CB LiveOps is a real-time query and remediation solution that gives teams faster, easier access to audit and change the system state of endpoints across their organization.
CB LiveOps contains two components; Live Response and Live Query. This document refers to the Live Query REST API.
Note: For returning users, three sub-fields inside device_filter named: device_ids, policy_ids, and device_types, have been deprecated in favor of device_id, policy_id, and os, respectively.
For API authentication information, view our Carbon Black Cloud Authentication Guide.
Most API routes require all three headers, however, there are exceptions.
X-Auth-Token: required in the request header. This is your authentication token.Content-Type: application/jsonorg_key: required in the API path. This is your Carbon Black Cloud Org Key, you can view it under Settings > API Keys.Initiate a new Live Query search.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
CREATE |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs
Body
{
"sql": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>",
"<long>"
]
},
"name": "<string>",
"notify_on_finish": "<boolean>",
"schedule": {
"cancellation_time": "<string>",
"cancelled_by": "<string>",
"next_run_time": "<string>",
"previous_run_time": "<string>",
"recurrence": "<string>",
"rrule": "<string>",
"status": "<string>",
"timezone": "<string>"
}
}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successfully added a Live Query run | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not Found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
device_filter |
Contains 3 sub-filters: device_id, os, policy. This field and sub-filters are optional and by default, it will run on all devices. |
All Devices | No |
device_filter.device_id |
A list of device IDs to filter on | All Devices IDs | No |
device_filter.os |
A list of operating systems to filter on Allowed Values: [ WINDOWS, MAC, LINUX] |
All Operating Systems | No |
device_filter.policy_id |
A list of policy IDs to filter on | All Policies | No |
name |
Name for your Live Query Run | SQL statement defined under field sql |
No |
notify_on_finish |
Receive an email notification when query is completed | false | No |
sql |
SQL for the Live Query Run | N/A | Yes |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs
Body
{
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"name": "string",
"notify_on_finish": true,
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string"
}
Response
{
"active_org_devices": 0,
"archive_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"archived_by": "string",
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"cancelled_count": 0,
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"error_count": 0,
"id": "string",
"in_progress_count": 0,
"last_result_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"match_count": 0,
"name": "string",
"no_match_count": 0,
"not_started_count": 0,
"not_supported_count": 0,
"notify_on_finish": true,
"org_key": "string",
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"status": "ACTIVE",
"status_update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"success_count": 0,
"template_id": "string",
"timeout_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"total_results": 0
}
Returns the current details of a Live Query run. Users will be able to observe numerous metadata fields, such as status within the JSON response.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
GET <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful retrieval of Live Query details | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
Field status options:
ACTIVE: currently running.TIMED_OUT: query timed out.COMPLETE: query completed.CANCELLED: user cancelled the Live Query run.Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/erzo7cotkasdfghjk707srcjwnjgfmiv
Response
{
"active_org_devices": 0,
"archive_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"archived_by": "string",
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"cancelled_count": 0,
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"error_count": 0,
"id": "string",
"in_progress_count": 0,
"last_result_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"match_count": 0,
"name": "string",
"no_match_count": 0,
"not_started_count": 0,
"not_supported_count": 0,
"notify_on_finish": true,
"org_key": "string",
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"status": "ACTIVE",
"status_update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"success_count": 0,
"template_id": "string",
"timeout_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"total_results": 0
}
Gets results from a Live Query run. The Live Query results can also be exported as a CSV compressed in a ZIP.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}/results/_search
Body
{
"criteria": {
"device.id": [
"<integer>",
"<integer>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<integer>",
"<integer>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query results | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not Found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
criteria |
