINDOWS, MAC, LINUX |
criteria.device.policy_id |
List of device policy IDs to filter on | Array | N/A |
criteria.device.policy_name |
List of device policy names to filter on | Array | N/A |
criteria.status |
List of statuses to filter on | Array | ACTIVE, TIMED_OUT, COMPLETE, CANCELLED |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
rows |
For pagination, how many results to return | Integer | Default: 100 |
start |
For pagination, where to start retrieving results from | Integer | Default: 0 |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | order supports ASC or DESC
Supported fields: metrics. + any field in the fields object of the results |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query device summaries | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | No Live Query run found for the specified id | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/796g7bqc6pprul4g6xitlfljmpbf5cch/results/device_summaries/_search
Body
{
"criteria": {
"device.os": [
"WINDOWS"
]
},
"rows": 2,
"start": 0
}Response
{
"org_key": "ABCD1234",
"num_found": 1,
"results": [
{
"total_results": 14,
"status": "matched",
"device": {
"id": 329219,
"name": "DESKTOP-8QONQUJ",
"policy_id": 2198,
"policy_name": "default",
"os": "WINDOWS"
},
"error_description": "",
"metrics": {
"average_system_memory_in_use": 29.0,
"osquery_creation_time_unix_ms": 1.607120918782E12,
"osquery_current_memory_in_use_mb": 0.0,
"total_cpu_peak": 0.0,
"current_misc_io_operation_rate": 381.0,
"current_misc_io_transfer_rate_kb": 19.0,
"current_write_transfer_rate_kb": 28.0,
"current_system_memory_in_use_mb": 2437.0,
"total_cpu_current": 0.0,
"total_write_operations": 8.0,
"average_read_transfer_rate_kb": 164.0,
"average_write_operation_rate": 8.0,
"current_system_memory_available": 71.0,
"osquery_life_time_ms": 406.0,
"total_read_operations": 44.0,
"average_misc_io_transfer_rate_kb": 19.0,
"total_cpu_average": 0.0,
"current_system_memory_in_use": 29.0,
"peak_system_memory_available": 71.0,
"kernel_cpu_average": 0.0,
"total_write_transfer_count_mb": 0.0,
"osquery_peak_memory_in_use_mb": 1.0,
"average_misc_io_operation_rate": 381.0,
"average_system_memory_in_use_mb": 2438.0,
"average_read_operation_rate": 44.0,
"peak_system_memory_in_use": 29.0,
"current_read_operation_rate": 44.0,
"osquery_total_kernel_mode_time_ms": 46.0,
"kernel_cpu_peak": 0.0,
"osquery_average_percent_of_memory_in_use": 0.03,
"average_write_transfer_rate_kb": 28.0,
"average_system_memory_available": 71.0,
"osquery_average_memory_in_use_mb": 0.0,
"total_read_transfer_count_mb": 0.0,
"user_cpu_average": 0.0,
"peak_system_memory_available_mb": 5753.0,
"peak_system_memory_in_use_mb": 2439.0,
"current_system_memory_available_mb": 5753.0,
"current_read_transfer_rate_kb": 164.0,
"kernel_cpu_current": 0.0,
"total_misc_io_transfer_count_mb": 0.0,
"osquery_current_percent_of_all_memory": 0.0,
"osquery_peak_percent_of_memory_in_use": 0.06,
"user_cpu_peak": 0.0,
"average_system_memory_available_mb": 5752.0,
"osquery_current_percent_of_memory_in_use": 0.0,
"osquery_total_user_mode_time_ms": 0.0,
"total_misc_io_operations": 387.0,
"current_write_operation_rate": 8.0,
"osquery_peak_percent_of_all_memory": 0.02,
"osquery_average_percent_of_all_memory": 0.01,
"process_monitoring_rate_ms": 500.0,
"user_cpu_current": 0.0,
"osquery_exit_time_unix_ms": 1.607120919188E12
},
"start_time": "2020-12-04T22:28:38.354Z",
"finish_time": "2020-12-04T22:28:39.461Z",
"update_time": "2020-12-04T22:28:40.886Z"
}
]
}Get and search for Live Query runs.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/runs/_search
Body
{
"criteria": {
