Query Results
Queries can be run on the fly as custom queries. They can also be saved as scheduled queries to be run on a regular, predetermined basis with the results sent to an application or a specified data store.
Query Results Page
The Results page provides information about one or more query’s results in your Organization, as shown in the figure below.
Note: Query result rows are kept for 48 hours. You should assign a remote data store if you wish to store query results longer than 48 hours.
The Results page displays a list of all the scheduled queries for your organization, with a toggle to change the view to custom queries. The page provides a high-level summary of the current status, endpoints returned, number of results, the name of the catalog query used, if any, and more. You can also access the details of each query’s results directly from this page. You can also download the results' tables in a json format.
This page consists of the following 15 user interface elements and columns:
| Element | Description |
|---|---|
| Download JSON | Click the Download JSON icon to download the Results page table as a JSON file. |
| Note: The maximum number of query results records that can be downloaded is 10000 records. | |
| Refreshed | The last refreshed date and time are displayed. Click the Refresh button to refresh the page view. |
| Filters | This element displays the filters that are available for use with the query results listed on this page. The available filters act on how the query will be run. The active filters are Scheduled and Non-scheduled. Selecting Scheduled will display only those queries that have execution schedules applied to them. Selecting Non-scheduled will display only those queries that are being run as custom queries. Selecting both filters or clearing both filters will display all of the query results. |
| Hide/Show Filters | This element will either hide or display the Filters pane. |
| Name | Click on the Name link to open the individual Results page, described below. Click the vertical dots to open the action menu. Options include: Link Query, Rename, Copy Link, Copy Query ID, Reuse, Stop. If the query has expired or is an custom query, the Stop option will be unavailable. |
| Status | Current status of the queries. A percentage gauge is added for active queries, showing how much has been completed. |
| Catalog | The specific catalog used by the query. Click the link to view the query information. If the query is a custom query, the word Custom will be displayed in this column. |
| Endpoints | Shows the endpoint count in the query’s results out of the total possible endpoints. |
| Results | The number of records in the results. |
| Errors | The number of errors returned to the query. |
| Result Rows | The number of rows in the query’s results. |
| Frequency | Whether the query was Scheduled or Ad Hoc. |
| Source | Indicates whether the query is a custom query or a stock (catalog) query. |
| Created | Date and time the query was created. |
| Creator | The user who scheduled the query. |
Scheduled Query Run Time Display
While a scheduled query is running, the Status column of the Results page will display a progress indicator, as shown in the figure below.
This indicator shows that the query is still running and is actively returning results. On the right side of this status display is the Time Remaining display, shown in the figure below.
This display shows the time remaining before the query finishes. The format it takes is: dd:hh:mm:ss,
where:
- dd = number of days remaining in the query’s run.
- hh = number of hours remaining in the query’s run.
- mm = number of minutes remaining in the query’s run.
- ss = number of seconds remaining in the query’s run.
Query Result Details
Orbital’s Results Details page, shown in the figure below, provides detailed information on a single query’s results. This page can be accessed by clicking the query’s Name link from the Results page.
This page consists of four main information panes:
- The Result Details Controls pane.
- The General Query Information pane.
- The Results Details Node List pane.
- The Results Node Details pane.
The Query Result Details Controls Pane
The Result Details Controls pane, shown below, is used to control the information displayed on the Results Details page.
