Queries and Reports
ePO ships with its own querying and reporting capabilities, which are highly customizable, flexible, and easy to use.
The data for queries and reports come from any registered internal or external database in your ePO system. The most recently run result, for every report, is stored in the system and readily available for viewing.
The Queries and Reports page gives you access to ePO’s robust reporting features. Use it to create, edit, and run queries and reports. You can access the Queries & Reports page from the Reporting category on the main menu page or from the Queries & Reports icon on the Navigation bar as shown below.
ePO provides an easy, four-step wizard, called the Query Builder, that you use to create and edit custom queries. The wizard lets you configure which data is retrieved and displayed, and how it is displayed. ePO also provides a Report Builder, which is used to create and edit your report, including name, contents, and layout or structure.
Groups and permission sets control access to queries and reports. All queries and reports must belong to a group: access to that query or report is controlled by the permission level of the group.
In addition to queries and reports, you can use these logs to gather information about activities that occur on your ePO server and throughout your network:
Audit log
Server Task log
Threat Event log
Exploit Prevention Events
Use query and report permissions to assign specific levels of query functionality to permission sets, which are assigned to individual users.
Available permissions include:
No permissions
Use public queries and the shared groups
Use public groups, and the shared groups; create and edit private queries/reports
Edit public groups and the shared groups; create and edit private queries/reports; make private queries/reports public
To run some queries, you also need permissions to the feature sets associated with their result types. Also, in a query’s results pages, the available actions to take on the resulting items depend on the feature sets a user has permission to.
Queries are configurable objects that retrieve and display data from the database.
Displayed in charts/tables
Actionable
Exportable to four formats:
CSV: Use with spreadsheets
XML: Transform data
HTML: View as a web page
PDF: Obtain printable results
Can use as dashboard monitors
Can run manually or on schedule
Can share between servers using import/export
The figure below highlights the basic controls used to create and manage queries.
You can use almost any query (except those using a table to display the initial results) as a dashboard monitor. For example, you can use a chart-based query as a dashboard that refreshes at a user-configured frequency. Use your most useful queries on a live dashboard.
Queries can be private or public.
Private queries exist in the user’s Private Group list and are only available to the creator.
Public queries exist in the Shared Groups list and are available to everyone who has permissions to use public queries.
Administrators and users with appropriate permissions can make their private queries public. Use query permissions to assign specific levels of query functionality to permission sets, which are assigned to individual users.
After you have made all of your query selections, click the Run button to view the results. At this point, your query has not been saved.
If you are satisfied with the results, then click the Save button and name your new query.
If you have the appropriate permissions, you can make this query public at this time by saving it to the Public Group (Shared Groups).
After you create the reports and display the output, you can fine-tune your report without starting from the beginning again. To do this, click Edit. Clicking Edit allows you to go back and adjust your report and run it again in seconds.
When you have made all changes to your report, click Save on the Unsaved Query page, then click Save again on the Save Query page to save it permanently. Now, this query is included with your dashboards, and you can run it any time.
ePO provides over 50 pre-defined queries. All are read-only. As product extensions are added to ePO, the default available queries increase. To view available queries, click the Queries tab on the Queries & Reports page.
Clicking the results of any query opens additional details of the data. This drill-down data has available actions, based on the type of query that was run. For example, you can deploy agents to the systems listed in a table of results. To view available actions for a query, select the Actions button from the column view.
ePO includes preconfigured queries you can use to report on and manage your network, including these types of information:
Managed products deployed throughout your network. Example: the Trellix Agent or Trellix Endpoint Security.
User actions on your ePO server. Example: how many failed login attempts have occurred on your server in the last 30 days.
Policy assignment. Example: which policies are assigned to each system in your network.
The preconfigured queries available to you depend on which managed products you have installed. They use a variety of chart types to display query results and can be modified to suit your needs.
Create a duplicate of a preconfigured query before modifying it, so you can retain the original functionality of each query.
There are three pre-defined query groups in ePO, which contain all queries:
Private Groups
Shared Groups
Trellix Groups
The queries in these groups are further organized into subgroups. All preconfigured queries appear in the Trellix Groups category on the Queries page. By default, queries in the Shared Groups category are accessible to any user with the appropriate permissions. Users without the appropriate permissions can see the query, but are not able to run the query. Queries in Private Groups are available only to the user who creates them (the query owner).
Example: If a user has full permissions to use queries but has no permissions for Endpoint Security, the user cannot run any ENS queries.
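The access rules described above, written out as a small model for reviewing permission sets. This is an added example, not Trellix code and not how ePO is implemented. The class names, function names, group labels and sample users and queries are all hypothetical, and the model covers only Private and Shared groups as this page describes them.

```python
from dataclasses import dataclass
from enum import IntEnum

class QueryLevel(IntEnum):
    # The four query permission levels listed on this page, lowest to highest.
    NONE = 0
    USE_PUBLIC = 1
    USE_PUBLIC_EDIT_PRIVATE = 2
    EDIT_PUBLIC_MAKE_PUBLIC = 3

@dataclass(frozen=True)
class User:
    name: str
    level: QueryLevel
    feature_sets: frozenset = frozenset()   # product feature sets the user may access

@dataclass(frozen=True)
class Query:
    name: str
    group: str                               # "private" or "shared" (assumed labels)
    owner: str = ""
    result_feature_sets: frozenset = frozenset()

def can_see(user, query):
    if query.group == "private":
        return query.owner == user.name      # private queries: creator only
    return True                              # shared queries stay visible even when not runnable

def can_run(user, query):
    if not can_see(user, query):
        return False
    if query.group == "shared" and user.level < QueryLevel.USE_PUBLIC:
        return False
    # Second, independent check: feature sets tied to the query's result types.
    return query.result_feature_sets <= user.feature_sets

def can_make_public(user, query):
    return (query.group == "private" and query.owner == user.name
            and user.level >= QueryLevel.EDIT_PUBLIC_MAKE_PUBLIC)

def visible_but_blocked(users, queries):
    """List (user, query) pairs a user can see but not run."""
    return [(u.name, q.name) for u in users for q in queries
            if can_see(u, q) and not can_run(u, q)]

# Constructed sample data, not taken from a real server.
alice = User("alice", QueryLevel.EDIT_PUBLIC_MAKE_PUBLIC)   # full query rights, no ENS rights
bob = User("bob", QueryLevel.USE_PUBLIC, frozenset({"Endpoint Security"}))
carol = User("carol", QueryLevel.NONE)
ens_q = Query("ENS threats (constructed)", "shared",
              result_feature_sets=frozenset({"Endpoint Security"}))
logon_q = Query("Failed logons (constructed)", "shared")
draft_q = Query("alice draft (constructed)", "private", owner="alice")
```

Running `visible_but_blocked` over an inventory of permission sets and queries shows where a query permission level was granted without the matching feature-set permission.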
All preconfigured queries are included in the Shared Groups category. Preconfigured queries that appear in the Shared Groups category by default are organized into subgroups by functionality and managed product dependencies.
A server task is used to run a query regularly. Queries can have sub-actions that allow you to perform various tasks, such as emailing the query results or working with tags. The sub-action configuration is dependent upon the Sub-Action selected from the pull-down. The page updates automatically when a new Sub-Action is chosen.
Automatically act based upon the results of a query
Select from the Sub-Actions menu when creating a Run Query Server Task