"recommended_query_id": [
"<string>",
"<string>"
],
"schedule.status": [
"<string>",
"<string>"
],
"template_id": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.recommended_query_id |
List of recommended query ids to filter on. This can be found in the output of the recommendations API | Array | N/A |
criteria.schedule.status |
List of query run statuses to filter on | Array | ACTIVE, CANCELLED |
criteria.template_id |
List of template ids that created scheduled runs | Array | N/A |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
rows |
For pagination, how many results to return | Integer | Default: 100 |
start |
For pagination, where to start retrieving results from | Integer | Default: 0 |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | order supports ASC or DESC
Supported fields: Any fields from the results not within an object |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved query runs | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/runs/_search
Body
{
"criteria": {
"schedule.status": [
"COMPLETE"
]
},
"rows": 2,
"sort": [
{
"field": "create_time",
"order": "ASC"
}
],
"start": 0
}Response
{
"org_key": "WNEXFKQ7",
"num_found": 23,
"results": [
{
"org_key": "wnexfkq7",
"name": null,
"id": "s0m51cvwm0k1yik0wycvamg1sdhlptt0",
"sql": "SELECT * FROM logged_in_users;",
"created_by": "ECQPVHWP2Y",
"destinations": [
"LQ"
],
"create_time": "2019-11-14T18:42:48.225Z",
"status_update_time": "2019-11-14T18:44:14.694Z",
"timeout_time": "2019-11-21T18:42:48.225Z",
"cancellation_time": null,
"cancelled_by": null,
"archive_time": null,
"archived_by": null,
"notify_on_finish": false,
"active_org_devices": 1,
"status": "COMPLETE",
"device_filter": null,
"recommended_query_id": null,
"template_id": null,
"schedule": null,
"schema": null,
"last_result_time": null,
"total_results": 0,
"not_started_count": 0,
"match_count": 0,
"no_match_count": 0,
"success_count": 0,
"in_progress_count": 0,
"error_count": 0,
"not_supported_count": 0,
"cancelled_count": 0
},
{
"org_key": "wnexfkq7",
"name": null,
"id": "dfvlzwddywxrvirhugkzpgul9ng1ag1f",
"sql": "SELECT name,",
"created_by": "ECQPVHWP2Y",
"destinations": [
"LQ"
],
"create_time": "2019-11-14T18:44:02.669Z",
"status_update_time": "2019-11-14T18:44:14.861Z",
"timeout_time": "2019-11-21T18:44:02.669Z",
"cancellation_time": null,
"cancelled_by": null,
"archive_time": null,
"archived_by": null,
"notify_on_finish": false,
"active_org_devices": 1,
"status": "COMPLETE",
"device_filter": null,
"recommended_query_id": null,
"template_id": null,
"schedule": null,
"schema": null,
"last_result_time": null,
"total_results": 0,
"not_started_count": 0,
"match_count": 0,
"no_match_count": 0,
"success_count": 0,
"in_progress_count": 0,
"error_count": 0,
"not_supported_count": 0,
"cancelled_count": 0
}
]
}Creates a Live Query Template to perform the query on a schedule.
This route includes osquery validation:
osquery SQL, ensuring tables are correct, table columns match, etc.osquery SQL is compatible with the selected device type(s).Device compatibility is checked against the osquery schema. The schema version depends upon the device type of the sensor. The following device schemas can be used to query for a specific device:
WINDOWS: https://osquery.io/schema/4.5.0
MAC: Sensor 3.5.3 - https://osquery.io/schema/4.8.0
Previous Sensor Versions - https://osquery.io/schema/4.1.2
LINUX: Sensor 2.12 - https://osquery.io/schema/4.8.0
Previous Sensor Versions - https://osquery.io/schema/4.1.2
See this UEX article for information about which Carbon Black Cloud sensor versions support which osquery versions.