A Live Query Criteria. Note that beyond the listed properties in this schema, you can also filter on dynamic fields using this object. A dynamic field would be a column name you’d expect to be returned as part of your Live Query run. For example, if you create a run that targets the users table, a dynamic field on this criteria could be username or any other column outlined in the osQuery schema. |
N/A | No |
criteria.device_id |
List of device IDs to filter on | All Devices | No |
criteria.device_name |
List of device names to filter on | All Devices | No |
query |
A query to perform as part of the results search. Supports Apache Lucene syntax | N/A | No |
rows |
For pagination, how many results to return | N/A | No |
start |
For pagination, where to start retrieving results from | 0 | No |
sort |
field: SQL Response Column order: [ASC or DESC] |
N/A | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/erzo7cotkasdfghjk707srcjwnjgfmiv/results/_search
Body
{
"criteria": {
"device.id": [
0
],
"device.name": [
"string"
],
"device.os": [
"WINDOWS",
"MAC",
"LINUX"
],
"device.policy_id": [
0
],
"device.policy_name": [
"string"
],
"status": [
"not_started"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0
}
Response
{
"num_found": 0,
"org_key": "string",
"results": [
{
"device": {
"id": 0,
"name": "string",
"os": "WINDOWS",
"policy_id": 0,
"policy_name": "string"
},
"device_message": "string",
"fields": {},
"id": "string",
"status": "not_started",
"time_received": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
]
}
Get TauTin Live Query Recommendations.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
GET |
Request
GET <psc-hostname>/livequery/v1/orgs/{org_key}/runs/recommendations
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful retrieval of recommended queries | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/recommendations
Response
{
"num_found": 0,
"org_key": "string",
"results": [
{
"link": "string",
"queries": {
"description": "string",
"interval": 0,
"query": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"results": "string",
"supported_platforms": [
"string"
],
"title": "string"
},
"type": "string"
}
]
}
Stop a running Live Query Run by changing its status to CANCELLED. Note that once a Run has been stopped it cannot be set back to ACTIVE.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
UPDATE |
Request
PUT <psc-hostname>/livequery/orgs/{org_key}/runs/{id}/status
Request Body
{
"status": "<string>"
}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully stopped a Live Query run | N/A | N/A |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Resource does not exist | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| status | Status to apply to the query | CANCELLED | Yes |
Example
Request
PUT https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/nnk1idf2xz3cit8unv3usfwyzmdqj8/status
Body
{
"status": "CANCELLED"
}
Response
{}
Delete a Live Query Run.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
DELETE |
Request
DELETE <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successful deletion of a Live Query run | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/nnk1idf2xz3cit8unv3usfwyzmdqj8
Response
{}
Retrieve facets for Live Query results.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}/results/_facet
Body
{
"criteria": {
"device.id": [
"<integer>",
"<integer>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<integer>",
"<integer>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>",
"terms": {
"fields": [
"<string>",
"<string>"
],
"rows": "<integer>"
}
}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved query run facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| criteria.additionalProperties | Map of criteria filter to get facets for | N/A | No |
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
| terms.fields | Facet terms to retrieve | N/A | Yes |
| terms.rows | Number of rows to retrieve per facet search result | 20 | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/tfbh5zdtbz16banjkygnodidgk5dxmqt/results/_facet
Body
{
"criteria": {
"device.id": [
0
],
"device.name": [
"string"
],
"device.os": [
"WINDOWS",
"MAC",
"LINUX"
],
"device.policy_id": [
0
],
"device.policy_name": [
"string"
],
"status": [
"not_started"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0,
"terms": {
"fields": [
"string"
],
"rows": 0
}
}
Response
{
"terms": [
{
"field": "string",
"values": [
{
"id": "string",
"name": "string",
"total": 0
}
]
}
]
}
Get facets for device summaries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}/results/device_summaries/_facet
Body
{
"criteria": {
"device.id": [
"<long>",
"<long>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<long>",
"<long>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"error_description": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>",
"terms": {
"fields": [
"<string>",
"<string>"
],
"rows": "<integer>"
}
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query device summary facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | No Live Query run found for the specified id | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| criteria.additionalProperties | Map of criteria filter to get facets for | N/A | No |
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
| terms.fields | Device summary fields to filter results on | N/A | Yes |
