Results

Queries can be run on the fly as live queries. They can also be saved as scheduled queries to be run on a regular, predetermined basis with the results sent to an application or a specified data store.

Results Page

The Results page provides information about the results of one or more queries in your Organization; you can also view information about live queries from within the page, as shown in the figure below.

Results

Note: Query result rows are kept for 48 hours. Assign a remote data store to retain results older than 48 hours.

The Results page displays a list of all the scheduled queries for your organization, with a toggle to change the view to live queries. The page provides a high-level summary of the current status, the endpoints returned, the number of results, the name of the catalog query used (if any), and more. You can also access the details of each query's results directly from this page, and download the results tables in JSON format.

Results Page Fields

Scheduled Query Run Time Display

While a scheduled query is running, the Status column of the Results page will display a progress indicator, as shown in the figure below.

Scheduled Query Progress Indicator

This indicator shows that the query is still running and is actively returning results. To the right of this status display is the Time Remaining display, shown in the figure below.

Scheduled Query Run Time Display

This display shows the time remaining before the query finishes. The format is dd:hh:mm:ss, where:

Viewing Query Result Details

To view the detailed query results, click the query’s Name link, shown in the figure below.

Name Column of Results page

This will display the query’s Results Details page, as shown in the figure below.

Query Results

Query Results Detail Controls

The main area is similar to the live query view. The list of hosts is located in the left column, and the details are listed in the results panel on the right. Each page shows up to 25 host results; if there are more, pagination controls are available at the bottom of the page.

Depending on the type of query, the details will include Pivot Menus. Pivot menus appear in the results next to observable types in catalog queries, or in custom queries when the column name exactly matches an observable type. Click a pivot menu to access icons that copy the value or add it to a new case (in a casebook). The pivot menu contents depend on your Cisco Security product integrations as well as the specific type of data. The menu options may include Investigate in Threat Response, Create Judgement, Search in Secure Endpoint, Submit to Secure Malware Analytics, and more.

Expired Results

IMPORTANT: Remember that results are only retained in Orbital for 48 hours. Once the results have expired past that point, you can't use these fields to select a different time to make the results visible again. This is why the data is sent to a data store, so it remains available past the expiration date.

If you need to see results that have expired, you will need to duplicate the scheduled query with a new name, or recreate the query and save it.