Note: Queries will still be allowed to be added when a list of device ids is specified in the filter and none of the corresponding devices are compatible with the query. In these cases, no results will be returned and the query will be shown as NOT_SUPPORTED in the query result device summaries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
CREATE |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/templates
Body
{
"sql": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>"
]
},
"name": "<string>",
"notify_on_finish": "<boolean>",
"schedule": {
"rrule": "<string>",
"timezone": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
device_filter |
A set of filters to limit the query to run only on matching devices | Object | |
device_filter.device_id |
A list of device IDs | Array | N/A |
device_filter.os |
A list of operating systems | Array | WINDOWS, MAC, LINUX |
device_filter.policy_id |
A list of policy IDs | Array | Limitation only one policy_id can be specified |
name REQUIRED
|
Name for your Live Query Run | String | Default: SQL statement defined under field sql |
notify_on_finish |
Receive an email notification when query is completed | Boolean | Default: false |
sql REQUIRED
|
SQL for the Live Query Run | String | N/A |
schedule REQUIRED
|
A configuration to rerun the query | Object | |
schedule.rrule |
A recurrence rule to specify the pattern to rerun the query | String | See Recurrence Rules |
schedule.timezone |
The timezone that the rrule will be applied against | String | TZ Database Name ie America/New_York |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successfully added a Live Query run | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value. Query is incompatible with supported Live Query OS platforms | application/json | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not Found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/templates
Body
{
"device_filter": {
"os": [
"WINDOWS"
]
},
"name": "Example",
"notify_on_finish": true,
"schedule": {
"rrule": "RRULE:FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"timezone": "America/New_York"
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;"
}Response
{
"id": "1tmi0r8cbmivkhu77e8zg1rxij2xcgju",
"name": "Example",
"created_by": "ABCDE12345",
"create_time": "2020-12-07T22:57:03.395Z",
"update_time": "2020-12-07T22:57:03.395Z",
"notify_on_finish": true,
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"last_run_create_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"recommended_query_id": null,
"schema": null,
"destinations": [
"LQ"
]
}Get and search for Live Query templates.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST {cbc-hostname}/livequery/v1/orgs/{org_key}/templates/_search
Body
{
"criteria": {
"recommended_query_id": [
"<string>",
"<string>"
],
"schedule.status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria.recommended_query_id |
List of recommended query ids to filter on. This can be found in the output of the recommendations API | Array | N/A |
criteria.schedule.status |
List of query run statuses to filter on | Array | ACTIVE, CANCELLED |
query |
Free text search that supports case insensitive value queries. Requires whole word values. | String | N/A |
rows |
For pagination, how many results to return | Integer | Default: 100 |
start |
For pagination, where to start retrieving results from | Integer | Default: 0 |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | order supports ASC or DESC
Supported fields: name, sql, create_time, last_run_create_time, update_time, schedule.next_run_time |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query templates, sorted by create_time descending by default | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/templates/_search
Body
{
"criteria": {
"schedule.status": [
"ACTIVE"
]
},
"rows": 2,
"sort": [
{
"field": "last_run_create_time",
"order": "ASC"
}
],
"start": 0
}Response
{
"org_key": "ABCD1234",
"num_found": 1,
"results": [
{
"id": "1tmi0r8cbmivkhu77e8zg1rxij2xcgju",
"name": "Example",
"created_by": "ABCDE12345",
"create_time": "2020-12-07T22:57:03.395Z",
"update_time": "2020-12-07T22:57:03.395Z",
"notify_on_finish": true,
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"last_run_create_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"recommended_query_id": null,
"schema": null,
"destinations": [
"LQ"
]
}
]
}Retrieve a Live Query template (i.e. run schedule) by template id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
GET {cbc-hostname}/livequery/v1/orgs/{org_key}/templates/{template_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved a Live Query template | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/templates/1tmi0r8cbmivkhu77e8zg1rxij2xcgju
Response
{
"id": "1tmi0r8cbmivkhu77e8zg1rxij2xcgju",
"name": "Example",
"created_by": "ABCDE12345",
"create_time": "2020-12-07T22:57:03.395Z",
"update_time": "2020-12-07T22:57:03.395Z",
"notify_on_finish": true,
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"last_run_create_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"schedule": {
"status": "ACTIVE",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"recommended_query_id": null,
"schema": null,
"destinations": [
"LQ"
]
}Edit a query template (i.e. run schedule).
