Building a Query
Overview
The Query Builder is a querying tool used to search for assets and telemetry events whose attributes meet conditions specified in rules defined by the user. In this article, we will review the steps for building simple and complex queries.
Building a Simple Query
The Query Builder has three to four parameters that can be used to assemble a query, depending on what area of the platform you are in. In this example, we will be using the Query Builder in the Live Inventory page to construct our query.
Click here for an in-depth review of query parameters and attributes across the Sevco platform.
Defining Query Parameters
Source Attributes
This field is only available on Live Inventory pages. Query builders on the Source Inventory and Telemetry pages only allow you to specify attributes in queries and do not support cross-asset search.
The Attribute parameter allows you to select the data attribute(s) you would like to build your query around. Select the Attribute field to begin defining this parameter.
The attributes menu is broken down into several areas:
- At the top of the menu, there are Devices and Users tabs. The tab corresponding to the Live Inventory page you are on is selected by default. These tabs are primarily used for cross-asset searches, which are covered in a later section.
- The left panel contains a list of Sources. If needed, use this section to restrict your rule's condition to assets reported by a specific Source.
- The right panel is where you select the data Attribute(s) you would like to build your query around.
In this example, we'll be selecting Crowdstrike as our Device Source and Last Activity as our Attribute.
Click here for a full list of query attributes.
Condition
The Condition field is used to define the conditions your selected attribute must meet for an asset or telemetry event to appear in your query results.
Because we selected Last Activity as our Attribute, we'll select is after from the list of available Conditions for that attribute. Learn more about attribute conditions here.
Value
Once you've selected an attribute and condition, you will need to define the Value used to determine whether the condition is satisfied. Please note that this field will not display when the Exists or Does not exist Condition is selected, as the value is already implied by the condition itself.
In some instances, you may be asked to select a value from a pre-defined list of values. This is dependent on the attribute you have chosen. In this example, we will be using the Date Picker to define the cutoff date for a device's Last Activity in Crowdstrike.
Running a Query
Now that you have finished constructing your query, select the Apply button to run your query.
Once the query has been applied, you should see a filtered list of assets or telemetry events meeting the conditions of your rule. If you do not, check your query for accuracy and rerun it.
Building Complex Queries
For more complex queries, you will want to take advantage of the Add Rule and Add Group options. In this example, we will start by adding additional rules.
Adding a Rule
The Rule option allows you to add additional search criteria to your query. Once you've added a rule, you can use the and / or conditions to decide whether the new rule must be met in addition to your previous rule, or whether assets meeting either set of conditions may be included in your results.
Referring back to our last example, we are going to use an and condition to add a rule where the Source is Crowdstrike, the Attribute is Agent Version and the Condition is exists. Using and specifies that both rules must be met.
Adding a Group
Groups are not automatically created when the query builder is opened. If you have two or more rules that you'd like to compare against another set of rules, select the Reset button followed by the Add Group button to create a new group.
The Group option allows you to group rules in complex queries. Once you have selected and or or as the Condition between two rules, all subsequent rules in that group must use the same condition.
The and / or conditions function exactly the same for groups as they do for rules: once you have selected a condition between two groups, all groups must use that condition.
Continuing where we left off, we are going to add one group and select the or Condition. This tells the system to generate a list of devices meeting the conditions in either group.
Once the Apply button has been selected, you will notice that the device list is longer. This is because there are additional devices meeting the second group's conditions that didn't meet the first group's.
Cross-asset Search Queries
Cross-asset Search queries allow users to run queries that take correlations between Device and User assets into account. For example, you may wish to run a query that searches across assets to:
- View Devices that have associated Users who are in an Active Directory Group
- Determine what Users have one or more Devices that do not have an Endpoint Protection agent installed
- Identify recently-observed Devices with associated Users that have no recent activity reported
Example Cross-asset Query
In this example, we will be running two queries:
- The first query will ask Sevco to identify any Users associated with a Device (by Device ID) that is not reported by the MalwareBytes Nebula Source.
- The second query will ask Sevco to show all Devices belonging to a given User, so that we can determine which device(s) are missing MalwareBytes Nebula.
Query 1: User Live Inventory
We will start from the User Live Inventory page, as we are searching for Users who meet a certain criteria.
Next, select the Attribute field in the query builder. As stated above, the attribute menu will default to the Users tab. Select the Devices tab; we will be using attributes from Device Sources to determine whether or not Users meet the criteria for our search.
For the first rule in our query, we will select Device ID as our Attribute without specifying a Source. Next, we will set its Condition to exists. This tells Sevco to only show Users associated with at least one Device.
For the second rule in our query, we will return to the Devices tab, select MalwareBytes Nebula as our Source, Source as our Attribute, and does not exist as our Condition.
Once we Apply the query, the user list will only display Users with at least one Device that is not reported by MalwareBytes Nebula.
Query 2: Device Live Inventory
After running your last query, the next logical step could be to reach out to each User and ask them to install MalwareBytes Nebula. But let's say you have a User with multiple Devices who is having trouble figuring out which are missing the installation.
For our second query, let's take a User, Roman Mertz, from our results list and see which Device(s) are missing MalwareBytes Nebula.
Because names and usernames can change, we are going to use the User's Asset ID to perform our search. This can be found on the User Details page for the User.
After obtaining the Asset ID, we are going to head over to the Device Live Inventory page.
To begin, we are going to select the Attribute field followed by the Users tab in the attribute menu.
For our first rule, we will select User ID as our Attribute, equals as our Condition, then paste the Asset ID we copied earlier into the Value field.
For our second rule, we will select MalwareBytes Nebula as our Device Source from the Devices tab, Source as our Attribute, and does not exist as our Condition.
Once we apply the query, the device list will only display Devices belonging to that User that are not reported by MalwareBytes Nebula. Fortunately for Roman, there appears to be only one.
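The rule, group and cross-asset semantics described in this article, modelled in Python as an added illustration. This is not Sevco product code or API: the inventory, the user/device link table and the function names below are constructed for the example. It reproduces the simple Crowdstrike Last Activity query, the two-rule and query, the or between groups, and both cross-asset queries above, so you can see why each result set comes out the way the text describes.

```python
"""Illustrative model of the Query Builder semantics described in this article.

Added example, not Sevco product code or API: the data layout, function
names and sample inventory are constructed for this illustration only.
"""
from datetime import date

# Constructed inventory. Each asset maps a Source name to the attributes
# that Source reports; a Source key is present only if that Source has
# observed the asset.
DEVICES = {
    "dev-1": {"crowdstrike": {"last_activity": date(2024, 5, 20), "agent_version": "7.1"},
              "malwarebytes_nebula": {}},
    "dev-2": {"crowdstrike": {"last_activity": date(2024, 1, 2)}},
    "dev-3": {"crowdstrike": {"last_activity": date(2024, 5, 22)}},
    "dev-4": {"malwarebytes_nebula": {}},
}
USERS = {
    "usr-roman": {"active_directory": {"group": "Finance"}},
    "usr-ana": {"active_directory": {"group": "IT"}},
    "usr-lee": {"active_directory": {"group": "IT"}},
}
# Device <-> User correlations: the links a cross-asset search follows.
USER_DEVICES = {"usr-roman": ["dev-1", "dev-2"], "usr-ana": ["dev-3"], "usr-lee": []}
INVENTORY = {"device": DEVICES, "user": USERS}


def linked(asset_type, asset_id):
    """Return the ids of the correlated assets of the other type."""
    if asset_type == "user":
        return USER_DEVICES.get(asset_id, [])
    return [u for u, devs in USER_DEVICES.items() if asset_id in devs]


def rule_matches(asset_type, asset_id, rule):
    """Evaluate one rule: keys source, attribute, condition, value, tab.

    `tab` is the Devices/Users tab the attribute came from. A rule from the
    other tab is a cross-asset rule and is satisfied if ANY correlated asset
    of that type satisfies it. `source` None means "any Source".
    """
    tab = rule.get("tab", asset_type)
    if tab != asset_type:
        return any(rule_matches(tab, lid, rule) for lid in linked(asset_type, asset_id))
    asset = INVENTORY[asset_type][asset_id]
    source, attr = rule.get("source"), rule["attribute"]
    cond, value = rule["condition"], rule.get("value")
    if attr == "id":            # Asset ID is intrinsic to the asset itself
        values = [asset_id]
    elif attr == "source":      # "Source exists / does not exist": is the asset seen by that Source?
        values = [source] if source in asset else []
    else:                       # Ordinary attribute, scoped to one Source or to all of them
        reports = [asset.get(source, {})] if source else list(asset.values())
        values = [r[attr] for r in reports if attr in r]
    if cond == "exists":
        return bool(values)
    if cond == "does not exist":
        return not values
    if cond == "equals":
        return value in values
    if cond == "is after":
        return any(v > value for v in values)
    raise ValueError(f"unsupported condition: {cond}")


def group_matches(asset_type, asset_id, group):
    """All rules inside a group share one connective (and / or)."""
    combine = all if group["op"] == "and" else any
    return combine(rule_matches(asset_type, asset_id, r) for r in group["rules"])


def run_query(asset_type, groups, op="and"):
    """Groups are combined with a single connective too. Returns matching asset ids."""
    combine = all if op == "and" else any
    return sorted(aid for aid in INVENTORY[asset_type]
                  if combine(group_matches(asset_type, aid, g) for g in groups))


# Simple query: Crowdstrike Last Activity is after a cutoff date.
SIMPLE = {"op": "and", "rules": [
    {"source": "crowdstrike", "attribute": "last_activity", "condition": "is after",
     "value": date(2024, 5, 1)}]}
# Second rule joined with "and": Crowdstrike Agent Version exists.
WITH_AGENT = {"op": "and", "rules": SIMPLE["rules"] + [
    {"source": "crowdstrike", "attribute": "agent_version", "condition": "exists"}]}
# A second group; "or" between groups widens the result set.
SEEN_BY_MB = {"op": "and", "rules": [
    {"source": "malwarebytes_nebula", "attribute": "source", "condition": "exists"}]}
# Cross-asset query 1 (User Live Inventory): Users with a Device that lacks MalwareBytes Nebula.
Q1 = {"op": "and", "rules": [
    {"tab": "device", "attribute": "id", "condition": "exists"},
    {"tab": "device", "source": "malwarebytes_nebula", "attribute": "source",
     "condition": "does not exist"}]}
# Cross-asset query 2 (Device Live Inventory): one User's Devices lacking MalwareBytes Nebula.
Q2 = {"op": "and", "rules": [
    {"tab": "user", "attribute": "id", "condition": "equals", "value": "usr-roman"},
    {"source": "malwarebytes_nebula", "attribute": "source", "condition": "does not exist"}]}

if __name__ == "__main__":
    print(run_query("device", [SIMPLE]))                            # ['dev-1', 'dev-3']
    print(run_query("device", [WITH_AGENT]))                        # ['dev-1']
    print(run_query("device", [WITH_AGENT, SEEN_BY_MB], op="or"))   # ['dev-1', 'dev-4']
    print(run_query("user", [Q1]))                                  # ['usr-ana', 'usr-roman']
    print(run_query("device", [Q2]))                                # ['dev-2']
```

Two modelling choices are worth noting. A "Source does not exist" rule is a presence check on the Source itself, which is why a device never seen by MalwareBytes Nebula matches even though it has no attribute values from that Source. And a cross-asset rule is satisfied when any correlated asset satisfies it, so in the first cross-asset query a User with one protected and one unprotected Device is still returned; the second query is what narrows the answer down to the specific Device.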
___
Query Building Tips
The following are some query-building tips to help improve your workflow:
- For complex queries, list out the conditions for your query ahead of time to avoid having to reset the query builder over a misplaced rule or and / or Condition.
- Disable rules using the disable toggle to troubleshoot queries that are producing unexpected results.
- Save queries that you run regularly to your My Queries list. For queries run by multiple members of your organization, save them to the Org-wide Queries list. Learn more
- Set up email notifications for your saved queries. Learn more
- Promote queries from the My Queries or Org-wide Queries lists to the Query Reports page, so you can track them from the Dashboard without having to rerun them. Learn more
Updated 17 days ago