Views:

Run SQL-based queries on the specified endpoints to support threat investigation and incident response.

Important
Important
  • This task is supported by the following services:
  • Trend Vision One
    • Windows agent
    • Linux agent
  • This task uses osquery 5.7.0. For more information about the SQL syntax used in osquery 5.7.0, see the osquery documentation.
After creating a workspace and add endpoints to the workspace in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.

Procedure

  1. In the Trend Vision One console, go to XDR Threat InvestigationForensics.
  2. Click the name of the workspace that has the endpoints you want to triage.
    Note
    Note
    This task automatically adds all collected evidence to the workspace.
  3. Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
  4. Click Run osquery.
  5. Select the operating system of your endpoints.
  6. Configure the task.
    1. Specify a task name.
    2. In the Query field, specify your SQL query.
    3. Validate your query by clicking Validate Query.
    4. Specify a Description for the response or event.
    5. Click Create.
  7. Monitor the task status.
    1. In the workspace that has the endpoints you are triaging, click View Query Results
    2. Select osquery.
    3. Locate the task using the Task name menu.
    4. View the task status.
      • In progress (in-progress.jpg): Trend Vision One sent the command and is waiting for a response.
      • Queued (queued.jpg): The managing server queued the command because the agent was offline.
      • Successful (successful_001.jpg): The command was successfully executed.
      • Unsuccessful (error.jpg): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.