Send OSQuery Queries

The New OSQuery query dialog box contains these fields:

• Notebook name: The data collected from the client infrastructure is presented in a notebook. This field indicates the notebook name.

• Description: Describes the type of data collected with the OSQuery query and other information the analyst might want to add.

• Computers: Indicates the computers from which the data is collected:

  • All computers of the following clients: Use the icon to select the names or IDs of the clients whose computers will receive the OSQuery statement. You cannot specify individual computers.

  • The following computers: Use the icon to select the IDs (MUIDs) of the computers that will will receive the OSQuery statement You can add computers belonging to multiple clients.

• Maximum wait time: OSQuery queries can affect computers that are turned off. As such, it will not be possible to collect the requested information. Cytomic Orion tries to collect the requested information within the period you specify in the Maximum wait time field. After this time, all requests are canceled and the process is considered complete.

• Query: The SQL statement in OSQuery format. For more information about the data schema, see https://osquery.io/schema/4.2.0/ .