Pivot queries
Pivot queries let you quickly run new queries based on Live Discover results.
A pivot query lets you select a significant piece of data in your query results and use it as the basis for a new query.
You can see where pivot queries are available by looking for the ellipsis icon next to cells in your query results table.
Here's an example:
- You run a query to find the Sophos PID and reputation of all running processes. Sophos PID is a unique process ID. In the results, you see a suspicious process.
- To see where else that process is running, you look for identifying data you can base a new query on.
- In the SHA-256 column, you see the ellipsis icon and click it.
- In the pivot menu, the available pivot queries are listed. You click Process activity for a SHA-256 (Data Lake). When you pivot, you can move from a Data Lake query to an endpoint query or the other way around.
- A new query is created that shows all running processes that share that SHA-256.
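As an added illustration (not taken from the Sophos documentation), this is roughly what the SHA-256 pivot in the example above amounts to in osquery SQL, the language Live Discover endpoint queries are written in. It uses only standard osquery tables; the Sophos PID and reputation columns and the Data Lake schema are not reproduced, and the hash value is a placeholder for the one copied from the results cell.

```sql
-- Added example, not Sophos's own query text. Standard osquery tables only.

-- Step 1: the starting query. List running processes together with the
-- SHA-256 of the executable on disk, by joining processes to the hash
-- table on the executable path (the hash table needs a path constraint).
SELECT
    p.pid,
    p.name,
    p.path,
    h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- Step 2: the pivot. The value from the SHA-256 cell of the suspicious row
-- becomes the filter of a new query that returns every running process with
-- the same hash, whatever name or path it runs under.
-- '<sha256-from-results>' is a placeholder for the value taken in step 1.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.parent
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 = '<sha256-from-results>';
```

Running the second query across a group of endpoints is what the Data Lake variant does in one step, since the Data Lake already holds the process data for the whole estate.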