Live Query Schema 1.0.0
Introduction
Using Live Query, you can ask questions of endpoints and quickly identify areas for improving security and IT hygiene by using recommended SQL queries created by Carbon Black security experts or by crafting your own. Live Query is powered by https://osquery.io, an open-source project that uses an SQLite interface.
The Live Query forwarder streams the results of the Live Query jobs that you have running in your Carbon Black Cloud (CBC) organization. Live Query jobs can be initiated or scheduled in one of two ways:
- using the CBC console, under the Live Query menu ([documented here](https://techdocs.broadcom.com/bin/gethidpage?ux-context-string=cbc_120&appid=cbc&format=rendered))
- using the Live Query API ([documented here](/reference/carbon-black-cloud/cb-liveops/latest/livequery-api/))
Once such Live Query jobs are running, your Live Query data forwarder instance will stream each targeted device’s query results as they’re submitted from each endpoint.
The following tables list the fields that can be included in a Live Query record for each Live Query type generated by the Carbon Black Cloud.
Fields in the Schema section are included with most Live Query types; exceptions are annotated.
Livequery Type Examples
```json
{
  "run_id": "kmbszesslcuibslbqiyavlkeueavrex7",
  "org_key": "EWRTY2PK",
  "query_name": "TESSST",
  "query": "SELECT CASE\n WHEN EXISTS\n (SELECT DATA\n FROM registry\n WHERE PATH=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse\"\n AND DATA=1) THEN \"Blank Password Auth via Network Not Possible\"\n ELSE \"Blank Password Auth via Network Possible\"\n END \"Limit Blank Password Use\";",
  "device": {
    "id": 26657837,
    "name": "LABLAB-CUBUNGRL",
    "policy_id": 165700,
    "policy_name": "Standard",
    "os": "WINDOWS"
  },
  "status": "matched",
  "time_received": "2025-08-18T11:03:14.746Z",
  "fields": {
    "Limit Blank Password Use": "Blank Password Auth via Network Not Possible"
  }
}
```
Data Types
Find more detail on the data types here.
Schema
Field Name | Definition | Datatype |
---|---|---|
device | Device where the query was executed. | Object |
device_message | Error message from the device if the query failed to run. | String |
fields | The resulting data returned from the device for the specified query. A JSON object with no fixed format; its keys depend on the query. | Object |
org_key | The organization key. | String |
query | The SQL of the osquery query that was run. | String |
query_name | Name of the Live Query run. If omitted, the name defaults to the SQL of the run. | String |
run_id | The ID of the Live Query run. | String |
status | Status of the Live Query run. | String |
time_received | The time the result was received from the device by Carbon Black Cloud. | String |
Last modified on August 27, 2025