Posted on July 26, 2022
EDR Live Query exposes an operating system as a high-performance relational database, which enables you to write SQL-based queries that explore operating system data. These queries allow you to gain a better understanding of your environment, analyze security vulnerabilities, and identify anomalies like unencrypted disks or processes running without a binary on disk.
Live Query is based on osquery, which is an open-source project that uses a SQLite interface. The Live Query API allows you to execute queries against the operating system via API call and analyze the results outside of the EDR console.
The Live Query API is available in EDR Server versions 7.7 and above.