| terms.rows | Number of rows to retrieve per facet search result | 20 | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/tfbh5zdtbz16banjkygnodidgk5dxmqt/results/device_summaries/_facet
Body
{
"criteria": {
"device.id": [
0
],
"device.name": [
"string"
],
"device.os": [
"WINDOWS",
"MAC",
"LINUX"
],
"device.policy_id": [
0
],
"device.policy_name": [
"string"
],
"error_description": [
"string"
],
"status": [
"not_started"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0,
"terms": {
"fields": [
"string"
],
"rows": 0
}
}
Response
{
"terms": [
{
"field": "string",
"values": [
{
"id": "string",
"name": "string",
"total": 0
}
]
}
]
}
Get device summaries from the results of a Live Query run.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs/{id}/results/device_summaries/_search
Body
{
"criteria": {
"device.id": [
"<long>",
"<long>"
],
"device.name": [
"<string>",
"<string>"
],
"device.os": [
"<string>",
"<string>"
],
"device.policy_id": [
"<long>",
"<long>"
],
"device.policy_name": [
"<string>",
"<string>"
],
"error_description": [
"<string>",
"<string>"
],
"status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query device summaries | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | No Live Query run found for the specified id | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| criteria.additionalProperties | Map of criteria filter to get facets for | N/A | No |
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/tfbh5zdtbz16banjkygnodidgk5dxmqt/results/device_summaries/_facet
Body
{
"criteria": {
"device.id": [
0
],
"device.name": [
"string"
],
"device.os": [
"WINDOWS",
"MAC",
"LINUX"
],
"device.policy_id": [
0
],
"device.policy_name": [
"string"
],
"error_description": [
"string"
],
"status": [
"not_started"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0
}
Response
{
"num_found": 0,
"org_key": "string",
"results": [
{
"device": {
"id": 0,
"name": "string",
"os": "WINDOWS",
"policy_id": 0,
"policy_name": "string"
},
"error_description": "string",
"finish_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"metrics": {
"additionalProp1": 0,
"additionalProp2": 0,
"additionalProp3": 0
},
"start_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"status": "not_started",
"total_results": 0,
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
]
}
Get and search for Live Query runs.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/runs/_search
Body
{
"criteria": {
"recommended_query_id": [
"<string>",
"<string>"
],
"schedule.status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved query runs | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
| rows | For paging, how many runs to return | 20 | No |
| sort.field | Field to sort results on | N/A | No |
| sort.order | Return runs in ascending (ASC) or descending (DESC) order. | ASC | No |
| start | For paging, where to start retrieving runs from | 0 | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/runs/_search
Body
{
"criteria": {
"recommended_query_id": [
"string"
],
"schedule.status": [
"ACTIVE"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "active_org_devices",
"order": "ASC"
}
],
"start": 0
}
Response
{
"num_found": 0,
"org_key": "string",
"results": [
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
]
}
Creating a Live Query Template.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
CREATE |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/templates
Body
{
"sql": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>",
"<long>"
]
},
"name": "<string>",
"notify_on_finish": "<boolean>",
"schedule": {
"cancellation_time": "<string>",
"cancelled_by": "<string>",
"next_run_time": "<string>",
"previous_run_time": "<string>",
"recurrence": "<string>",
"rrule": "<string>",
"status": "<string>",
"timezone": "<string>"
}
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 201 | Successfully created Live Query template | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | No Live Query run found for the specified id | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
device_filter |
Contains 3 sub-filters: device_id, os, policy. This field and sub-filters are optional and by default, it will run on all devices. |
All Devices | No |
device_filter.device_id |
A list of device IDs to filter on | All Devices IDs | No |
device_filter.os |
A list of operating systems to filter on Allowed Values: [ WINDOWS, MAC, LINUX] |
All Operating Systems | No |
device_filter.policy_id |
A list of policy IDs to filter on | All Policies | No |
name |
Name for your Live Query Run | SQL statement defined under field sql |
No |
notify_on_finish |
Receive an email notification when query is completed | false | No |
sql |
SQL for the Live Query Run | N/A | Yes |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates
Body
{
"sql": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"name": "string",
"notify_on_finish": true,
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
}
}
Response
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
Retrieve facets for Live Query Templates.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/templates/_facet
Body
{
"criteria": {
"recommended_query_id": [
"<string>",
"<string>"
],
"schedule.status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>",
"terms": {
"fields": [
"<string>",
"<string>"
],
"rows": "<integer>"
}
