Live Query
The Live Query interface provides a terminal-style environment for executing real-time queries against endpoints. It combines pre-built query templates for common investigations with a custom command input for power users.
Query Templates
| Template | Query Type | Description |
|---|---|---|
| Process List | process_list | All running processes with details |
| Open Ports | open_ports | Active network connections and listening ports |
| Scheduled Tasks | scheduled_tasks | Cron jobs, systemd timers, scheduled tasks |
| Recent Files (24h) | recent_files | Files modified in the last 24 hours |
| DNS Cache | dns_cache | Cached DNS entries |
| Environment Vars | env_vars | Process environment variables |
| Loaded Modules | loaded_modules | Loaded kernel modules / DLLs |
| User Accounts | user_accounts | Local user accounts |
| Running Services | running_services | Active system services |
| Network Interfaces | network_interfaces | Network interface configuration |
Usage
Template-Based Query
- Navigate to the Live Query tab on an endpoint detail page
- Click a template button (e.g., "Process List")
- Results appear as structured JSON in the terminal output
Custom Query
- Type a command in the input field
- Press Enter or click the Execute button
- Results appear in the terminal output
Command History
- Press ↑ to cycle through previous commands
- Press ↓ to cycle forward
- Commands are persisted for the session
Comparison
| Feature | CrowdStrike RTR | Defender KQL | AuroraSOC |
|---|---|---|---|
| Query language required | Yes (RTR commands) | Yes (KQL) | No (templates) |
| Custom commands | Yes | Yes | Yes |
| Visual results | Text only | Tables | Structured JSON |
| History | Yes | Yes | Yes |
| Air-gapped | ❌ | ❌ | ✅ |
API
`POST /api/v1/edr/investigation/{sensor_id}/query`

```json
{
  "query_type": "process_list",
  "custom_command": null,
  "timeout_seconds": 30
}
```
Returns a LiveQueryResponse with JSON results.
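An added client-side example (not part of AuroraSOC's own code) that builds the request body above and submits it. It validates `query_type` against the template table, requires exactly one of `query_type` or `custom_command`, and bounds `timeout_seconds`; the timeout range, the bearer-token header, `base_url`, and sending `query_type: null` for a custom command are assumptions, since the page shows only the template form.

```python
import json
import urllib.request

# query_type values from this page's template table.
TEMPLATE_QUERY_TYPES = {
    "process_list", "open_ports", "scheduled_tasks", "recent_files",
    "dns_cache", "env_vars", "loaded_modules", "user_accounts",
    "running_services", "network_interfaces",
}

# Assumed bounds (not stated on the page); the page's example uses 30 s.
MIN_TIMEOUT, MAX_TIMEOUT = 1, 300


def build_live_query(query_type=None, custom_command=None, timeout_seconds=30):
    """Return the JSON body for POST /api/v1/edr/investigation/{sensor_id}/query.

    Exactly one of query_type (a template) or custom_command is accepted, so a
    mistyped template name or an empty command is rejected before it reaches
    the sensor. For a custom command, query_type is sent as null (assumption).
    """
    if (query_type is None) == (custom_command is None):
        raise ValueError("give exactly one of query_type or custom_command")
    if query_type is not None and query_type not in TEMPLATE_QUERY_TYPES:
        raise ValueError(f"unknown template query_type: {query_type!r}")
    if custom_command is not None and not custom_command.strip():
        raise ValueError("custom_command must not be empty")
    timeout = int(timeout_seconds)
    if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        raise ValueError(f"timeout_seconds must be {MIN_TIMEOUT}..{MAX_TIMEOUT}")
    return {
        "query_type": query_type,
        "custom_command": custom_command,
        "timeout_seconds": timeout,
    }


def run_live_query(base_url, token, sensor_id, body):
    """POST the body and return the decoded LiveQueryResponse JSON.

    base_url and the bearer-token Authorization header are assumed
    deployment details, not documented on this page.
    """
    url = f"{base_url}/api/v1/edr/investigation/{sensor_id}/query"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    # Give the HTTP layer a little longer than the sensor-side timeout.
    with urllib.request.urlopen(req, timeout=body["timeout_seconds"] + 5) as resp:
        return json.load(resp)
```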