Edit or create queries

You can edit a pre-prepared Live Discover query or create your own query.

The query is written in osquery, which uses basic Structured Query Language (SQL) commands. You must be familiar with osquery or SQL to edit the query.

For help with osquery, see osquery schema.

You also need to check the Sophos schemas.

To edit or create a query, do as follows:

  1. In Live Discover, expand Query.
    1. To edit a query, ensure that you have selected it. Then click Edit.
    2. To create a query, look at the list of query categories. Then click Create new query.
    Screenshot of query details dialog
  2. Enter a new name for the query.
  3. Enter a category for the query and a description.
  4. Select a source to query:
    • Data Lake.
    • Live Endpoint. This only gives results for endpoints that are connected.

    If you selected Live Endpoint, select the operating systems to include.

  5. In the SQL box, enter the changes that you want to make to the existing query or enter the new query.

    A query must contain at least 15 characters to run on the selected devices.

    For information about the tables and data available, see osquery schema.

  6. You can add a variable to the query and assign a value to it. You can then use the value, for example in a conditional statement. To do this, do as follows:
    1. Expand the variable editor.
    2. Click + Add variable.
    3. Enter a name for the variable.

      You can include spaces in the name but not dollar symbols.

    4. Specify the variable type and the value that you want to use when the query runs.
    5. In the SQL box, enter the SQL variable name, including the dollar symbols, where you want to use the variable.

    For example, if you enter File path for the variable name, the SQL variable name becomes $$File path$$.

    Enter $$File path$$ in the SQL box where the value is needed. Note that the osquery processes table stores the executable's location in the path column, so the comparison is made against path:

    -- Match running processes whose executable path equals the variable's value
    SELECT * FROM processes
    WHERE path = $$File path$$
  7. Click Save.
    The query is saved to the category that you specified.
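The following is an added example of a complete query that uses two variables as described in steps 5 and 6; it is not from the Sophos documentation. It assumes two variables were created in the variable editor, Path prefix (type String) and Max age seconds (type Integer), so their SQL variable names are $$Path prefix$$ and $$Max age seconds$$. It also assumes that Live Discover substitutes a String variable as a quoted SQL string and an Integer variable as a bare number. The tables and columns (processes, users, hash, time) are standard osquery schema.

```sql
-- Added example, not from the Sophos page. Lists processes running from a
-- directory prefix, with the owning user and binary hash, and flags the ones
-- started within a time window supplied by a second variable.
-- Assumed variables (created in the variable editor):
--   Path prefix      (String)  -> $$Path prefix$$      e.g. /tmp/ or C:\Users\
--   Max age seconds  (Integer) -> $$Max age seconds$$  e.g. 3600
SELECT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  h.sha256,
  datetime(p.start_time, 'unixepoch') AS started,
  -- Conditional statement driven by the Integer variable
  CASE
    WHEN p.start_time >= (SELECT unix_time FROM time) - $$Max age seconds$$
      THEN 'recent'
    ELSE 'older'
  END AS age_flag
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN hash  AS h ON h.path = p.path
-- String variable used as a LIKE prefix; || is SQLite string concatenation
WHERE p.path LIKE $$Path prefix$$ || '%'
ORDER BY p.start_time DESC;
```

Because the hash table computes file hashes on the device itself, this query is written for the Live Endpoint source; when you save it, the variable editor must list both variable names exactly as they appear between the dollar symbols.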