View the Results of an Agent Query

The Agent Query page displays all saved and applied queries and enables you to review results for applied queries. By expanding the row for the query, you can view additional information about matches including when and on which Windows endpoint the match was found, the file or registry key that matched the search parameter, and metadata details for the file. Use the results you receive after you run an agent query to identify and take additional action, if needed, to secure the endpoint.
  1. From the Policies > Forensics > Agent Query page, select the row for the applied query. The row expands to display additional information about the query and includes any matches for the query in the Agent Query, Found matches section.
    For each applied query, the ESM Console displays the number of endpoints that received the query (Applied On), the number of endpoints that successfully executed the search (Succeeded), and the number of endpoints that failed to run the query or did not receive the query (Failed).
  2. (Optional) To view detailed information about the match, click Details.
    The ESM Console displays up to 50 records of matches.
  3. (Optional) To view the full text, hover over the cell of the Result or Metadata field.
  4. (Optional) To save the results to a comma-separated (CSV) file that you can parse, click the action menu at the top of the page and select Export Logs.
  5. (Optional) There are additional tasks you can perform after reviewing the results of the query:
    • Remediate any issues with malicious files on the endpoint.
    • Duplicate the query, make any changes as required, and Apply it to run it again.
    • Delete the query and results from the ESM Console.
