Run Osquery


Osquery allows you to run live queries against an alert’s host to learn more about your infrastructure and operating systems. For example, with Osquery, you can search a host for indicators of compromise related to the alert, such as suspicious processes, network connections, or files. You can then use this data to inform your investigation and alert triage efforts.

Complete the following steps to access Osquery and run searches against your hosts:

  1. Do one of the following from the Alerts table:

    • Click the View details button to open the Alert details flyout, then click Take action → Run Osquery.
    • Select the More actions menu (…), then select Run Osquery.
  2. Select one or more Elastic Agents or groups to query. Start typing in the search field to get suggestions for Elastic Agents by name, ID, platform, and policy.

    The host associated with the alert is automatically selected. You can specify additional hosts to query.

  3. Enter a new query or select a saved query.

  4. (Optional) Expand the Advanced section to view or set mapped ECS fields included in the results from the live query.
  5. Click Submit.

    To save the query for future use, click Save for later and define the ID, description, and other details.

  6. Review the results in the table. You can also:

    • Navigate to Discover to dive deeper into the response.
    • Use the drag-and-drop Lens editor to create visualizations.
    • Click the Timeline button to investigate a single query result in Timeline, or click Add to timeline investigation to investigate all results.

    An action_ID is generated each time you run an Osquery query. When you choose to open all results in Timeline, the action_ID field and value pair is passed to the Timeline’s KQL filter, so the Timeline shows only the results of that query run.

  7. To view more information about the request, such as failures, open the Status tab in the results table.

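As an added example of the kind of query you might enter in step 3 (this is not from the original page or from Elastic’s saved queries), the following osquery SQL looks for a common indicator of compromise: a running process that holds an outbound network connection but whose executable has been removed from disk, a pattern typical of droppers that delete themselves after launch. It uses only the core osquery tables `processes`, `process_open_sockets`, and `users`; the ECS field names in the comments are suggested mappings you would set in the Advanced section in step 4, not mappings the page itself defines.

```sql
-- Added example query (not part of the Elastic documentation).
-- Find processes with a live remote connection whose binary is no longer on disk.
-- Suggested ECS mappings for the Advanced section (assumptions, adjust to taste):
--   p.pid            -> process.pid
--   p.name           -> process.name
--   p.path           -> process.executable
--   p.cmdline        -> process.command_line
--   p.parent         -> process.parent.pid
--   u.username       -> user.name
--   s.remote_address -> destination.ip
--   s.remote_port    -> destination.port
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent,
  p.on_disk,            -- 0 means the executable was deleted after the process started
  u.username,
  s.local_port,
  s.remote_address,
  s.remote_port,
  s.state               -- e.g. ESTABLISHED
FROM processes p
JOIN process_open_sockets s ON s.pid = p.pid
LEFT JOIN users u ON u.uid = p.uid
WHERE s.remote_port != 0
  -- ignore unbound, loopback and wildcard addresses
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1')
  -- the interesting part: the process is running but its file is gone
  AND (p.on_disk = 0 OR p.path = '')
ORDER BY p.start_time DESC;
```

Run it against the alert’s host first, then widen the Elastic Agent selection in step 2 to the rest of the policy or group to see whether the same indicator appears elsewhere; because every run gets its own action_ID, each run can be opened in Timeline on its own without results from other runs mixing in.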