Pivot queries

Pivot queries let you quickly run new queries based on Live Discover results.

A pivot query lets you select a significant piece of data in your query results and use it as the basis for a new query.

You can see where pivot queries are available by looking for the ellipsis icon next to cells in your query results table.

Here's an example:

  1. You run a query to find the Sophos PID and reputation of all running processes.

    Sophos PID is a unique process ID.

    In the results, you see a suspicious process.
  2. To see where else that process is running, you look for identifying data you can base a new query on.
  3. In the SHA-256 column, you see the ellipsis icon and click it.
  4. In the pivot menu, the available pivot queries are listed. You click Process activity for a SHA-256 (Data Lake).

    When you pivot, you can move from a Data Lake query to an endpoint query or the other way around.

    Screenshot of pivot query options

A new query is created that will show all running processes that share that SHA-256.
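The following is an added example, not part of the Sophos documentation, showing what the two halves of a pivot look like when written out as queries. It assumes that Live Discover endpoint queries are osquery SQL and uses the standard osquery tables `processes` and `hash`; the Data Lake tables behind the Process activity for a SHA-256 pivot are not reproduced here, and the SHA-256 value is a placeholder for the one you copy from your own results.

```sql
-- Added example (not from the Sophos documentation): the two queries behind a pivot,
-- written as osquery SQL. Assumes the standard osquery tables `processes` and `hash`.

-- Query 1: running processes together with the SHA-256 of their on-disk image.
-- This is the results table in which you would spot the suspicious row.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- Query 2 (the pivot): the SHA-256 taken from the suspicious row becomes the filter
-- of a new query, so every process running the same image is listed, whatever its
-- name or path. Replace the placeholder with the value from your results.
SELECT
    p.pid,
    p.parent,
    p.name,
    p.path,
    p.cmdline,
    h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 = '<SHA256_FROM_RESULTS>';
```

Filtering on the hash rather than on the process name or path is the point of this pivot: a renamed or relocated copy of the same binary still matches, while an unrelated process that happens to share the name does not.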