The Query area integration allows you to run queries directly against your registered devices, providing dynamic filtering and reporting across all registered devices.
Define queries
You can centrally define reusable queries for either ALL operating systems or specific queries for Windows, Linux or Mac.
Check which tables are available on each OS in the osquery schema: https://www.osquery.io/schema/5.19.0/
Once you have saved a query, you can run it against the connected devices. Queries are versioned in the same way resources are versioned inside your Workspace: you can either accept the automatically assigned version or specify your own.

Query details
The details view shows the version history and change history of the query and lets you edit or download it.

Example queries
List all local user accounts:
SELECT * FROM users;
Check the processes that have a deleted executable:
SELECT * FROM processes WHERE on_disk = 0;
Get the process name, port, and PID, for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';
Find every macOS LaunchDaemon that launches an executable and keeps it running:
SELECT name, program || program_arguments AS executable
FROM launchd
WHERE (run_at_load = 1 AND keep_alive = 1)
AND (program != '' OR program_arguments != '');
Check for ARP anomalies from the host’s perspective:
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache GROUP BY mac
HAVING COUNT(mac) > 1;
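osquery evaluates these statements with SQLite, so a query can be dry-run against small in-memory fixtures before it is saved as a shared query. The following is an added example, not part of the original page: it rebuilds the three queries above (deleted executables, listeners on all interfaces, ARP anomalies) over constructed sample rows, and extends the ARP query with GROUP_CONCAT so that every address sharing a MAC is listed rather than one arbitrary row per MAC. Table and column names follow the osquery schema; the row values are invented.

```python
import sqlite3

# All rows below are constructed sample data, not output from a real device;
# only the columns needed by the three queries are modelled.
ARP_CACHE = [  # (address, mac)
    ("10.0.0.1", "aa:bb:cc:dd:ee:01"),
    ("10.0.0.2", "aa:bb:cc:dd:ee:02"),
    ("10.0.0.3", "aa:bb:cc:dd:ee:01"),  # second IP claiming the same MAC
]
PROCESSES = [  # (pid, name, on_disk)
    (101, "sshd", 1),
    (202, "nginx", 1),
    (303, "updater", 0),  # executable deleted from disk after it started
]
LISTENING_PORTS = [  # (pid, port, address)
    (101, 22, "0.0.0.0"),
    (202, 443, "127.0.0.1"),
    (202, 80, "0.0.0.0"),
    (303, 8080, "0.0.0.0"),
]

DELETED_EXECUTABLE = "SELECT * FROM processes WHERE on_disk = 0;"
EXPOSED_LISTENERS = """
SELECT DISTINCT processes.name, listening_ports.port, processes.pid
FROM listening_ports JOIN processes USING (pid)
WHERE listening_ports.address = '0.0.0.0';"""
# Extends the page's ARP query: GROUP_CONCAT shows every address sharing one MAC.
ARP_ANOMALIES = """
SELECT mac, COUNT(*) AS address_count, GROUP_CONCAT(address, ',') AS addresses
FROM arp_cache GROUP BY mac HAVING COUNT(*) > 1;"""


def build_fixture():
    # In-memory SQLite database holding the three constructed tables.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE arp_cache (address TEXT, mac TEXT)")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, on_disk INTEGER)")
    con.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT)")
    con.executemany("INSERT INTO arp_cache VALUES (?, ?)", ARP_CACHE)
    con.executemany("INSERT INTO processes VALUES (?, ?, ?)", PROCESSES)
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", LISTENING_PORTS)
    return con


def run_query(sql):
    # Run one query against a fresh fixture and return its rows as tuples.
    with build_fixture() as con:
        return con.execute(sql).fetchall()
```

Call `run_query(ARP_ANOMALIES)` (or either of the other two constants) to see the rows a device would return for that fixture.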