It displays the following seven user interface elements:
| Element | Description |
|---|---|
| Results link | This link will return you to the Results page. |
| Query Name | This displays the name of the query that was run. The action menu located at the right end of the query’s name contains the following four commands: |
| * Link Query | |
| * Copy Link | |
| * Copy Query ID | |
| * Reuse | |
| MITRE ATT&CK Indicator | This display identifies which MITRE ATT&CK tactics and techniques the query adheres to. Refer to The MITRE ATT&CK Adherence section in the Investigate topic for more information on MITRE ATT&CK. |
| Note: The MITRE ATT&CK Indicator will only be displayed if the query was a stock query. Refer to the Query Catalog topic for more information on Stock Queries. | |
| Latest results | This dropdown, shown below, is used to filter the displayed results: |
 |
|
| The Latest results dropdown command displays the last result received from each endpoint. | |
The Custom dropdown command is used to define the date range of the results that will be displayed on the Results Details page. The From and To time input fields take on the format YYYY-MM-DD HH:mm:ss, where: |
|
| YYYY represents the year. | |
| MM represents the month. | |
| DD represents the day. | |
| HH represents the hour. | |
| MM represents the minute. | |
| SS represents the second. | |
| Show empty rows | This toggle will allow you to include or exclude rows that have not returned queried information, for whatever reason, to the query results. The default setting for this toggleswitch is off. |
| Refreshed | Click Refreshed to display any new results that were collected from endpoints that were non-responsive during the query’s previous run. Any changes are displayed immediately, assuming the data is still available. |
| Download | Clicking the Download icon will display the File Type Selector, shown in the figure below. Select the file format, either JSON or CSV to download the host information in. |
 |
The General Query Information Pane
The General Query Information pane, shown in the figure below, displays specific information regarding the query whose results are being displayed.
This pane displays the following 14 user interface elements:
| Element | Description |
|---|---|
| Show/Hide Arrow | This arrow will either show or hide the General Query Information pane. If this pane is displayed, clicking the Show/Hide arrow once will hide the pane. If the pane is hidden, clicking the Show/Hide arrow once will display the pane. |
| Name | This field displays the name assigned to the query. |
| Status | This field displays the current status of the query. If the query is in progress, a progress indicator will be displayed, as shown in the figure below. |
 |
|
| If the query has finished execution, the date and time that the query finished executing is displayed. | |
| Catalog | This field displays the name of the query, as it is listed in the Query Catalog. If the query has been created by the user, the value for this field will be Custom. |
| Endpoints | This field displays the number of endpoints that have returned query results. |
| Results | This field displays the total number of times that Orbital has received a response from all of the endpoints targeted by the query over the duration of the query. |
| Result Rows | This field displays the total number of rows of results that have been returned for the query. |
| Frequency | This field displays whether the query is a scheduled or non-scheduled query. |
| Source | This field displays the name of the Cisco service where the query originated, such as Threat Response or Secure Endpoint. |
| Note: If the query originates from Orbital itself, this field will be left blank. | |
| Errors | This field displays the number of query results that are returned containing errors. |
| Created | This field displays the date and time that the query was started. This can be the date and time that the user created and ran a custom query or the date and time that the user started running a stock query. |
| Creator | This field displays the name of the name of the user that created and/or ran the query. |
| Interval | This field will only display a value if the query is a scheduled query. If the query is a scheduled query, this field displays the schedule’s frequency value. This value is discussed in greater detail in the Schedule Orbital Query Popup section of the Schedule Orbital Queries topic. |
| Remote Data Store | This field displays the name of the remote data store that the query has sent the results to. This field will only display a value if the remote data store has been set. |
The Query Results Details Node List Pane
The Results Details Node List pane, shown in the figure below, displays a list of the endpoints that have returned results. This pane is similar to the Results pane on the Query page. Each page will show up to 25 results. If more results are returned, pagination buttons are available at the bottom of the page.
The result details for each endpoint listed is listed in the Results Node Details pane, discussed in The Results Node Details Pane section below. Clicking an endpoint listing will display that endpoint’s results in the Results Node Details pane.
The Query Results Node Details Pane
The Results Node Details pane, shown in the figure below, displays the detailed results that have been returned by the highlighted endpoint.
Depending on the query that was run, the columns displayed in the Results Node Details pane will change. These columns reflect the columns that have been identified as the target columns from the osquery database, located on the endpoint.
More Info
- Orbital Results - A description of Orbital results.
- Orbital Query - A description of Orbital queries.
- Schedule Orbital Query - How to schedule a query.