Device Query
Run a query from the Query Library
Device360 provides 45 pre-canned queries to collect attributes that may not be available during authentication (e.g., running processes, installed third-party software, Chrome extensions, etc.). These attributes can help you identify misconfigurations or potential vulnerabilities in your fleet, enabling you to manage policies and assess impacts. Additionally, they can help you keep track of your fleet inventory. You can also use these queries as a basis for creating a new query.
1. Click Inventory > Device Query > Query Library tab.
2. Click a query card from the list. To use this query as-is, continue to Step 4. To create a new query based on this query, follow the steps below.
   a. Modify the query name, description, and tags.
   b. Edit the SQL query.
   c. Click on Save as new query. You'll be returned to the Query Library with the newly saved query as the first card on the page.
   d. Click the newly created card.
   e. Continue to Step 3.
3. (Optional) Select how frequently to run the query under the Run once now dropdown.
4. Click on Run Now in the top right.
The results page shows the following:

| Option | Description |
| --- | --- |
| Previous Runs | By default, the latest run displays on this page. You can select a previous date and time in the left pane to view previous runs of the same query as you begin threat hunting. As you resolve misconfigurations and mitigate risks, you can compare runs to track progress from where you started to where you are now. For example, your initial run of a query could return 15 devices with 100 rows of data. Later runs of the same query should return fewer devices and rows of data as you resolve issues for those devices. |
| Successes | This tab displays a list of devices that provided an update for the query. If a device doesn't have a name provided, it displays as "Not Available" in this table. To add a device name, see "Renaming a device". |
| Failures | This tab displays a list of devices that didn't respond because they were offline or there was a query error. |
| All results | This tab displays a row for each result returned for a device. For example, if you run a query that looks for executable files stored in temp directories, a single device could have hundreds of executable files in temp directories, so one device could have 100+ rows. |
Example: Use a query from the Query Library as-is
Example: Create a query based on an existing one
Create a new query
Use this feature to create a query from scratch. If you want to modify an existing query and save it, see Run a query from the Query Library above.
1. Click Inventory > Device Query > Create Query.
2. Enter a query name, description, and select applicable tags.
3. Type the query.
4. Click on Save as new query.
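As an added example (not one of Device360's pre-canned queries and not taken from this page), here is the kind of query the "executable files stored in temp directories" example above describes. It assumes the editor accepts osquery-style SQL and exposes osquery's `file` and `hash` tables, which this page does not state, so confirm the schema your tenant exposes; the temp paths and Windows extension list are also assumptions you should adjust to your fleet.

```sql
-- Added example, not Device360's own query. Assumes osquery-style SQL with
-- the `file` and `hash` tables available (an assumption; verify in your tenant).
-- Lists regular files under common temp directories that are executable,
-- either by POSIX execute bit or (on Windows) by extension, with a SHA-256
-- so that suspicious rows can be triaged across runs.
SELECT
  f.path,
  f.size,
  f.mode,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  h.sha256
FROM file AS f
-- The hash join is optional; drop it if hashing every file is too slow.
LEFT JOIN hash AS h USING (path)
WHERE f.type = 'regular'
  AND (
       -- `%%` is osquery's recursive wildcard, `%` matches one path component.
       f.path LIKE '/tmp/%%'
    OR f.path LIKE '/var/tmp/%%'
    OR f.path LIKE 'C:\Windows\Temp\%%'
    OR f.path LIKE 'C:\Users\%\AppData\Local\Temp\%%'
  )
  AND (
       -- POSIX: `mode` is an octal string such as '0755'; check the execute
       -- bit (odd digit) for owner, group and other.
       substr(f.mode, -3, 1) IN ('1', '3', '5', '7')
    OR substr(f.mode, -2, 1) IN ('1', '3', '5', '7')
    OR substr(f.mode, -1, 1) IN ('1', '3', '5', '7')
       -- Windows: executable by extension (assumed list, extend as needed).
    OR lower(f.path) LIKE '%.exe'
    OR lower(f.path) LIKE '%.dll'
    OR lower(f.path) LIKE '%.ps1'
  )
ORDER BY f.mtime DESC;
```

Each matching file becomes one row in the All results tab, so one device can contribute many rows; comparing the device and row counts across Previous Runs shows whether clean-up is reducing the exposure.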
Edit a custom query
After creating a new query, you can make updates to it.
1. Click Inventory > Device Query > Query Library.
2. Click the card of the custom query you want to edit.
3. Modify the query or details, then click on Library Options > Save changes to the existing query.
Delete a query
1. Click Inventory > Device Query > Query Library.
2. Click the card of the custom query you want to delete.
   Note: You can only delete queries you've saved as a new query.
3. Click on Library Options > Delete query from library.
4. When prompted, confirm the deletion.
View query results
After running a query, you can view results and begin threat hunting and improve your device posture and security.
1. Click **Inventory > Device Query**. The Queries tab displays a list of all queries that are running, have run, or are scheduled to run.
   Note that until a query runs for the first time, this page will be blank.
2. You can view the following information in the Query table:

| Option | Description |
| --- | --- |
| Query Name | Displays the name of the query. |
| Run Status | Displays the status of a query. Note: At this time, a total of 5 queries can run in parallel and/or be scheduled to run per tenant. If needed, locate a scheduled query and select Cancel all future runs under the Actions column, or cancel a running query. |
| Device Target | Displays the type of devices targeted in the query. |
| Device Response | Displays the number of devices that met the conditions in the query. |
| Device Data Rows | Displays the number of rows containing details for each result returned from this query. For example, if you run a query that looks for executable files stored in temp directories, a single device could have hundreds of executable files in temp directories, so a single device could have 100+ result rows. |
| Run Schedule | Displays how often the query is scheduled to run. |
| Actions | Provides a set of actions available based on the status of a query (listed below). |

   Actions available in the Actions column:
   - Re-run query: Applies to queries with a status of Run Complete or Cancelled.
   - Cancel run: Applies to queries with a status of Now running.
   - Cancel this run: Applies to a scheduled query that is currently running.
   - Cancel all future runs: Applies to queries that are scheduled to run.
   - Cancel this and all future runs: Applies to a scheduled query that is currently running.
3. Click a query name in the table to view results and begin threat hunting. The results page has the same Previous Runs, Successes, Failures, and All results tabs described under Run a query from the Query Library above.