OSQuery Statement Results

The results of running an OSQuery statement are presented in a closed-format notebook as shown below:

Notebook with an OSQuery statement results

For more information about how to manage and use notebooks in Cytomic Orion, see Investigations with Notebooks.

  • Notebook information (1): Contains the data provided by the analyst at the time they created the OSQuery statement: statement name, description, duration, scope, and the statement in SQL language.

  • Progress information (2): Contains multiple data series indicating the number of computers that completed the operation successfully:

    • Finished: Number of computers that completed the operation successfully and sent data.

    • Error: Number of computers that returned an error.

    • Pending: Number of computers that still have not returned data.

    • Canceled: Number of computers that did not return data within the time specified in the Maximum wait time field.

  • OSQuery statement results (3): Contains a table that shows the data returned by the OSQuery statement, as well as filter and download tools.

  • Data download controls (4): Download two files with comma-separated data, one file with data reported by computers and another file with query status information.

  • Filter (5): Show data table rows that match the search terms you enter. You can type only a partial string. Searches are performed on all fields in the table.

  • Data table (6): Contains a table that shows the fields requested by the analyst in the OSQuery statement. The maximum number of entries shown is 10,000. When this number is exceeded, a warning message is shown and the analyst is prompted to download the table (4). All result tables show three additional fields:

    • Customer Id: This is the identifier of the client to whom the information belongs.

    • Device Id: This is the identifier used in Cytomic EDR or Cytomic EPDR to designate the computer to which the information belongs.

    • Hostname: Name of the computer to which the information belongs.

Run Statements in the Background and Presentation Mode

For more information about this notebook run mode, see Presentation Mode Persistence.

Because OSQuery queries can take a long time to complete if the Maximum wait time field is set to a long time period and computers are slow to respond, an analyst might close the notebook before the query is complete. However, because OSQuery libraries run in the background, the statement continues to run even if you have closed the notebook. With presentation mode, when you reopen the notebook, it shows the results collected until just before it was closed, not the data collected from the time the notebook was closed until it was reopened. To refresh the information, click Update result table or Update progress in the notebook, or the icon in the toolbar to update the entire notebook content.