Add Osquery Response Actions

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Osquery Response Actions allow you to add live queries to custom query rules so you can automatically collect data on systems the rule is monitoring. Use this data to support your alert triage and investigation efforts.
Requirements

- Osquery Response Actions require the Endpoint Protection Complete project feature.
- The Osquery manager integration must be installed.
- Elastic Agent’s status must be Healthy. Refer to Fleet Troubleshooting if it isn’t.
- You must have the appropriate user role to use this feature.
- You can only add Osquery Response Actions to custom query rules.

Add Osquery Response Actions to rules

You can add Osquery Response Actions to new or existing custom query rules. Queries run every time the rule executes.

1. Choose one of the following:
   - New rule: When you are on the last step of custom query rule creation, go to the Response Actions section and click the Osquery icon.
   - Existing rule: Edit the rule’s settings, then go to the Actions tab. In the tab, click the Osquery icon under the Response Actions section.
     If the rule’s investigation guide is using an Osquery query, you’ll be asked if you want to add the query as an Osquery Response Action. Click Add to add the investigation guide’s query to the rule’s Osquery Response Action.
2. Specify whether you want to set up a single live query or a pack:
   - Query: Select a saved query or enter a new one. After you enter the query, you can expand the Advanced section to set a timeout period for the query, and view or set mapped ECS fields included in the results from the live query. Mapping ECS fields is optional.
     Overwriting the query’s default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the Timeout field is 60. The maximum supported value is 900. You can use placeholder fields to dynamically add alert data to your query.
   - Pack: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. Refer to prebuilt packs to learn about using and managing Elastic prebuilt packs.
3. Click the Osquery icon to add more live queries (optional).
4. Click Create & enable rule (for a new rule) or Save changes (for existing rules) to finish adding the queries.
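As an added illustration of the Query option above (this is example SQL written for this page, not a query from the Elastic documentation), the following live query enriches an alert with the alerting process and any sockets it holds open on the host. It assumes the rule's alerts carry the ECS field process.pid and that the mustache-style `{{field}}` placeholder syntax substitutes the alert's value into the query when the response action runs.

```sql
-- Added example for an Osquery Response Action on a custom query rule.
-- Assumption: {{process.pid}} is replaced with the alert's process.pid
-- value before the query is sent to the host's osquery instance.
-- Goal for triage: see the full command line, parent, owner and network
-- sockets of the process that triggered the alert, on the host itself.
SELECT
  p.pid,
  p.parent,
  p.name,
  p.path,
  p.cmdline,
  p.uid,
  p.start_time,
  s.local_port,
  s.remote_address,
  s.remote_port,
  s.protocol
FROM processes AS p
LEFT JOIN process_open_sockets AS s
  ON s.pid = p.pid
WHERE p.pid = {{process.pid}};
```

Queries that join several tables on busy hosts can exceed the default timeout, which is when raising the Timeout field in the Advanced section (within the 60 to 900 range stated above) is useful.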
Edit Osquery Response Actions

If you want to choose a different query or query pack for the Osquery Response Action to use, edit the rule to update the Response Action.

If you edited a saved query or query pack that an Osquery Response Action is using, you must reselect the saved query or query pack on the related Osquery Response Action. Query changes are not automatically applied to Osquery Response Actions.

1. Edit the rule’s settings, then go to the Actions tab.
2. Modify the settings for Osquery Response Actions you’ve added.
3. Click Save changes.
Find query results

When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the Response Results tab in the Alert details flyout. The number next to the Response Results tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule.

Refer to Examine Osquery results for more information about query results.