Access OSQuery
To retrieve information about the IT infrastructure, you must send SQL statements to the platform from one of these areas of the console:
- From the Indicators sub-panel of an investigation:
  - In the top menu, select Investigations. In the list, select an investigation.
  - Select one or more indicators. In the toolbar, select OSQuery query. You can also click the context menu icon for an indicator and select OSQuery query.
  - The New OSQuery query dialog box opens. The Computers field is automatically populated with the MUIDs of the relevant computers.
- From the tab bar of an investigation:
  - In the top menu, select Investigations. In the list, select an investigation.
  - In the tab bar, click the icon. Select OSQuery query.
- From the Files sub-panel of an investigation:
  - In the top menu, select Investigations. In the list, select an investigation.
  - In the Files sub-panel, click the icon. Select OSQuery query.

Regardless of the option you select, the New OSQuery query dialog box opens. See Send OSQuery Queries.
You can also access the OSQuery feature through the Cytomic Orion integration API. For more information about the OSQuery-specific methods and how to use the API, see OSQuery Access API.