First draft
nastasha-solomon committed Jan 12, 2024
1 parent ece87f8 commit 2b77b16
Showing 4 changed files with 13 additions and 4 deletions.
4 changes: 3 additions & 1 deletion docs/osquery/alerts-run-osquery.asciidoc
@@ -22,7 +22,9 @@ To run Osquery from an alert:
NOTE: The host associated with the alert is automatically selected. You can specify additional hosts to query.

. Specify the query or pack to run:
** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional.
** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
+
NOTE: The default and minimum value for the **Timeout** field is 60 seconds (s). The maximum value is 9000 seconds.
+
TIP: Use <<osquery-placeholder-fields,placeholder fields>> to dynamically add existing alert data to your query.

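Review bot: The added NOTE gives the bounds of the Timeout field (60 seconds default and minimum, 9000 seconds maximum) but not what happens when a live query reaches the limit, which is exactly what an analyst running a query from an alert needs in order to decide whether to raise it; add a sentence after the bounds describing the observed behaviour (for example, whether the query is cancelled on the host, whether partial results are returned, and how the timeout is reported in the results). Two smaller points on the same lines: `60 seconds (s)` introduces an abbreviation that is never used again, so write either `60 seconds` or `60 s` consistently, and `9000 seconds (2.5 hours)` would make the ceiling obvious at a glance; and moving `(optional)` to the end of the bullet leaves it unclear whether it also covers the timeout, whereas the removed line stated plainly `Mapping ECS fields is optional.` Consider `set a timeout for the query (optional) and view or set ... mapped ECS fields (optional)`.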
Binary file modified docs/osquery/images/setup-single-query.png
9 changes: 7 additions & 2 deletions docs/osquery/invest-guide-run-osquery.asciidoc
@@ -27,7 +27,9 @@ NOTE: You can only add Osquery to investigation guides for custom rules because
+
TIP: Use <<osquery-placeholder-fields,placeholder fields>> to dynamically add existing alert data to your query.

.. Expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
.. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
+
NOTE: The default and minimum value for the **Timeout** field is 60 seconds (s). The maximum value is 9000 seconds.
+
[role="screenshot"]
image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows results from running a query from an investigation guide]
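Review bot: The NOTE added here is a second verbatim copy of the one in alerts-run-osquery.asciidoc (the same text appears twice more in this commit), so the 60 and 9000 second limits will drift the first time one copy is edited; define the values once as asciidoc attributes in a shared attributes file and reference them, or keep the whole note in one `include::` fragment pulled into all four places. Also, the step now tells the reader that the **Advanced** section contains a Timeout field, but the screenshot referenced two lines below, `images/setup-osquery-investigation-guide.png`, is not among the files changed in this commit (only `setup-single-query.png` was updated), so it may still show the section without that field; re-capture it or confirm it already matches.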
@@ -41,7 +43,10 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows
. Go to the About section of the rule details page and click *Investigation guide*.
. Click the query. The Run Osquery pane displays with the *Query* field autofilled. Do the following:
.. Select one or more {agent}s or groups to query. Start typing in the search field to get suggestions for {agent}s by name, ID, platform, and policy.
.. Expand the **Advanced** section to view or set the {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] which are included in the live query's results (optional).
.. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
+
NOTE: The default and minimum value for the **Timeout** field is 60 seconds (s). The maximum value is 9000 seconds.

. Click *Submit* to run the query. Query results display in the flyout.
+
NOTE: Refer to <<view-osquery-results>> for more information about query results.
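Review bot: The sub-step says `set a timeout period for the query` while the NOTE two lines later refers to `the **Timeout** field`; name the control in the step (`set the **Timeout** field for the query`) so the reader can match the instruction to the UI, here and in the same sentence in the two sibling files. The rest of the hunk is fine: replacing `which are included in the live query's results` with the `included in the results from the live query (optional)` phrasing used elsewhere removes the wording drift between the three procedures, and no trailing `+` is needed after this NOTE because the next line starts a new top-level step.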
4 changes: 3 additions & 1 deletion docs/osquery/osquery-response-action.asciidoc
@@ -33,7 +33,9 @@ You can add Osquery Response Actions to new or existing custom query rules. Quer
+
NOTE: If the rule's investigation guide is using an Osquery query, you'll be asked if you want to add the query as an Osquery Response Action. Click *Add* to add the investigation guide's query to the rule's Osquery Response Action.
. Specify whether you want to set up a single live query or a pack:
** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional.
** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
+
NOTE: The default and minimum value for the **Timeout** field is 60 seconds (s). The maximum value is 9000 seconds.
+
TIP: You can use <<osquery-placeholder-fields,placeholder fields>> to dynamically add alert data to your query.

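Review bot: The TIP kept at the end of this hunk reads `You can use <<osquery-placeholder-fields,placeholder fields>> to dynamically add alert data to your query`, while the same tip in alerts-run-osquery.asciidoc and invest-guide-run-osquery.asciidoc reads `Use <<osquery-placeholder-fields,placeholder fields>> to dynamically add existing alert data to your query`; since this commit already aligned the **Advanced**-section sentence across the three files, align the TIP wording too. More important for this file: a response action runs without an analyst present (it is attached to the rule, per the context line `You can add Osquery Response Actions to new or existing custom query rules`), so the Timeout NOTE should say whether a query that exceeds the limit is recorded as failed or simply produces no results, and whether the limit applies per host or per rule execution; that is what a rule author needs before raising it toward the 9000-second maximum.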