[DOCS] Update osquery page for changes in 7.16 #117031
Merged
+161
−233
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s, and ECS mapping
melissaburpo
added
release_note:skip
…tom tables, and other copy edits
|
Hi @aleksmaus, @patrykkopycinski, @james-elastic - this is an early draft of doc changes for 7.16. Can you all please do a technical review, before we pass it off to the docs team for some more general edits? Thanks for any feedback! |
…e other minor copy edits
|
Hi @gchaps - There may be a few more minor changes coming, but overall, I think this is ready for review! A few questions:
Thanks for any tips! |
|
Pinging @elastic/kibana-docs (Team:Docs) |
|
@elasticmachine merge upstream |
gchaps
reviewed
Nov 11, 2021
|
|
||
| * Run live queries for one or more agents | ||
| * Schedule queries to capture changes to OS state over time | ||
| * Schedule query packs to capture changes to OS state over time | ||
| * View a history of past queries and their results | ||
| * Save queries and build a library of queries for specific use cases |
There was a problem hiding this comment.
This sentence appears after the bulleted list. but it doesn't seem to fit in with the flow of the text. Can it be removed?
Osquery results are stored in Elasticsearch, so that you can search, analyze, and visualize Osquery data in Kibana.
There was a problem hiding this comment.
I think it's an important thing to note somewhere, because we've received some questions about it. But I definitely see your point. I'll try to find a better spot for it.
There was a problem hiding this comment.
I ended up moving it to the "Osquery results" section - seems like a better fit there.
docs/osquery/osquery.asciidoc
Outdated
| @@ -51,14 +51,15 @@ and you'll get suggestions for agents by name, ID, platform, and policy. | |||
| [role="screenshot"] | |||
| image::images/enter-query.png[Select saved query dropdown name showing query name and description] | |||
|
|
|||
| . (Optional) Expand the **Advanced** section to view or set <<osquery-map-fields,mapped ECS fields>>. The results from the live query include the mapped fields. | |||
|
|
|||
| . Click **Submit**. | |||
|
|
|||
| . Review the results in a table, or navigate to *Discover* to dive deeper into the response, | |||
| or to the drag-and-drop *Lens* editor to create visualizations. | |||
| . To view more information about the request, such as failures, open the *Status* tab. | |||
| . To optionally save the query for future use, click *Save for later* and define the ID, | |||
There was a problem hiding this comment.
Let's remove "optionally" from this sentence for consistency.
docs/osquery/osquery.asciidoc
Outdated
| . Click **Submit**. | ||
|
|
||
| . Review the results in a table, or navigate to *Discover* to dive deeper into the response, | ||
| or to the drag-and-drop *Lens* editor to create visualizations. | ||
| . To view more information about the request, such as failures, open the *Status* tab. | ||
| . To optionally save the query for future use, click *Save for later* and define the ID, | ||
| description, and other | ||
| <<osquery-manage-query,details>>. | ||
| description, and other <<osquery-manage-query,details>>. | ||
|
|
||
| To view a history of the past queries you have run, open the *Live queries history*. |
There was a problem hiding this comment.
I ended up making it an independent sub-section, because I think it's a bit of a separate process from running a live query. Take a look and let me know whether you think the latest update works.
docs/osquery/osquery.asciidoc
Outdated
|
|
||
| . To save changes to the query, click *Save*. | ||
| ** **Osquery value**: Select an Osquery field. The fields available are based on the SQL query entered, and only include fields that the query returns. When the query runs, the ECS field is set dynamically to the value of the osquery field selected. |
There was a problem hiding this comment.
osquery field selected > Osquery field selected?
docs/osquery/osquery.asciidoc
Outdated
|
|
||
| * The unique identifier. | ||
| Note: |
There was a problem hiding this comment.
Use our NOTE format. Instructions are here.
gchaps
reviewed
Nov 11, 2021
docs/osquery/osquery.asciidoc
Outdated
| you can create roles for users who can only run live or saved queries, but who cannot save or schedule queries. | ||
| This is useful for teams who need in-depth and detailed control. | ||
|
|
||
| [float] | ||
| == Upgrade Osquery versions | ||
| === Customize Osquery configuration | ||
| By default, all Osquery Manager integrations share the same osquery configuration. However, you can customize how osquery is configured by editing the Osquery Manager integration for each agent policy |
There was a problem hiding this comment.
osquery is lowercase here. Is that ok?
There was a problem hiding this comment.
I decided to just be consistent throughout and use caps in all instances.
docs/osquery/osquery.asciidoc
Outdated
|
|
||
| * Some fields are protected and cannot be set. A warning is displayed with details about which fields should be removed. | ||
|
|
||
| * (Optional) To load a full configuration file, drag and drop an osquery `.conf` file into the area at the bottom of the page. |
Co-authored-by: gchaps <[email protected]>
|
@elasticmachine merge upstream |
gchaps
approved these changes
Nov 19, 2021
docs/osquery/osquery.asciidoc
Outdated
| Optionally, set the minimum Osquery version and platform, | ||
| or <<osquery-map-fields,map ECS fields>>. When you add a saved query to a pack, this adds a copy of the query. A connection is not maintained between saved queries and packs. | ||
|
|
||
| * To upload queries from a .conf query pack, drag the pack to the drop zone under the query table. To explore the community packs that Osquery publishes, click *Example packs*. |
There was a problem hiding this comment.
should conf be in a different font: .conf?
There was a problem hiding this comment.
agreed - updated
docs/osquery/osquery.asciidoc
Outdated
|
|
||
| . Click *Test configuration* to test the query and any mapped fields: | ||
|
|
||
| * From the *Test query* panel, select agents or groups to test the query, then click *Submit*. This runs a live query. Result columns that are mapped are marked with image:images/mapped-icon.png[mapping icon]. Hover over the icon to see the mapped ECS field. |
There was a problem hiding this comment.
The period after to icon wraps to the next line. Not sure how to fix other than to remove a word. You could do "then click Submit to run a live query.
There was a problem hiding this comment.
@gchaps - did the update commit fix what you were seeing? Thanks!
Co-authored-by: gchaps <[email protected]>
|
@elasticmachine merge upstream |
💚 Build Succeeded
History
To update your PR or re-run it, just comment with: |
gchaps
added a commit
to gchaps/kibana
that referenced
this pull request
Nov 22, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]>
gchaps
added a commit
to gchaps/kibana
that referenced
this pull request
Nov 22, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]>
gchaps
added a commit
that referenced
this pull request
Nov 22, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]> Co-authored-by: Melissa Burpo <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
gchaps
added a commit
that referenced
this pull request
Nov 22, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]> Co-authored-by: Melissa Burpo <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
dmlemeshko
pushed a commit
that referenced
this pull request
Nov 29, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]>
TinLe
pushed a commit
to TinLe/kibana
that referenced
this pull request
Dec 22, 2021
* update usage section for changes to live queries, saved queries, packs, and ECS mapping * add info about custom configuration, ECS mapping for date fields, custom tables, and other copy edits * address pr comment, add info about static values for ecs mapping, make other minor copy edits * add more info about the new k8s tables * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * update per code review comments * Update docs/osquery/osquery.asciidoc Co-authored-by: gchaps <[email protected]> * address review comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: gchaps <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR updates the Osquery doc for the 7.16 release. For details of the updates, see the related issue below.
Preview:
https://kibana_117031.docs-preview.app.elstc.co/guide/en/kibana/master/osquery.html
Related issue