Run SQL-based queries on the specified endpoints to support threat investigation and incident response.
Important
|
After creating a workspace and adding endpoints to the workspace in the
Forensics app, you can collect
detailed evidence from potentially compromised endpoints for internal investigations
into critical incidents that occurred on your network and may require further
attention.
Procedure
- In the Trend Vision One console, go to .
- Click the name of the workspace that has the endpoints you want to triage.
Note
This task automatically adds all collected evidence to the workspace. - Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
- Click Run osquery.
Note
You can also run this response task from the context menu in the Trend Vision One Search app.The Run osquery Task window appears. - Configure the task.
- Use the radio buttons either to select an existing SQL query or to input a new query.
-
Choose Select a query: Click Select a query, select an existing query, and click Continue.To add a new query to the selection list, go to osquery on the Response Scripts tab of Response Management. Click Add query to select an operating system, type a new query, and validate the query syntax.
-
Choose Input a query: Type a query and click Validate query.
Tip
Use Companion to generate osquery queries by clicking Generate osquery Query ().
-
- Specify a Description for the response or event.
- Click Create.
- In the Multi-factor authentication (MFA) required window, paste the verification code and click Submit.If authentication succeeds, the task appears in the Response Management Task List.
Tip
For response tasks created from the context menu in the Search app, click the View details in Forensics icon () in the Response Management Task List to go directly to .
- Use the radio buttons either to select an existing SQL query or to input a new query.
- Monitor the task status.
- In the workspace that has the endpoints you are triaging, click
- Select osquery.
- Locate the task using the Task name menu.
- View the task status.
-
In progress (): Trend Vision One sent the command and is waiting for a response.
-
Queued (): The managing server queued the command because the agent was offline.
-
Successful (): The command was successfully executed.
-
Unsuccessful (): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.
-
- If the task is successful, click the icon to open the Download File window, copy and retain the password, and click Download to obtain the task archive file.