Live Search

Overview

With Live Search you can retrieve information about events and system statistics directly from online endpoints using OSquery, an operating system instrumentation framework that exposes the operating system as a set of tables you can query with SQL (the SQLite dialect).

Note

For more information on OSquery, check the official documentation following the links below:

Activating Live Search on your endpoints

For the feature to be available on a specific endpoint, the policy applied to it needs to have the module activated. To activate Live Search for a specific policy follow these steps:

  1. Go to the Policies page and select the policy you want to edit.

  2. Go to the Live Search section.

  3. Select the Live Search option to enable the feature for all endpoints the policy is applied to.

Using Live Search

After enrolling in the early access program you can access the feature by going to Incidents > Search and selecting the Live tab.

The page contains the following elements:

  1. Queries panel, comprised of:

    • Search option - you can use this to search by title.

    • Recent - displays the last 25 queries that were performed.

    • Saved - a list of all the queries that have been saved for this user.

    • Predefined - a list of queries that are available by default for all customers.

  2. Company filter - perform a query on endpoints from a specific company.

  3. Query text - write your query.

  4. Query results - the results of the performed query.

  5. Metadata Details - provides additional details on the level of success of the query run. This section will always be displayed at the bottom, even if no results are present.

Create a new query

You can create a new query by using one of the methods below:

  • By typing in the query instructions

    When first displaying the Live tab after logging in to GravityZone, a blank query will be displayed by default.

    1. Type in the query instructions.

    2. Select the Save button on the upper right side of the screen.

    3. Type in a name for the new query.

    4. Select Save.

      The query is now displayed under Saved queries.

  • By editing an already existing query

    1. Select the query you want to modify.

    2. Change the instructions assigned to the query.

    3. Select the Save as button on the upper right side of the screen.

    4. Type in a name for the new query.

    5. Select Save.

    The query is now displayed under Saved queries.
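The query text you type in step 1 is plain OSquery SQL. The following is an added example, not a predefined query shipped with GravityZone: it joins the standard OSquery `listening_ports`, `processes` and `users` tables to list every process holding a non-loopback TCP listener together with its owning user and whether its executable is still on disk. Table and column names are OSquery's own; which tables exist, and whether `on_disk` is populated, depends on the endpoint platform (it is typically -1 on Windows).

```sql
-- Added example (not from the GravityZone page): an OSquery query that can be
-- pasted as-is into the Live Search query text.
--
-- Every process that holds a listening TCP socket bound to a non-loopback
-- address, with the owning user. protocol 6 = TCP, 17 = UDP.
SELECT
  lp.pid,
  lp.port,
  lp.address,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  p.on_disk              -- 0 = executable deleted after launch (Linux/macOS)
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.protocol = 6
  AND lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- A second, narrower hunt for the same tab: processes whose binary is no
-- longer present on disk. Only meaningful on Linux/macOS, where on_disk is
-- 0 or 1; filter on the platform first if the policy also covers Windows.
SELECT pid, name, path, cmdline, uid, start_time
FROM processes
WHERE on_disk = 0;
```

Save each statement as its own query: Live Search runs one query text per run, so keep one SELECT per saved entry rather than several statements in one text.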

Run a query

To run a query follow the steps below:

  1. Locate and click the query you want to run on the left side of the screen, under Saved queries.

  2. Select Run query.

    Depending on the complexity of the query and the size of your network, it may take a few minutes to return all of the results. For the duration of the data gathering, the message In progress and a timer are displayed, and the Run query button is disabled until all data is gathered.

    Note

    Each endpoint has a maximum of 2 minutes to return its results. Endpoints that have not answered by then are marked as timed out and no further results are gathered from them. If all endpoints respond with valid data before the time-out, the query completes sooner. The Run Query button and the Metadata section are not available while the query is running.

    The results returned depend on your query.

    Only the first results are automatically displayed. The grid will automatically check for new results every 5 seconds until the query run completes. To manually refresh the results, you can use the Refresh button. When refreshing the results grid, the Metadata will also refresh.

    The query results are available for 35 minutes. Once the time has passed, the results are deleted. A timer is available just below the query instructions, which changes colors during the last 10 minutes of the countdown.

Note

You can use the download button on the upper right side of the screen to download the query results as a .CSV file.

Reading Metadata Details

This section is collapsed by default, and contains the following data:

  • Status - the status of the query:

    • In progress - query is currently running.

    • Finalized - the query has been completed and valid results have been returned.

    • N/A - no query has been run, or the results have expired.

  • Respondents - the number of endpoints that have responded to the query.

  • Total endpoints - the number of endpoints that have been queried.

When expanded, the following information is displayed:

  • Name - the endpoint name.

  • Query execution time - the time the query ran on this endpoint (milliseconds).

  • Available rows - the total number of rows returned by the query for this endpoint.

  • Sent rows - the number of rows that have been included in the results.

  • Status - the status of the query for this specific endpoint. Possible values:

    • Success - the endpoint returned a response and no error.

    • Error - the endpoint returned an error.

    • Time out - the endpoint did not respond and timed out.

  • Error message - the error message returned by the endpoint when queried.

Edit a query

To edit a query follow the steps below:

  1. Select the query you want to modify.

  2. Change the instructions assigned to the query.

  3. Select the Save button on the upper right side of the screen.

    Note

    Predefined queries cannot be modified. Use the Save as button to create a new query.

  4. Click Save.

The modifications to the query have been saved.

Delete a query

To delete a query follow the steps below:

  1. Locate the query on the left side of the screen, under Saved queries.

  2. Click the vertical ellipsis button for the query you want to remove.

  3. Select Delete.

Rename a query

To rename a query follow the steps below:

  1. Locate the query on the left side of the screen, under Saved queries.

  2. Click the vertical ellipsis button for the query you want to rename.

  3. Select Rename.

  4. Type in the new name for the query.

  5. Click the OK button.

Query results limitations

The following limitations apply to all query results:

  • Queries return a maximum of 100 000 rows per run.

  • Queries return a maximum of 1000 rows for each endpoint per run.

  • Unused capacity is not redistributed: an endpoint that returns fewer than 1000 rows does not raise the cap for endpoints that have more, and an endpoint's rows beyond 1000 are dropped (visible as Available rows greater than Sent rows in Metadata Details).
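Because an endpoint's rows beyond the cap are discarded rather than paged, the query itself should decide what is kept. The following is an added example, not part of the GravityZone documentation: three ways of writing an OSquery query against the standard `processes` table so that the per-endpoint result stays under 1000 rows without losing the rows you care about.

```sql
-- Added example (not from the GravityZone page): keeping a Live Search
-- query inside the 1000 rows per endpoint limit.

-- 1. Size the result set first. One row per endpoint, so it can never be
--    truncated; compare total_rows against the 1000-row cap before running
--    the row-level query.
SELECT COUNT(*) AS total_rows,
       COUNT(DISTINCT name) AS distinct_names
FROM processes;

-- 2. Aggregate instead of listing. A per-parent child count is a handful of
--    rows per endpoint yet still surfaces a process that spawned an unusual
--    number of children.
SELECT parent, COUNT(*) AS child_count
FROM processes
GROUP BY parent
HAVING COUNT(*) > 50
ORDER BY child_count DESC;

-- 3. When individual rows are required, filter out the bulk, order
--    deterministically, and apply LIMIT yourself so the cut-off is chosen by
--    the query rather than by the platform. The LIKE patterns cover Linux
--    and Windows system paths; add macOS paths as needed.
SELECT pid, name, path, cmdline, start_time
FROM processes
WHERE path NOT LIKE '/usr/%'
  AND path NOT LIKE 'C:\Windows\%'
ORDER BY start_time DESC
LIMIT 1000;
```

After a run, check Available rows against Sent rows per endpoint in Metadata Details: if they differ, the endpoint hit the cap and the query needs a tighter WHERE clause or an aggregation. The global 100 000-row limit works the same way across the whole run, so the number of endpoints in the Company filter multiplied by the expected per-endpoint rows should also stay below it.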

Eligibility

The program is available to any cloud company that is licensed for GravityZone Business Security Enterprise or the GravityZone à la carte EDR Cloud.

Submitting feedback

You can submit feedback by sending an email to xdr-eap@bitdefender.com.