Query Exchange

  • 1.  query for other IT tools

    Posted Aug 11, 2021 08:15 AM

    Description: Query for other IT tools

    What The Data Shows: Whether your endpoints have any conflicting security tools installed that may cause interoperability issues.

    SQL: Please see comments section.

    Hello team

    Wondering if anyone has used A&R to query whether their endpoints have any conflicting security tools installed that may cause interoperability issues?

    For example, how would you craft a query to ask your endpoints what machines have vendor A installed (thinking about AVs, for example)? Is this something we can potentially do?


    #Compliance
    #CarbonBlack
    #Windows
    #Mac
    #Linux
    #ITHygiene
    #Other


  • 2.  RE: query for other IT tools

    Posted Aug 11, 2021 02:06 PM

    osquery has a windows_security_products schema you can query to list the installed security products on Windows (those registered with the Windows Security Center).

    Should be as simple as:

    SELECT * FROM windows_security_products;

    https://osquery.io/schema/4.9.0/#windows_security_products

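An added example (not part of the reply above) showing what that table gives you and how to cross-check it against installed software, since the original question is about finding a specific vendor's product. It is osquery SQL as typed into osqueryi or pushed as a live query. Column names follow the documented osquery schema for windows_security_products, programs, apps and deb_packages; the vendor string "Contoso" is a placeholder, not a real product.

```sql
-- Added example, not code from the thread. osquery SQL.
-- 'Contoso' is a placeholder vendor name; substitute the vendor you are hunting for.

-- 1. Everything registered with Windows Security Center, with the state string
--    osquery reports and whether the product's signatures are current.
SELECT type, name, state, state_timestamp, signatures_up_to_date
FROM windows_security_products
ORDER BY type, name;

-- 2. The actual "conflict" check: more than one product of the same type
--    (e.g. two rows of type Antivirus) registered on the same host.
SELECT type,
       COUNT(*)                  AS product_count,
       GROUP_CONCAT(name, ' | ') AS products
FROM windows_security_products
GROUP BY type
HAVING COUNT(*) > 1;

-- 3. Security Center only knows about products that register with it.
--    Cross-check against the Add/Remove Programs view for a named vendor.
SELECT name, version, publisher, install_location
FROM programs
WHERE publisher LIKE '%Contoso%'
   OR name      LIKE '%Contoso%';

-- 4. Same question on macOS: application bundles by bundle identifier.
SELECT name, bundle_identifier, bundle_short_version, path
FROM apps
WHERE bundle_identifier LIKE 'com.contoso.%';

-- 5. And on Debian/Ubuntu hosts (use rpm_packages on RPM-based systems).
SELECT name, version, status
FROM deb_packages
WHERE name LIKE '%contoso%';
```

Query 2 is the one to schedule fleet-wide: a host returning any row from it has two products of the same class registered, which is exactly the interoperability situation the original post is worried about. Queries 3 to 5 catch agents that are installed but never registered with Security Center, or that run on non-Windows endpoints.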


  • 3.  RE: query for other IT tools

    Posted Aug 11, 2021 02:49 PM

    Thanks, that's very helpful.

     

    I also tried to do a simple file search (assuming that we know the exact filename). I am going to put "file#1" and "file#2" for privacy reasons, but this can easily be adapted:

    SELECT * FROM file;
    SELECT * FROM file WHERE filename = "file#1.exe" and "file#2.exe"

    It returned several "error" and "unsupported" messages.

    Do you know if generic files are supported?

     



  • 4.  RE: query for other IT tools

    Posted Aug 11, 2021 03:22 PM

    In my experience, the first query won't work.

    SELECT * FROM file;

    It's too broad. osquery will tell you to be more specific. If you actually ran that query, you would be asking osquery to return the millions of files that are on the system. So you need to be more specific by using at least one other parameter, such as path. For instance:

    SELECT * FROM file WHERE path LIKE "C:\ProgramData\%%" AND filename = "security.exe";

    For the second query, I think the syntax is wrong. You're using the wrong operator: it shouldn't be AND but OR. Otherwise, you're basically asking osquery to return an entry that has two filename properties. And you also can't query the filename directly; you need to use another attribute.

    For instance, this works:

    SELECT * FROM file WHERE path LIKE "C:\Temp\%%" AND (filename = "file1.exe" OR filename = "file2.exe");

    What's important to remember here is to use the path property when you query the file table, and also to use OR if you want to query multiple values for a property.

     
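The reply above describes the two rules of the osquery file table (always constrain path, use OR for several filenames). The following added example, not code from the thread, works those rules through a few more shapes a practitioner ends up needing: one-level versus recursive matching, IN instead of a chain of ORs, several roots at once, and a join to the hash table so a found binary can be checked against the vendor's published hashes. Paths and the names file1.exe / file2.exe are placeholders.

```sql
-- Added example, not code from the thread. osquery SQL.
-- The file table has no index of the disk; it walks only what the path or
-- directory constraint tells it to, so an unconstrained scan is refused.

-- Rejected by osquery (kept commented out on purpose):
-- SELECT * FROM file;

-- One directory level. Single quotes are SQLite's string-literal syntax; the
-- double quotes used in the thread only work because SQLite falls back to
-- treating an unknown "identifier" as a string.  '%' matches one component.
SELECT path, filename, size, mtime
FROM file
WHERE path LIKE 'C:\ProgramData\%'
  AND filename IN ('file1.exe', 'file2.exe');   -- same as (filename = .. OR filename = ..)

-- Recursive: '%%' descends the whole subtree.  Slower, but catches vendors
-- that bury their binaries several levels down.
SELECT path, filename, size
FROM file
WHERE path LIKE 'C:\Program Files\%%'
  AND (filename = 'file1.exe' OR filename = 'file2.exe');

-- Several roots in one query: every OR branch still carries its own path constraint.
SELECT path, filename
FROM file
WHERE (path LIKE 'C:\Program Files\%%' OR path LIKE 'C:\Program Files (x86)\%%')
  AND filename IN ('file1.exe', 'file2.exe');

-- Confirm what was found: join to the hash table on path to get SHA-256, so a
-- renamed or repackaged agent binary can still be matched by hash.
SELECT f.path, f.size, h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.path LIKE 'C:\ProgramData\%%'
  AND f.filename IN ('file1.exe', 'file2.exe');

-- macOS / Linux: when the parent directory is known exactly, the directory
-- column avoids LIKE altogether (placeholders again).
SELECT path, filename, size
FROM file
WHERE directory = '/usr/local/bin'
  AND filename IN ('file1', 'file2');
```

Keep the recursive '%%' form for directories that are already narrow (a vendor's ProgramData folder, not the drive root); a '%%' under C:\ is a full-disk walk on every endpoint the query is pushed to.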



  • 5.  RE: query for other IT tools

    Posted Aug 11, 2021 05:28 PM

    Thanks a lot, that's incredibly helpful. I just tried the query and it returns much better results. Really appreciate your help!



  • 6.  RE: query for other IT tools

    Posted Aug 11, 2021 05:40 PM

    This is very useful, thank you.



  • 7.  RE: query for other IT tools

    Broadcom Employee
    Posted Aug 20, 2021 09:33 PM