As a more advanced SQL user, you can use the open-text SQL Builder to write more granular queries. You can also run recommended queries directly or after modifying them for your environment.

Prerequisites

Refer to these resources for writing a valid SQL query:

Procedure

  1. Navigate to the Live Query > New Query page and define a query under the SQL Query tab.
  2. Select a policy that contains endpoints, or a specific endpoint, for the query to run against.
    If you select a policy with no endpoints, a warning displays.
  3. Enter a SQL string into the SQL configuration field.
    You can copy the SQL from a Recommended Query or the Query Exchange, or write it based on the Osquery schema.
  4. Execute your live query in one of the following ways.
    • To start a one-time query, click Run.
    • To schedule a query to run daily, weekly, or monthly, select Schedule query.