MDM Query (OSQuery)

Overview

MDM Query provides a powerful interface for running OSQuery commands across your device fleet. Get detailed system information, troubleshoot issues, and gather compliance evidence.

What is OSQuery?

OSQuery exposes the operating system as a relational database:

Query system state with SQL-like syntax
Cross-platform support (Windows, macOS, Linux)
Real-time and historical data
Low performance impact

Query Interface

Running Queries

Navigate to Devices → MDM Query
Select target devices:
- Single device
- Device group
- All devices
Enter or select query
Click Run Query
View results

Query Syntax

Queries use SQL-like syntax:

SELECT * FROM users WHERE uid > 500;

SELECT name, version FROM programs
WHERE name LIKE '%chrome%';

SELECT pid, name, cmdline FROM processes
WHERE on_disk = 0;

Common Queries

System Information

OS Version:

SELECT * FROM os_version;

Hardware Info:

SELECT * FROM system_info;

Uptime:

SELECT * FROM uptime;

Security

Running Processes:

SELECT pid, name, path, cmdline
FROM processes;

Listening Ports:

SELECT pid, port, protocol, address
FROM listening_ports;

Installed Certificates:

SELECT * FROM certificates;

Firewall Status:

SELECT * FROM alf; -- macOS
SELECT * FROM windows_firewall_rules; -- Windows

Software

Installed Programs:

SELECT name, version, install_date
FROM programs; -- Windows

SELECT name, bundle_version
FROM apps; -- macOS

Browser Extensions:

SELECT * FROM chrome_extensions;
SELECT * FROM firefox_addons;

Users

Local Users:

SELECT * FROM users;

Logged In Users:

SELECT * FROM logged_in_users;

Last Login:

SELECT * FROM last;

Query Library

Saved Queries

Save frequently used queries:

Write or run query
Click Save Query
Enter name and description
Assign to category
Save

Pre-built Queries

Bastion includes pre-built queries for:

Category	Examples
Security	Open ports, suspicious processes
Compliance	Encryption status, AV installed
Inventory	Hardware, software, users
Troubleshooting	Disk space, memory, network

Query Scheduling

Scheduled Queries

Run queries automatically:

Create or select query
Click Schedule
Configure:
- Frequency (hourly, daily, weekly)
- Target devices
- Data retention
Enable schedule

Use Cases

Daily inventory collection
Hourly security checks
Weekly compliance verification
Change detection

Live Queries

Real-Time Execution

For immediate results:

Select devices
Run query
Results stream in real-time
View per-device results

Timeout Handling

Scenario	Behavior
Device online	Returns results
Device offline	Marked as unavailable
Query timeout	Partial results + timeout indicator

Query Results

Viewing Results

Results displayed in table format:

Sort by any column
Filter results
Export to CSV/Excel
Compare across devices

Result Actions

Action	Description
Export	Download as CSV
Save	Store results historically
Compare	Compare to previous results
Alert	Create alert based on results

Device-Specific Queries

Single Device

Query one device for troubleshooting:

Go to Devices → Device List
Select device
Click Query
Run query against that device

Query History

View past queries for a device:

Previous queries run
Results returned
Timestamp
Query source (manual, scheduled)

Security Considerations

Query Permissions

Permission	Access
Read	View results only
Execute	Run pre-built queries
Custom	Write custom queries
Admin	All query capabilities

Query Auditing

All queries are logged:

User who ran query
Query content
Target devices
Timestamp
Results (optional)

Best Practices

Start with Pre-built

Use pre-built queries as starting points. They're tested and optimized.

Test on Single Device

Test new queries on one device before running fleet-wide.

Mind Performance

Complex queries on many devices can impact performance. Use appropriate filters.

Schedule Wisely

Don't over-schedule. Running queries too frequently wastes resources.

OSQuery Reference

Useful Tables

Table	Description	Platform
`processes`	Running processes	All
`users`	User accounts	All
`listening_ports`	Open network ports	All
`programs`	Installed software	Windows
`apps`	Installed applications	macOS
`deb_packages`	Installed packages	Debian/Ubuntu

Documentation

For complete OSQuery documentation:

Next Steps

Web Browsing

Configure browser security

Security Checks

Create device policies

Overview​

What is OSQuery?​

Query Interface​

Running Queries​

Query Syntax​

Common Queries​

System Information​

Security​

Software​

Users​

Query Library​

Saved Queries​

Pre-built Queries​

Query Scheduling​

Scheduled Queries​

Use Cases​

Live Queries​

Real-Time Execution​

Timeout Handling​

Query Results​

Viewing Results​

Result Actions​

Device-Specific Queries​

Single Device​

Query History​

Security Considerations​

Query Permissions​

Query Auditing​

Best Practices​

OSQuery Reference​

Useful Tables​

Documentation​

Next Steps​