You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, results are indexed and displayed the Results table, which you can filter, sort, and interact with.
17
10
@@ -26,7 +19,7 @@ The Results table displays results from single queries and query packs.
26
19
Results for single queries appear on the **Results** tab. When you run a query, the number of agents queried and query status temporarily display in a status bar above the results table. Agent responses can be `Successful`, `Not yet responded` (pending), and `Failed`.
@@ -36,7 +29,7 @@ Results for single queries appear on the **Results** tab. When you run a query,
36
29
Results for each query in the pack appear in the **Results** tab. Click the expand icon (![Click markdown icon](../../../images/security-pack-expand-button-osquery.png"")) at the far right of each query row to display query results. The number of agents that were queried and their responses are shown for each query. Agent responses are color-coded. Green is `Successful`, `Not yet responded` (pending) is gray, and `Failed` is red.
@@ -45,13 +38,13 @@ Results for each query in the pack appear in the **Results** tab. Click the expa
45
38
46
39
From the results table, you can:
47
40
48
-
* Click **View in Discover** (![Click the View in Discover button](../../../images/security-discover-button-osquery.png"")) to explore the results in Discover.
49
-
* Click **View in Lens** (![Click the View in Lens button](../../../images/security-lens-button-osquery.png"")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations.
50
-
* Click **Timeline** (![Click Timeline button](../../../images/security-timeline-button-osquery.png"")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results.
41
+
* Click **View in Discover** (![View in Discover button](../../../images/security-discover-button-osquery.png"title =20x20")) to explore the results in Discover.
42
+
* Click **View in Lens** (![View in Lens button](../../../images/security-lens-button-osquery.png"title =20x20")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations.
43
+
* Click **Timeline** (![Timeline button](../../../images/security-timeline-button-osquery.png"title =20x20")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results.
51
44
52
45
When you open all results in Timeline, the events in Timeline are filtered based on the `action_ID` generated by the Osquery query.
53
46
54
-
* Click **Add to Case** (![Click Add to Case button](../../../images/security-case-button-osquery.png"")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments.
47
+
* Click **Add to Case** (![Add to Case button](../../../images/security-case-button-osquery.png"title =20x20")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments.
55
48
56
49
::::{note}
57
50
If you add the results to a *new* case, you are prompted to specify the solution that you want the create the case within. Ensure you select the correct solution. From {{elastic-sec}}, you cannot access cases created in {{observability}} or Stack Management.
0 commit comments