Generating queries and reports

McAfee ePO comes with its own querying and reporting capabilities.

Included are the Query Builder and Report Builder, which create and run queries and reports that result in user-configured data in user-configured charts and tables. The data for these queries and reports can be obtained from McAfee ePO database.

In addition to the querying and reporting systems, you can use these logs to gather information about activities on your McAfee ePO server and your network:

  • Audit Log
  • Server Task Log
  • Threat Event Log


Queries enable you to poll McAfee ePO data. Information gathered by queries is returned in the form of charts and tables.

A query is used to get an answer right now. Query results are exported to several formats, any of which can be downloaded or sent as an attachment to an email message. Most queries are also used as dashboard monitors, enabling near real-time system monitoring. Queries can be combined into reports, giving a more broad and systematic look at your McAfee ePO software system.

The default dashboards and predefined queries shipped with McAfee ePO can't be changed or deleted. But you can duplicate them, then rename and change them as needed.

  • Query results are actionable — Query results displayed in tables have actions available for selected items. Actions are available at the bottom of the results page.
  • Queries as dashboard monitors — Most queries are used as a dashboard monitor (except those using a table to display the initial results). Dashboard monitors are refreshed automatically on a user-configured interval (five minutes by default).
  • Exported results — Query results are exported to four formats. Exported results are historical data and are not refreshed like other monitors when used as dashboard monitors. Like query results and query-based monitors displayed in the console, you drill down into the HTML exports for more detailed information. Unlike query results in the console, you can't select an action when viewing exported data. You export to these file formats: .csv, .xml, .html, and .pdf.
  • Combining queries in reports — Reports contain any number of queries, images, static text, and other items. They are run on demand or on a regular schedule, and produce PDF output for viewing outside McAfee ePO.
  • Sharing queries between servers — Any query can be imported and exported, allowing you to share queries between servers. In a multi-server environment, you only have to create a query once.
  • Retrieving data from different sources — Queries retrieve data from any registered server, including databases external to McAfee ePO.


Reports package query results into a PDF document, enabling offline analysis.

Generate reports to share information about your network environment, such as threat events and malware activity, with security administrators and other stakeholders.

Reports are configurable documents that display data from one or more queries, drawing data from one or more databases. The most recently run result for every report is stored in the system and is readily available for viewing.

You can restrict access to reports by using groups and permission sets in the same manner you restrict access to queries. Reports and queries can use the same groups, and because reports primarily consist of queries, this allows for consistent access control.