Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi guys,
Maybe I missing something but "*carbon_black_info"* not work at all (return empty table), Anyone know about it?

<@U018E1SMPHP> or <@U017LLL13UP> do you mind taking a look at this?

I checked the code a bit and its look like osquery go the wrong registry path
```// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config"; 
...
queryKey("HKEY_LOCAL_MACHINE\\" + kCbRegLoc, results);```

I have client here and this path doesn't exists

I can take a peak in a little bit as well.
W/out having looked at the code yet, I'm suspicious that it's only looking for the reg path of 1 of our products. We have 3, that would each have their own hive, and likely slightly different paths depending on version as well.

CB EDR (Formerly CB Response)
CB App Control (Formerly CB Protect)
CB Cloud NGAV (Formerly CB Defense)

<@U018CU81VC1>
Yeah, just confirmed that
```// Carbon Black registry path
const std::string kCbRegLoc = "SOFTWARE\\CarbonBlack\\config"; ```
Is the correct location for the Carbon Black EDR product.
• Formerly Carbon Black Response
• Formerly the original "Carbon Black" company pre-mergers/pre-acquisitions. 
So it appears the *carbon_black_info* table is specific to the Carbon Black *EDR* Product.
So likely could do with some naming/description updates in order to avoid confusion.

I'm guessing your client has either CB Cloud or CB App Control products, and *not* the CB EDR Product?

To be honest, having a CB specific table feels weird. I dunno that expanding it makes more sense than removing it

Instead of losing the functionality maybe `windows_security_products` could be `security_products` and expanded