Run Osqueryedit

Osquery allows you to run live queries against an alert’s host to learn more about your infrastructure and operating systems. For example, with Osquery, you can search your system for indicators of compromise that might have contributed to the alert. You can then use this data to form your investigation and alert triage efforts.

You must complete the following to access Osquery and run searches against your hosts:

  1. Click the View details button from the Alerts table to open the Alert details flyout.
  2. Click Take action, then select Run Osquery.
  3. Select one or more Elastic Agents or groups to query. Start typing in the search field to get suggestions for Elastic Agents by name, ID, platform, and policy.

    The host associated with the alert is automatically selected. You can specify additional hosts to query.

  4. Enter a new query or select a saved query.

    setup query
  5. (Optional) Expand the Advanced section to view or set mapped ECS fields included in the results from the live query.
  6. Click Submit.

    To save the query for future use, click Save for later and define the ID, description, and other details.

  7. Review the results in the table. You can also navigate to Discover to dive deeper into the response, or use the drag-and-drop Lens editor to create visualizations.
  8. To view more information about the request, such as failures, open the Status tab in the results table.

    query results