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
UPDATE |
Request
PUT {cbc-hostname}/livequery/v1/orgs/{org_key}/templates/{template_id}
Body
{
"create_time": "<string>",
"created_by": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>",
"<long>"
]
},
"id": "<string>",
"last_run_create_time": "<string>",
"name": "<string>",
"next_run_time": "<string>",
"notify_on_finish": "<boolean>",
"recommended_query_id": "<string>",
"schedule": {
"cancellation_time": "<string>",
"cancelled_by": "<string>",
"next_run_time": "<string>",
"previous_run_time": "<string>",
"recurrence": "<string>",
"rrule": "<string>",
"status": "<string>",
"timezone": "<string>"
},
"sql": "<string>",
"update_time": "<string>"
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
device_filter |
A set of filters to limit the query to run only on matching devices | Object | |
device_filter.device_id |
A list of device IDs | Array | N/A |
device_filter.os |
A list of operating systems | Array | WINDOWS, MAC, LINUX |
device_filter.policy_id |
A list of policy IDs | Array | Limitation only one policy_id can be specified |
name REQUIRED
|
Name for your Live Query Run | String | Default: SQL statement defined under field sql |
notify_on_finish |
Receive an email notification when query is completed | Boolean | Default: false |
sql REQUIRED
|
SQL for the Live Query Run | String | N/A |
schedule REQUIRED
|
An optional configuration to rerun the query | Object | |
schedule.rrule |
A recurrence rule to specify the pattern to rerun the query | String | See Recurrence Rules |
schedule.timezone |
The timezone that the rrule will be applied against | String | TZ Database Name ie America/New_York |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully updated Live Query template | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
PUT https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/templates/1tmi0r8cbmivkhu77e8zg1rxij2xcgju
Body
{
"id": "1tmi0r8cbmivkhu77e8zg1rxij2xcgju",
"name": "Example",
"created_by": "ABCDE12345",
"create_time": "2020-12-07T22:57:03.395Z",
"update_time": "2020-12-07T22:57:03.395Z",
"notify_on_finish": true,
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"last_run_create_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"schedule": {
"status": "CANCELLED",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": null,
"next_run_time": "2020-12-08T18:30:00.000Z",
"cancellation_time": null,
"cancelled_by": null
},
"recommended_query_id": null,
"schema": null,
"destinations": [
"LQ"
]
}Response
{
"id": "1tmi0r8cbmivkhu77e8zg1rxij2xcgju",
"name": "Example",
"created_by": "ABCDE12345",
"create_time": "2020-12-07T22:57:03.395Z",
"update_time": "2020-12-07T23:17:31.264Z",
"notify_on_finish": true,
"device_filter": {
"policy_id": null,
"os": [
"WINDOWS"
],
"device_id": null,
"deployment_type": null,
"device_ids": null,
"policy_ids": null,
"device_types": [
"WINDOWS"
]
},
"sql": "SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs;",
"last_run_create_time": null,
"next_run_time": null,
"schedule": {
"status": "CANCELLED",
"recurrence": "DAILY",
"timezone": "America/New_York",
"rrule": "FREQ=DAILY;BYHOUR=13;BYMINUTE=30;BYSECOND=0",
"previous_run_time": null,
"next_run_time": null,
"cancellation_time": "2020-12-07T23:17:31.264Z",
"cancelled_by": "ABCDE12345"
},
"recommended_query_id": null,
"schema": null,
"destinations": [
"LQ"
]
}Delete a query schedule by id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
DELETE |
Request
DELETE {cbc-hostname}/livequery/v1/orgs/{org_key}/templates/{template_id}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully deleted a query schedule | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/livequery/v1/orgs/ABCD1234/templates/1tmi0r8cbmivkhu77e8zg1rxij2xcgju
Response
No Content