You can view the status and results of queries in the Query Results page. The results are available when devices start to respond.

The wait time for results depends on the query type and complexity, if devices are online, and the last time each sensor checked in. Results are available for 30 days.

Queries run for up to 7 days, unless scheduled to run more frequently. They are grouped by One-Time and Scheduled queries.

One-time queries display their start-time, name, devices responded, the user executing the query, and the status. You can click the icon next to the query name and view more details.

Scheduled queries display the last run time/date, query name, policy/endpoints, frequency, and run time. You can click the arrow to the left of the query name and view scheduled queries that are still running or complete. Each query displays the query start-time, devices responded, and status.

Note:

The following procedure relates to one-time queries only.

Procedure

  1. Navigate to Live Query > Query Results page.
  2. Locate a one-time query and click its hyperlinked name.
    The Results and Devices views appear.

    The query progress status displays in the upper-right:

    • Total Devices: This represents the aggregate number of devices targeted when the query was run. If specific policies or endpoints were targeted, the total number of devices is based on that list. If targeting all endpoints, the total number of devices is derived from the number of devices that have checked in during the previous 7 days.
    • Responded: These devices have run the query and returned results back to the cloud by successfully matching the query (one or more results returned), not matching the query (zero results returned), or returning with an error.
    • In Progress: These devices have received the query and are in the process of running it and uploading results.
    • Not Started: These devices have not yet received the query. This can include devices that are offline or that have not checked in since the query was started.
    Note: A query is completed when all devices have responded or if seven days have elapsed.
  3. In the Results view, filter the results for that query and optionally, export them.
    1. Use the filter options on the left to locate vital responses and devices associated with the query.
      The Response and Device filters are always present. Other filters are generated based on your query.
    2. Optionally, click Export.
      An exported CSV file downloads as a zipped file on your computer. It contains all of the filtered query data. CSV preparation time varies based on the number of results.
  4. In the Devices view, use the Status filter on the left to locate the state of your query on each device.
    The Status, Device, and Time columns on the right are always present. Other columns are generated based on your query.
  5. Optionally, click the Live Response symbol >_ located to the right of a device's name.
    You can remotely access a user's device and directly remediate threats through Live Response
    Note: If the icon is grayed out, the device is not connected to the network and cannot be accessed by Live Response.