Using Queries

You can create and run queries across identified devices to gather system information.

How to run an Organization Query from the Catalog

  1. Go to the Investigate page.

    Any values or parameters you enter on the Investigate page are retained if you move to another page or tab and then return. However, if you click Clear, none of that information is saved.

  2. Define the devices that the query will be run against.

    • Enter the ID for one or more of your organization's devices in the Devices field.

    or

    1. Click the Add random devices icon. The Add random devices dialog opens.

      The default value for the Devices field is 10. You can change it by entering a new number in the Number field or by using the arrows.

    2. Select the desired operating system(s).

    3. Click Add. The selected devices are added to the Devices field.

  3. Define your query by selecting an existing query from the Orbital Catalog.

    1. Click Browse catalog. The Catalog popup window opens.

    2. Type the name of the needed query in the Search field.

    3. Click the desired query to view its detailed information.

    4. When you have found the query you wish to run, click Use query.

    5. Add any required parameters in the Parameters field if the query requires you to specify them.

  4. Click Run query to run it and view the results.

You can copy the SQL by clicking the Copy to clipboard icon or selecting Use query.

Some catalog queries will require additional parameters once they have been added. These queries will display one or more Parameters fields describing the required information.

The SQL statements of queries added from the Catalog are hidden by default. To display the SQL, click the arrow on the catalog query name.

Other useful cataloged queries to start with include:

  • Inventory System Information

  • Process Mutex Search

  • SHA-256 Hash of Running Processes

  • Logged In Users

How to Download a Query

Use Download to download the results of the active ad hoc query. The retrieved records can be formatted as either a CSV or a JSON file.

To download the active query results:

  1. Click Download.

  2. Select the file type, either JSON or CSV.

  3. Click Download ready. This will download the ad hoc query results in a ZIP file.

How to save a Query to the Catalog

  1. Go to the Query page.

  2. Click the Custom SQL field and enter your SQL statement. As you type your SQL statement, the Save query button is displayed.

    • If you need to enter a multi-statement query, click Add. This will clear the Custom SQL field and place the previous SQL statement at the bottom of the page.

  3. Click Save query.

  4. Type the query name and its description.

  5. Select the operating system(s) that the query will be run against using the OS checkboxes. If none of the checkboxes are selected, no operating system is selected for the query.

  6. Click Save. Your custom query is listed at the bottom of the page.
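The kind of custom SQL this procedure saves to the catalog, shown as an added example (it is not a query from this page or from Orbital's own catalog). It assumes Orbital executes osquery SQL against the selected devices; the processes, hash and logged_in_users tables and their columns are osquery's, not names taken from this page.

```sql
-- Added example of a multi-statement custom query (assumes osquery SQL;
-- the tables and columns below are osquery's, not from this page).

-- Statement 1: SHA-256 of the on-disk executable behind every running process.
-- Joining processes to hash hashes only the matched paths, so a suspicious
-- hash can be pivoted to a pid and path without hashing the whole filesystem.
-- LEFT JOIN keeps processes whose executable has been deleted from disk:
-- they come back with a NULL sha256, which is itself worth reviewing.
SELECT p.pid,
       p.name,
       p.path,
       p.cmdline,
       h.sha256
FROM processes AS p
LEFT JOIN hash AS h ON h.path = p.path
WHERE p.path != ''
ORDER BY h.sha256 IS NULL DESC, p.name;

-- Statement 2 (entered with Add as the second statement of the query):
-- active login sessions, so the process listing can be tied to a user.
SELECT type, user, tty, host, time
FROM logged_in_users;
```

Enter each statement in the Custom SQL field, clicking Add between them, and save the pair under one name so both run together against the chosen devices.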

You can configure Custom Query settings on the My Account page.
