Quick guide
XOAP Queries are SQL-based queries that run directly on managed devices to collect inventory and operational data. When the XOAP Connector is installed, it also deploys osquery, and XOAP Queries use this osquery engine to execute SQL statements on the endpoint and return the results to XOAP.
Create a new Query
- In Inventory → Queries, click + Add Query.
- Enter a Query name.
- Select the target OS.
- (Optional) Add Tags and a Description.
- In Command, paste the SQL query to be executed on the device.
- Click Add to create the query.
Edit a Query
- Open the query details (for example, via the Details option/icon).
- Click Edit.
- Update the query metadata (name, OS, tags, description) and/or the Command.
- Save your changes.
Delete a Query
- In the Queries list, select the query (or multiple queries).
- Delete it using the Delete option/icon.
- Confirm the deletion.
Additional useful information
OS compatibility
Not all queries work on every operating system. As a best practice, indicate OS scope in the query name (e.g., WIN_, LINUX_, MAC_, or ALL_) so it’s clear whether a query is OS-specific or universal.
Keep queries efficient
Prefer targeted filters and limit result size where possible. Heavy queries (large tables, many joins, or broad scans) can increase endpoint load and slow down data collection.
Technical documentation
Queries in XOAP are SQL statements executed on endpoints to retrieve inventory and security-relevant information (software, users, processes, services, browser extensions, local groups, etc.). XOAP uses these queries to collect structured data from devices and present it centrally in the Inventory module.
osquery is an open-source endpoint agent that exposes operating system data through a SQL interface. Internally, it maps OS information to virtual “tables” (for example processes, users, services, programs, chrome_extensions) that you can query using standard SQL syntax. The result is a consistent, queryable inventory layer across supported platforms.
When the XOAP Connector is installed on a device, osquery is deployed as part of the installation. XOAP then triggers the configured SQL query on the endpoint via the Connector and collects the results back into XOAP for reporting and analysis.
High-level flow:
- You define a Query (SQL + target OS metadata) in XOAP.
- XOAP triggers execution on selected endpoints through the XOAP Connector.
- osquery runs the SQL locally and returns rows (results).
- XOAP ingests and displays the returned data in Inventory.
Here are a few simple osquery SQL examples you can use as templates:
Basic system info
SELECT hostname, cpu_type, cpu_subtype, physical_memory
FROM system_info;
List local users
SELECT username, uid, description
FROM users
ORDER BY username;
Installed software (Windows-focused)
SELECT name, version, install_location, publisher
FROM programs
ORDER BY name;
The schema of the osquery tables is available at https://osquery.io/schema/5.21.0/
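Targeted query example
The "Keep queries efficient" guidance applied to a security inventory question (which processes accept TCP connections from other hosts). This is an added example, not a query from the XOAP documentation. The query name in the first comment is a hypothetical one that follows the OS-prefix convention described above.

```sql
-- Hypothetical query name: ALL_listening_tcp_non_loopback
--
-- Broad form to avoid: every column of every socket/process pair,
-- unfiltered and unbounded.
--   SELECT * FROM listening_ports JOIN processes USING (pid);
--
-- Targeted form: only the columns needed for the inventory view,
-- only TCP listeners that are not bound to loopback, and a hard
-- cap on the number of rows returned to XOAP.
SELECT
  lp.port,
  lp.address,
  p.pid,
  p.name,
  p.path
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.protocol = 6                          -- 6 = TCP (17 would be UDP)
  AND lp.port > 0                              -- skip rows without a bound port, such as UNIX domain sockets
  AND lp.address NOT IN ('127.0.0.1', '::1')   -- ignore loopback-only listeners
ORDER BY lp.port
LIMIT 200;
```

Paste the statement into the Command field of a new Query. The LIMIT value is an arbitrary cap chosen for the example and should be sized to the endpoints being inventoried.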