Use placeholder fields in Osquery queries

edit

Use placeholder fields in Osquery queries

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and reusable queries.

Placeholder fields work in single queries or query packs. They’re also supported in the following features:

Placeholder field syntax and requirements
edit

Placeholder fields use mustache syntax and must be wrapped in double curly brackets ({{example.field}}). You can use any field within an event or alert document as a placeholder field.

Queries with placeholder fields can only run against alerts or events. Otherwise, they will lack the necessary values and the query status will be error.

Example query with a placeholder fieldedit

The following query uses the {{host.name}} placeholder field:

SELECT * FROM os_version WHERE name = {{host.os.name}}

When you run the query, the value that’s stored in the alert or event’s host.name field will be transferred to the {{host.os.name}} placeholder field.