About the Advanced SQL Query Tool
Applies To: WatchGuard Advanced EPDR
The Advanced SQL Query tool enables you to find specific events for a selected computer or any other computer on your network. You can use the Advanced SQL Query tool to review the telemetry recorded in the previous seven days.
To use the Advanced SQL Query tool, you must know how to use structured query language (SQL) and understand the database schema used by Endpoint Security.
To open the Advanced SQL Query tool, from the Endpoint Security management UI:
- To open computer details, select Computers, then select a computer.
- On the Investigation tab, click .
- Select Advanced SQL Query.
The Advanced SQL Query tool opens.
The Advanced SQL Query tool is divided into these sections:
- Queries — Enables you to view and select tables and the data model.
- Advanced SQL Query — Enables you to create queries.
- Results — Shows the results of the queries.
Queries Section
The Queries section of the tool shows the data model used to organize information collected from the monitoring of processes.
You can use the tables and fields shown in this section to create queries. Click a field to copy it to the Advanced SQL Query section in the position indicated by the cursor.
Advanced SQL Query Section
The Advanced SQL Query section includes an editor that enables you to create and run advanced SQL queries.
To run advanced SQL queries:
- In the query editor, specify the SQL query that you want to run.
- To run the query, click .
For information on SQL syntax, go to Advanced Query SQL Syntax.
Results Section
The Results section shows the results of your SQL query in table format.
In the Results section, you can perform these actions:
View Event Details
In the Results section, you can view the telemetry for a computer in the results table.
To view event details for any item in the list:
- Click , then select Investigate Computer.
The Investigate Computer dialog box opens.
- Select the check box of the identifier you want to use to identify the computer, then enter the required value in the text box:
- MUID
- MD5
- MUID + MD5
- Computer Name
- Click OK.
A new page opens with event details for the specified computer.
Set Row Groups
In the Results section, to help analyze details, you can create groups of items based on values in a selected column.
To create groups:
- Drag a column to the Drag Here to Set Row Groups bar. For example, you could drag the Date column.
Groups are created for the selected column.
- (Optional) To create groups for other columns within the existing groups, drag additional columns to the Drag Here to Set Row Groups bar. For example, drag the Action column next to the Date column.
Sub-groups are created within the existing groups.
Search and Filter Results
In the Results section, you can search for a specific parameter in the Results table. You can also filter the results based on the data in a specific column.
To search for a specific parameter:
- Enter text in the Search box. Search matches the text in all information returned by the SQL query.
To filter the Results table:
- Click Filters.
Filter options appear.
- Expand the option you want to use to filter the table.
- Select and clear check boxes for the data you want to show or hide in the Results table. By default, all check boxes are selected.
The Results table refreshes and filtered results appear in the list.
For information about the types of events, go to Fields in the Events Received by Cytomic Orion (external link).