[OSquery]when we are running a saved query it's timeout field time changed to default time (60s)

[sukhwindersingh-qasource]

Describe the bug:
when we are running a saved query it's timeout field time changed to default time (60s)

Build Details:

VERSION: 8.12.0
BUILD: 69418
COMMIT: a4aa7117bb04d6ded121237ca7d2cd77c9f93ceb

Preconditions

• Kibana should be running.
• Agent with Osquery manager integration should be installed.
• Saved query should be saved with timeout field value as 600s

Steps to Reproduce

• Navigate to Osquery > Saved queries
• Now click on run button of the saved query mentioned in the preconditions
• Observe when we are running a saved query it's timeout field time changed to default time (60s), Instead of the time we have configured while we saved the query.

Actual result

• when we are running a saved query it's timeout field time changed to default time (60s), Instead of the time we have configured while we saved the query.

Expected Result

• when we are running a saved query it's timeout field time should remain same as we have configured while we saved the query

Screen-Cast

Saved.queries.-.Osquery.-.Elastic.Mozilla.Firefox.2023-11-29.14-48-20.mp4

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[sukhwindersingh-qasource]

@muskangulati-qasource kindly review
Thanks!

[muskangulati-qasource]

Reviewed and assigned to @kevinlog

[szwarckonrad]

Further investigation:
Happens only when running saved query using "play" button, choosing saved query in live query view prevails the timeout.

Screen.Recording.2023-12-01.at.10.15.33.mov

[szwarckonrad]

Merged to main with 8.12 label.

[nicpenning]

Any idea if this is related to OS Query not having a controllable timeout functionality?

https://elasticstack.slack.com/archives/CNEDGGJQ3/p1701811075074549?thread_ts=1701811075.074549&cid=CNEDGGJQ3

[kevinlog]

@sukhwindersingh-qasource this is ready for testing in 8.12 BC or latest snapshot

[szwarckonrad]

@nicpenning

This PR is about a configurable Timeout field when running or scheduling Osquery query. This functionality will be introduced with 8.12 release. It is not related to the long running queries reported in Community Slack. Thanks for keeping an eye out though 🙏

[sukhwindersingh-qasource]

Hi @szwarckonrad

We have validated this ticket on the latest **8.12.0 ** build and found the issue is FIXED. ✔️
But We have also observed that timeout is also not included in Live query run. ❌

Please find below the testing details

Build Details:

VERSION: 8.12.0 BC3
BUILD: 69985
COMMIT: 2a8afed

Screen Recording:
Run from saved query: ✔️

Saved.queries.-.Osquery.-.Elastic.Mozilla.Firefox.2023-12-27.16-42-30.mp4

Run from Live query: ❌

Live.queries.-.Osquery.-.Elastic.Mozilla.Firefox.2023-12-27.16-39-21.mp4

Please let us know if anything else is required from our end.

Thanks!!

[dasansol92]

Hey @sukhwindersingh-qasource , is the live query behaviour the same as before the changes or is the behaviour different because the latest changes? Just want to make sure if this is a 8.12 regression or not. Thanks!
cc: @szwarckonrad

[sukhwindersingh-qasource]

Hi @dasansol92

Behaviour of Live query is same as before this is only related to the Timeout field value as when we click on the Run button of live query. Then the timeout fields value is auto set to 60s , But it should be remain as the earlier value while we run the query.

Screen-Cast

New.-.Live.queries.-.Osquery.-.Elastic.Mozilla.Firefox.2023-12-28.11-26-55.mp4

Please do let us know if anything else is required from our end.
Thanks!

[sukhwindersingh-qasource]

Closing this Ticket and marking it as QA Validated as it is fixed Opened a new ticket for the additional observation shared #174082

[sukhwindersingh-qasource]

Bug Conversion

• Test-Case updated:
  • https://elastic.testrail.io/index.php?/cases/view/271372

Thanks!