From c00ea2ad17bac378b915a04691568df8a3f30951 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 11 Mar 2025 16:41:47 +0000 Subject: [PATCH] Increase maximum Osquery timeout (#6590) (cherry picked from commit b713d8228314d3c18c0aee309d180ce07074e9e3) --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- docs/osquery/alerts-run-osquery.asciidoc | 2 +- docs/osquery/invest-guide-run-osquery.asciidoc | 4 ++-- docs/osquery/osquery-response-action.asciidoc | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 78958696fb..c00704fae5 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -733,7 +733,7 @@ For Osquery (`.osquery`), use a single query, a saved query, or a query pack: * `saved_query_id` (string, optional): To run a saved query, use the `saved_query_id` field and specify the saved query ID. Example: `"saved_query_id": "processes_elastic"` * `packId` (string, optional): To specify a query pack, use the `packId` field. Example: `"packId": "processes_elastic"` * `ecs_mapping` (object, required): Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: `"ecs_mapping": {"process.pid": {"field": "pid"}}` -* `timeout` (number, optional): A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`. Example: `"timeout": 120`. +* `timeout` (number, optional): A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `86400` (24 hours). Example: `"timeout": 120`. NOTE: Refer to {kibana-ref}/osquery-manager-live-queries-api-create.html[Create live query API] for more information about running Osquery queries and packs. diff --git a/docs/osquery/alerts-run-osquery.asciidoc b/docs/osquery/alerts-run-osquery.asciidoc index 4107b8e084..b467c0f50e 100644 --- a/docs/osquery/alerts-run-osquery.asciidoc +++ b/docs/osquery/alerts-run-osquery.asciidoc 
@@ -24,7 +24,7 @@ NOTE: The host associated with the alert is automatically selected. You can spec . Specify the query or pack to run: ** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + -NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours). + TIP: Use <> to dynamically add existing alert data to your query. diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index ceac0931ac..6a0126c148 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc 
@@ -30,7 +30,7 @@ TIP: Use <> to dynamically add ex .. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + -NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours). + [role="screenshot"] image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows results from running a query from an investigation guide] @@ -48,7 +48,7 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows .. Select one or more {agent}s or groups to query. Start typing in the search field to get suggestions for {agent}s by name, ID, platform, and policy. .. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + -NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours). . Click *Submit* to run the query. Query results display in the flyout. + 
diff --git a/docs/osquery/osquery-response-action.asciidoc b/docs/osquery/osquery-response-action.asciidoc index 4f5fac0bff..f339c4dad0 100644 --- a/docs/osquery/osquery-response-action.asciidoc +++ b/docs/osquery/osquery-response-action.asciidoc @@ -36,7 +36,7 @@ NOTE: If the rule's investigation guide is using an Osquery query, you'll be ask . Specify whether you want to set up a single live query or a pack: ** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + -NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours). + TIP: You can use <> to dynamically add alert data to your query.
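Review bot: in the `rules-api-create.asciidoc` hunk, the `timeout` bullet now allows `86400` but still only says the query "will stop running" when the period elapses; with the ceiling raised from 15 minutes to 24 hours, readers will want to know whether a query that hits the limit returns partial results or nothing, and that a long value should be chosen only as large as the query actually needs, since the bullet presents `60` as both the default and the minimum. A clause on the stop behaviour, and a short recommendation to keep the default unless the query has been observed to need more time, would make the new range safer to use. The example `"timeout": 120` remains within range and needs no change.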
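Review bot: the NOTE sentence changed in the `alerts-run-osquery.asciidoc` hunk is repeated verbatim in `invest-guide-run-osquery.asciidoc` (both hunks there) and `osquery-response-action.asciidoc`, which is why one limit change touches five places in four files and is easy to leave inconsistent; consider moving the sentence into a shared AsciiDoc include, or the limit itself into a document attribute (a hypothetical `{osquery-timeout-max}` would do), so that the next change to the maximum is a one-line edit.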
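Review bot: in the `osquery-response-action.asciidoc` hunk, the raised maximum applies to a query that the rule runs automatically as a response action rather than to a single manual live query, so a `86400` timeout set here is inherited by every query the rule triggers; the NOTE should say so and advise keeping the default `60` for rule-triggered queries unless a longer period is required, since the same wording as the manual live-query pages does not convey that difference.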