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved facet values | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| criteria.additionalProperties | Map of criteria filter to get facets for | N/A | No |
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
| terms.fields | Device summary fields to filter results on | N/A | Yes |
| terms.rows | Number of rows to retrieve per facet search result | 20 | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates/_facet
Body
{
"criteria": {
"recommended_query_id": [
"string"
],
"schedule.status": [
"ACTIVE"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0,
"terms": {
"fields": [
"string"
],
"rows": 0
}
}
Response
{
}
Get and search for Live Query templates.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
POST <psc-hostname>/livequery/v1/orgs/{org_key}/templates/_search
Body
{
"criteria": {
"recommended_query_id": [
"<string>",
"<string>"
],
"schedule.status": [
"<string>",
"<string>"
]
},
"query": "<string>",
"rows": "<integer>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<integer>"
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved Live Query templates, sorted by create_time descending by default | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
| criteria.additionalProperties | Map of criteria filter to get facets for | N/A | No |
| query | Free text search that supports case insensitive value queries. Requires whole word values. | N/A | No |
Example
Request
POST https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates/_search
Body
{
"criteria": {
"recommended_query_id": [
"string"
],
"schedule.status": [
"ACTIVE"
]
},
"query": "string",
"rows": 0,
"sort": [
{
"field": "string",
"order": "ASC"
}
],
"start": 0
}
Response
{
"num_found": 0,
"org_key": "string",
"results": [
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
]
}
Retrieve a Live Query template (i.e. run schedule) by template id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
READ |
Request
GET <psc-hostname>/livequery/v1/orgs/{org_key}/templates/{template_id}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved a Live Query template | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates/erzo7cotkasdfghjk707srcjwnjgfmiv
Response
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
Edit a query template (i.e. run schedule).
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
UPDATE |
Request
PUT <psc-hostname>/livequery/v1/orgs/{org_key}/templates/{template_id}
Body
{
"create_time": "<string>",
"created_by": "<string>",
"device_filter": {
"device_id": [
"<long>",
"<long>"
],
"os": [
"<string>",
"<string>"
],
"policy_id": [
"<long>",
"<long>"
]
},
"id": "<string>",
"last_run_create_time": "<string>",
"name": "<string>",
"next_run_time": "<string>",
"notify_on_finish": "<boolean>",
"recommended_query_id": "<string>",
"schedule": {
"cancellation_time": "<string>",
"cancelled_by": "<string>",
"next_run_time": "<string>",
"previous_run_time": "<string>",
"recurrence": "<string>",
"rrule": "<string>",
"status": "<string>",
"timezone": "<string>"
},
"sql": "<string>",
"update_time": "<string>"
}
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully updated Live Query template | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Request Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
device_filter |
Contains 3 sub-filters: device_id, os, policy. This field and sub-filters are optional and by default, it will run on all devices. |
All Devices | No |
device_filter.device_id |
A list of device IDs to filter on | All Devices IDs | No |
device_filter.os |
A list of operating systems to filter on Allowed Values: [ WINDOWS, MAC, LINUX] |
All Operating Systems | No |
device_filter.policy_id |
A list of policy IDs to filter on | All Policies | No |
name |
Name for your Live Query Run | SQL statement defined under field sql |
No |
notify_on_finish |
Receive an email notification when query is completed | false | No |
sql |
SQL for the Live Query Run | N/A | Yes |
Example
Request
PUT https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates/erzo7cotkasdfghjk707srcjwnjgfmiv
Body
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
Response
{
"create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"created_by": "string",
"device_filter": {
"device_id": [
0
],
"os": [
"WINDOWS"
],
"policy_id": [
0
]
},
"id": "string",
"last_run_create_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"name": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"notify_on_finish": true,
"recommended_query_id": "string",
"schedule": {
"cancellation_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"cancelled_by": "string",
"next_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"previous_run_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
"recurrence": "DAILY",
"rrule": "string",
"status": "ACTIVE",
"timezone": "America/New_York"
},
"sql": "string",
"update_time": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
}
Delete a query schedule by id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
livequery.manage |
DELETE |
Request
DELETE <psc-hostname>/livequery/v1/orgs/{org_key}/templates/{template_id}
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully deleted a query schedule | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/livequery/v1/orgs/ASDF12A/templates/erzo7cotkasdfghjk707srcjwnjgfmiv
Response
{}