[DOCS] Add the 7.16 Osquery docs #116969

Closed
melissaburpo opened this issue Nov 1, 2021 · 4 comments
Assignees
Labels
enhancement New value added to drive a business result Feature:Osquery Security Solution Osquery feature Team:Asset Management Security Asset Management Team Team:Docs v7.16.0

Comments

@melissaburpo
Contributor

melissaburpo commented Nov 1, 2021

Summary

Osquery has several changes in 7.16 that require a doc update, including:

  • Only one Osquery Manager integration can be added per agent policy (change from previous versions)
  • Update scheduled query groups to packs; packs can be scheduled for multiple agent policies; packs are only scheduled once you assign agent policies; and other related info.
  • Custom integration namespaces are now supported (previously, only default was supported). This impacts the data stream name.
  • Saved query changes:
    • Can now define ECS mappings for saved queries
    • When you add a saved query with ECS mappings to a query pack, the mappings are copied in. There is not a connection to the original saved query (i.e. if you later change the copy in the query pack, that won't impact the original saved query)
    • Can now test saved queries while defining them
  • Notes for ECS mapping in general:
    • Support for mapping static values to ECS fields (e.g. for event.category, tags, and others where static values are useful)
    • Some fields are restricted and can't be mapped (e.g. see this list)
  • Describe how to handle mapping osquery date fields to ECS. Osquery dates can have different types (e.g. integer, text, bigint), which may lead to issues with mapping. One way to handle this is with use of SQL operators in the query in some cases. Ideally the docs can include instructions about how (and when) to adjust SQL statements to get a proper ES-compatible timestamp.
  • Describe the new advanced Osquery configuration via JSON config. Note the options not supported (e.g. these protected fields + others)
  • Add info about the extension we've added to the osquery we install via our integration; it supports querying some kube-related fields. For more info see Osquerybeat: Implement host_users, host_groups, host_processes tables as a part of our osquery_extension. beats#28434
  • Describe how to import/export saved queries and packs via saved objects
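The date-mapping item above describes the problem but not the SQL. The following is an added example, not code from this issue or from the Osquery integration, showing the kind of query-side normalisation a saved query can do before its result is mapped to an ECS date field. It runs the query against an in-memory SQLite table (osquery's own SQL engine is SQLite, so the same expressions are valid in a saved query); the table name `file`, the `mtime` column and the rows are constructed for the example. The point it demonstrates: `CAST(... AS INTEGER)` makes integer, bigint and text epoch values uniform, and `strftime('%Y-%m-%dT%H:%M:%SZ', ..., 'unixepoch')` renders them as ISO 8601 in UTC, which the default Elasticsearch date mapping (`strict_date_optional_time||epoch_millis`) accepts, whereas `datetime(..., 'unixepoch')` produces `YYYY-MM-DD HH:MM:SS` (no `T`), which that mapping rejects.

```python
import sqlite3
from datetime import datetime

# Constructed rows (not real osquery output): the same epoch-seconds value can
# arrive as an integer, as text, or be missing, which is why a raw column does
# not always map cleanly to an ECS date field.
ROWS = [
    ("/etc/hosts", 1635724800),     # integer epoch seconds
    ("/etc/passwd", "1635811200"),  # same kind of value stored as text
    ("/tmp/scratch", None),         # missing value
]

# SQL as it would appear in a saved query. CAST normalises the storage type,
# strftime renders ISO 8601 (UTC), and the *1000 variant yields epoch_millis
# for mappings that prefer a numeric timestamp.
NORMALISE_SQL = """
    SELECT path,
           mtime AS raw_mtime,
           strftime('%Y-%m-%dT%H:%M:%SZ', CAST(mtime AS INTEGER), 'unixepoch') AS mtime_iso,
           CAST(mtime AS INTEGER) * 1000 AS mtime_ms
    FROM file
"""


def normalise_timestamps(rows=ROWS):
    """Run the normalising query over constructed rows; returns a list of dicts."""
    conn = sqlite3.connect(":memory:")
    # hypothetical table shaped like an osquery table with an epoch-seconds column;
    # the column is left untyped so SQLite keeps each value's original storage class
    conn.execute("CREATE TABLE file (path TEXT, mtime)")
    conn.executemany("INSERT INTO file VALUES (?, ?)", rows)
    cols = ("path", "raw_mtime", "mtime_iso", "mtime_ms")
    return [dict(zip(cols, r)) for r in conn.execute(NORMALISE_SQL)]


def is_es_iso_timestamp(value):
    """True if value is the ISO 8601 UTC form the default ES date mapping accepts."""
    if value is None:
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for row in normalise_timestamps():
        print(row, "valid:", is_es_iso_timestamp(row["mtime_iso"]))
```

A NULL source value stays NULL through both expressions rather than turning into `1970-01-01`, so a missing date is reported as missing instead of a bogus epoch-zero timestamp; `is_es_iso_timestamp` is the check to run on a query's output before relying on the ECS mapping.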
@melissaburpo melissaburpo added Team:Docs enhancement New value added to drive a business result Team:Asset Management Security Asset Management Team Feature:Osquery Security Solution Osquery feature labels Nov 1, 2021
@melissaburpo melissaburpo self-assigned this Nov 1, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-docs (Team:Docs)

@elasticmachine
Contributor

Pinging @elastic/security-asset-management (Team:Asset Management)

@melissaburpo
Contributor Author

FYI @gchaps + @KOTungseth about this docs issue. The team is going to take a first pass to update this content then pass it over to the docs team for a good review.
