Run SQL-based queries on the specified endpoints to support threat investigation and incident response. Use this task from Forensics workspaces or the context menus in Workbench, Observed Attack Techniques, and XDR Data Explorer.

After creating a workspace and adding endpoints to the workspace in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.
The following services support this task:
  • Trend Vision One
    • Linux agent
    • macOS agent
    • Windows agent
This task uses osquery 5.7.0. For more information about the SQL syntax used in osquery 5.7.0, see osquery documentation.
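
As an added example (not a query from the Trend Vision One selection list or documentation), the following triage query uses the standard osquery tables listening_ports, processes, and hash to map each non-loopback listening socket to its owning process, parent process, and binary SHA-256. The column selection and the loopback filter are assumptions chosen for illustration.

```sql
-- Added example: which processes accept network connections on this endpoint,
-- what binary backs each one, and is that binary still present on disk?
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.on_disk,                 -- 1 = binary on disk, 0 = missing or deleted, -1 = unknown
  pp.pid   AS parent_pid,
  pp.name  AS parent_name,
  lp.address,
  lp.port,
  lp.protocol,               -- IP protocol number: 6 = TCP, 17 = UDP
  h.sha256
FROM listening_ports AS lp
JOIN processes AS p
  ON p.pid = lp.pid
LEFT JOIN processes AS pp    -- parent may already have exited, so keep the row
  ON pp.pid = p.parent
LEFT JOIN hash AS h          -- hash needs a path constraint; the join supplies it
  ON h.path = p.path
WHERE lp.port != 0           -- skip UNIX domain sockets, which report port 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY p.on_disk ASC, lp.port ASC;
```

Rows with on_disk = 0 or an empty sha256 sort first and are the ones to examine before the rest, since the running binary could not be located or hashed.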

Procedure

  1. In the Trend Vision One console, go to Agentic SIEM & XDR > Forensics.
  2. Click the name of the workspace that has the endpoints you want to triage.
  3. Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
  4. Click Run osquery.
    Note
    You can also perform this response action from the context menu in XDR Data Explorer, Workbench, and Observed Attack Techniques.
  5. Configure the task.
    • Click Select a query, pause on a query to view its details, select a query, and click Continue.
    • To add a new query to the selection list, go to osquery on the Response Scripts tab of Response Management. Click Add query to specify the operating system, type a new query, and validate the query syntax.
    • Click Input a query, type a query, and click Validate query.
      Tip
      Use Companion to generate osquery queries by clicking Generate osquery Query.
    1. Specify a Description for the response or event.
    2. Click Create.
    3. In the Multi-factor authentication (MFA) window, paste the verification code and click Submit.
      MFA is required for every osquery task even if Response Management approval settings allow auto‑approval.
      If authentication succeeds, the task appears in the Response Management Task List.
      Tip
      For response tasks created from the context menu in XDR Data Explorer, click the View details in Forensics icon in the Response Management Task List to go directly to Forensics > Query Results.
  6. Monitor the task status.
    1. In the workspace that has the endpoints you are triaging, click View Query Results.
    2. Select osquery.
    3. Use Task name to locate the task.
    4. View the task status.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Queued: The managing server queued the command because the agent was offline.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.
    5. If the task is successful, click the download icon to copy and retain the password, then click Download to obtain the task archive file.