Examine Osquery results


[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, the results are indexed and displayed in the Results table, which you can filter, sort, and interact with.

Results table

The Results table displays results from single queries and query packs.

Single query results

Results for single queries appear on the Results tab. When you run a query, the number of agents queried and the query status are displayed temporarily in a status bar above the results table. Each agent's response is one of Successful, Not yet responded (pending), or Failed.

Query pack results

Results for each query in the pack appear on the Results tab. Click the expand icon at the far right of a query row to display that query's results. The number of agents that were queried and their responses are shown for each query, color-coded by status: green is Successful, gray is Not yet responded (pending), and red is Failed.

Investigate query results

From the results table, you can:

  • Click View in Discover to explore the results in Discover.
  • Click View in Lens to open Lens, where you can use the drag-and-drop Lens editor to create visualizations.
  • Click the Timeline icon to investigate a single query result in Timeline, or click Add to timeline investigation to investigate all results. This option is only available for single query results.

    When you open all results in Timeline, the events in Timeline are filtered on the `action_id` generated for the Osquery query, so only rows produced by that live query are shown.

  • Click Add to Case to add the query results to a new or existing case. If you ran a live query from an alert, the alert and the query results are added to the case as comments.
  • Click the view details icon to examine the query ID and query statement.
  • View more information about the request, such as failures, by opening the Status tab.
  • View more information about the request, such as failures, by opening the Status tab.
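The status bar and the Timeline filter described above both key on the same two pieces of an indexed result: the `action_id` of the live query and the identity of the agent that produced the row. The following Python is an added example, not Kibana's or Elastic's own code, that reproduces the Successful / Not yet responded (pending) / Failed roll-up over a handful of constructed result documents and shows how filtering on a single `action_id` separates one live query's rows from another's. The document shape used here (`action_id`, `agent.id`, an optional `error` string) is an assumption for illustration, not a statement of the real index mapping.

```python
from collections import Counter

# Constructed sample documents standing in for indexed osquery results.
# Field names (action_id, agent.id, error) are assumptions for illustration.
SAMPLE_RESULTS = [
    {"action_id": "a1", "agent": {"id": "agent-1"}, "osquery": {"pid": "1"}},
    {"action_id": "a1", "agent": {"id": "agent-1"}, "osquery": {"pid": "2"}},
    {"action_id": "a1", "agent": {"id": "agent-2"}, "error": "no such table: nope"},
    # A row from a different live query; it must not leak into action a1's view.
    {"action_id": "zz", "agent": {"id": "agent-1"}, "osquery": {"pid": "9"}},
]

# Agents the live query was sent to; agent-3 has not answered yet.
QUERIED_AGENTS = {"agent-1", "agent-2", "agent-3"}


def filter_by_action(docs, action_id):
    """Keep only the documents produced by one live query (the Timeline filter)."""
    return [d for d in docs if d.get("action_id") == action_id]


def agent_status(docs, action_id, queried_agents):
    """Roll one query's results up to a per-agent status.

    successful: at least one result row and no error response
    failed:     an error response (an error wins over any rows)
    pending:    the agent was queried but nothing has been indexed yet
    """
    status = {}
    for d in filter_by_action(docs, action_id):
        agent = d["agent"]["id"]
        if d.get("error"):
            status[agent] = "failed"
        else:
            status.setdefault(agent, "successful")
    for agent in queried_agents:
        status.setdefault(agent, "pending")
    return status


def status_counts(status):
    """Counts per status, i.e. the numbers shown in the status bar."""
    return dict(Counter(status.values()))


if __name__ == "__main__":
    s = agent_status(SAMPLE_RESULTS, "a1", QUERIED_AGENTS)
    print(s)
    print(status_counts(s))
```

Running the block prints one status per queried agent and the summary counts for action `a1`; the row belonging to action `zz` is excluded by `filter_by_action`, which is the same separation the Timeline view applies when it filters on `action_id`.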