Osquery 8.3 updates (#134965)

* note that query history list shows past 30 days

* revise query timeout note

* describe new saved queries available out of the box

* update images for UI changes in 8.3

* add osquery FAQ

* revise per team feedback

* simplify version check query

* add clarification about version updates

* describe how to enable the curl table

* fix link

* fix code block

* Apply suggestions from code review

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* address pr feedback

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Melissa Burpo 2022-06-24 14:02:54 -05:00 committed by GitHub
parent 8c94def73e
commit b57ee29b66
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 195 additions and 59 deletions

Binary image file changed (not shown): 204 KiB before, 58 KiB after.

Binary image file changed (not shown): 152 KiB before, 140 KiB after.

Binary image file changed (not shown): 102 KiB before, 82 KiB after.
View file

@ -35,6 +35,7 @@ you can create roles for users who can only run live or saved queries, but who c
This is useful for teams who need in-depth and detailed control.
[float]
[[osquery-custom-config]]
=== Customize Osquery configuration
experimental[] By default, all Osquery Manager integrations share the same osquery configuration. However, you can customize how Osquery is configured by editing the Osquery Manager integration for each agent policy
you want to adjust. The custom configuration is then applied to all agents in the policy.
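Review bot: the `[[osquery-custom-config]]` anchor in this hunk is what the new FAQ's FIM answer resolves through `<<osquery-custom-config>>`, so it needs to stay exactly as spelled here; one small style point is that the sentence `editing the Osquery Manager integration for each agent policy / you want to adjust` is wrapped mid-sentence while the rest of the file wraps at sentence boundaries, which makes future diffs noisier than they need to be.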
@ -76,8 +77,41 @@ As an example, the following configuration disables two tables.
+
```ts
{
"options":{
"disable_tables":"curl,process_envs"
"options": {
"disable_tables":"file,process_envs"
}
}
```
[float]
[[enable-curl-table]]
==== Enabling the `curl` table
By default, the https://osquery.io/schema/#curl[curl table] is disabled.
If preferred, you can enable it using the Advanced *Osquery config*.
*Why is the `curl` table disabled?*
When you query the https://osquery.io/schema/#curl[curl table], this results in an HTTP request.
The query results include the response to the request. As a simple example, if you run the query
`SELECT * FROM curl WHERE url='https://www.elastic.co/';`, the `result` field contains the
webpage content.
This table can be misused in some environments, for example, when used to issue HTTP requests
to an AWS metadata service or to services on your internal network.
Out of an abundance of caution, we have opted to disable access to this table by default.
However, if you need access to the table for your own monitoring purposes, you can enable it
as needed.
*How to enable the `curl` table:*
For each agent policy where you want to allow `curl` table queries, edit the
Osquery Manager integration to add the following Advanced *Osquery config*:
```ts
{
"options": {
"enable_tables":"curl"
}
}
```
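Review bot: the enabling snippet should say how `"enable_tables":"curl"` interacts with the `disable_tables` list shown in the example just above it; a reader who already has `"disable_tables":"file,process_envs"` in the same Advanced config needs to know whether adding `enable_tables` as a sibling key is sufficient or whether `curl` must also be kept out of `disable_tables`. Two smaller points: both fences are tagged `ts` but contain JSON, so `json` is the accurate tag, and since enabling is done per agent policy, the rationale paragraph could point back to the role-based access described at the top of this file (users who can run live or saved queries but cannot change integration settings), because that is the control that keeps the table from being re-enabled by people who should not be issuing HTTP requests from managed hosts.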
@ -88,7 +122,7 @@ As an example, the following configuration disables two tables.
The https://github.com/osquery/osquery/releases[Osquery version] available on an Elastic Agent
is associated to the version of Osquery Beat on the Agent.
To get the latest version of Osquery Beat,
https://www.elastic.co/guide/en/fleet/master/upgrade-elastic-agent.html[upgrade your Elastic Agent].
{fleet-guide}/upgrade-elastic-agent.html[upgrade your Elastic Agent].
[float]
=== Debug issues
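Review bot: `associated to the version of Osquery Beat` should read `associated with`, and since the new FAQ adds the `SELECT version FROM osquery_info;` live query for checking the installed version, a cross-reference to `<<osquery-updates>>` from this paragraph would save readers from hunting for it.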

View file

@ -0,0 +1,84 @@
[[osquery-faq]]
== Osquery FAQ
This list of frequently asked questions answers common questions about
using Osquery in {kib}.
[float]
[[osquery-differences]]
=== How is Osquery Manager different from Osquery?
The Osquery Manager integration brings https://osquery.io/[Osquery] capabilities to the Elastic Stack and
makes it easier to manage Osquery across a large number of hosts.
Most Osquery functionality works the same way in {kib} as it does when you deploy Osquery yourself.
However, there are a few differences and known issues, outlined below.
[float]
[[osquery-fda]]
=== How do I grant Full Disk Access?
Full Disk Access (FDA) is required to fully query some tables on MacOS. Granting FDA is
not yet supported for Osquery Manager. This impacts a small set
of tables that access file directories that are restricted due to heightened permissions from Apple,
including https://osquery.io/schema/current#file[file],
https://osquery.io/schema/current#file_events[file_events],
https://osquery.io/schema/current#es_process_events[es_process_events],
and any custom tables configured with
https://osquery.readthedocs.io/en/stable/deployment/configuration/#automatic-table-construction[ATC]
that require access to these directories.
When querying these tables, you won't get results from the restricted directories.
[float]
[[osquery-carves]]
=== Why can't I query the carves table?
File carving is not yet supported in the Elastic Stack, and
https://osquery.io/schema/current#carves[carves] table queries do not return results.
[float]
[[osquery-help-command]]
=== Does the Osquery `.help` command work in {kib}?
The https://osquery.readthedocs.io/en/stable/introduction/sql/#shell-help[Osquery `.help` command]
is not available when running live queries in {kib}. Instead, refer to the
https://osquery.io/schema/[Osquery schema] for all available tables, fields,
and supported Operating Systems for each.
[float]
[[osquery-extensions]]
=== Can I use Osquery extensions in {kib}?
Osquery Manager does not currently support
https://osquery.readthedocs.io/en/stable/deployment/extensions/[Osquery extensions].
[float]
[[osquery-fim]]
=== Can I do File Integrity Monitoring (FIM)?
Yes, you can set up
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/[Osquery FIM] using
the Advanced configuration option for Osquery Manager (see <<osquery-custom-config>>).
However, Elastic also provides a File Integrity Monitoring integration for Elastic Agent, which might prove
to be easier to configure than the current options available for Osquery Manager.
[float]
[[osquery-syntax]]
=== Where can I get help with osquery syntax?
Osquery uses a superset of SQLite for queries.
To get started with osquery SQL, refer to the
https://osquery.readthedocs.io/en/stable/introduction/sql/[Osquery documentation].
For help with more advanced questions, the Osquery community has an active
Slack workspace and GitHub project. You can find links for both at https://osquery.io/[osquery.io].
[float]
[[osquery-updates]]
=== How often is Osquery updated for Osquery Manager?
When a new https://github.com/osquery/osquery/releases[version of Osquery is released],
it is included in a subsequent Elastic Agent release and applied when the agent is upgraded.
After that, when running queries from Osquery Manager in {kib}, the updated Osquery version is used.
Refer to the Fleet and Elastic Agent Guide for help with
{fleet-guide}/upgrade-elastic-agent.html[upgrading Fleet-managed Elastic Agents].
To check what Osquery version is installed on an Elastic Agent, you can run
`SELECT version FROM osquery_info;` as a live query in {kib}. The `version` in the
response is the Osquery version installed on the agent.
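Review bot: the Full Disk Access answer says you `won't get results from the restricted directories` but not whether the query errors or silently returns fewer rows; stating that explicitly matters because an empty result from `file` or `file_events` on a restricted path can be misread as the path not existing. Capitalization is inconsistent within the file: `MacOS` should be `macOS`, `Operating Systems` should be lowercase, and the syntax answer uses `osquery` where every other heading in the file uses `Osquery`.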

View file

@ -62,9 +62,10 @@ description, and other <<osquery-manage-query,details>>.
[[osquery-view-history]]
== View or rerun previous live queries
From the *Live queries history* section on the *Live queries* tab:
The *Live queries history* section on the *Live queries* tab shows a log of queries run over the last 30 days.
Each query has the following options:
* Click image:images/play-icon.png[Right-pointing triangle] to replay a query.
* Click image:images/play-icon.png[Right-pointing triangle] to rerun a query.
* Click image:images/table-icon.png[Table icon] to view the query <<osquery-results,results>> and <<osquery-status,status>>.
+
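Review bot: the change from `replay` to `rerun` is the right fix, but the bullet could state that rerunning sends the query to the agents again rather than redisplaying the stored results, since the history now spans 30 days and the agents covered by a policy can change over that window. Also, `Each query has the following options:` introduces two icon actions; `actions` would avoid confusion with the Advanced config `options` used elsewhere in this change.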
@ -119,53 +120,6 @@ image::images/scheduled-pack.png[Shows queries in the pack and details about eac
. View scheduled query results in <<discover,*Discover*>> or the drag-and-drop <<lens,*Lens*>> editor.
[float]
[[osquery-prebuilt-packs]]
== Prebuilt Elastic packs
The Osquery Manager integration includes a set of prebuilt Osquery packs that you can optionally load. Once added, you can then activate and schedule the packs.
You can modify the scheduled agent policies for a prebuilt pack, but you cannot edit queries in the pack. To edit the queries, you must first create a copy of the pack.
For information about the prebuilt packs that are available, refer to <<prebuilt-packs>>.
[float]
[[load-prebuilt-packs]]
=== Load and activate prebuilt Elastic packs
. Go to *Packs*, and then click *Load Elastic prebuilt packs*.
+
NOTE: This option is only available if new or updated prebuilt packs are available.
. For each pack that you want to schedule:
* Enable the option to make the pack *Active*.
* Click the pack name, then *Edit*.
* Update the *Scheduled agent policies* to specify the policies where this pack should run.
. Click *Update pack*.
[float]
[[copy-prebuilt-packs]]
=== Copy prebuilt Elastic packs
To modify queries in prebuilt packs, you must first make a copy of the pack.
. Go to *Stack Management* -> *Saved Objects*.
. Search for the Osquery packs you want to modify by name.
. Select the checkboxes of the packs to export.
. Click *Export x objects*.
. Click *Import*.
. Select the import option *Create new objects with random IDs*, then click *Import* to import the pack. This creates a copy of the pack that you can edit.
[float]
[[osquery-manage-query]]
== Save queries
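Review bot: the removed block is reinstated later in this change under `Prebuilt Elastic packs and queries` with its anchors (`[[osquery-prebuilt-packs]]`, `[[load-prebuilt-packs]]`, `[[copy-prebuilt-packs]]`) intact, so `<<…>>` references keep resolving; worth confirming that nothing links to the old heading by title rather than by anchor, since the levels move from `==` to `===` and from `===` to `====`.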
@ -173,11 +127,9 @@ To modify queries in prebuilt packs, you must first make a copy of the pack.
You can save queries in two ways:
* After running a live query, click the *Save for later* link.
* From the *Saved queries* tab, click the **Add saved query** button.
* From the *Saved queries* tab, click **Add saved query**.
Once you save a query, you can only edit it from the *Saved queries* tab.
To add or edit saved queries from the *Saved queries* tab:
Once you save a query, you can only edit it from the *Saved queries* tab:
. Go to *Saved queries*, and then click **Add saved query** or the edit icon.
. Provide the following fields:
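Review bot: `**Add saved query**` uses double asterisks while every other UI label in the hunk uses single (`*Save for later*`, `*Saved queries*`); the new line keeps the mixed style, so normalize it to `*Add saved query*` on both the bullet and the numbered step. The merged lead-in `Once you save a query, you can only edit it from the *Saved queries* tab:` reads well as the introduction to the steps that follow.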
@ -204,6 +156,71 @@ To add or edit saved queries from the *Saved queries* tab:
. Click *Save* or *Update*.
[float]
[[osquery-prebuilt-packs-queries]]
== Prebuilt Elastic packs and queries
Osquery Manager includes a set of prebuilt Osquery packs and saved queries
that can help you get started using the integration.
[float]
[[osquery-prebuilt-queries]]
=== Prebuilt queries
A set of saved queries are included with the integration and available to run as a live query.
Note the following about the prebuilt queries:
* The queries are not editable.
* Several of the queries include default ECS mappings to standardize the results.
* The prebuilt Elastic queries all follow the same naming convention and identify
what type of information is being queried, what operating system it supports if it's limited to one or more,
and that these are Elastic queries. For example, `firewall_rules_windows_elastic`.
[float]
[[osquery-prebuilt-packs]]
=== Prebuilt packs
The prebuilt Osquery packs are included with the integration and can be optionally loaded.
Once added, you can then activate and schedule the packs.
You can modify the scheduled agent policies for a prebuilt pack, but you cannot edit queries in the pack. To edit the queries, you must first create a copy of the pack.
For information about the prebuilt packs that are available, refer to <<prebuilt-packs>>.
[float]
[[load-prebuilt-packs]]
==== Load and activate prebuilt Elastic packs
. Go to *Packs*, and then click *Load Elastic prebuilt packs*.
+
NOTE: This option is only available if new or updated prebuilt packs are available.
. For each pack that you want to schedule:
* Enable the option to make the pack *Active*.
* Click the pack name, then *Edit*.
* Update the *Scheduled agent policies* to specify the policies where this pack should run.
. Click *Update pack*.
[float]
[[copy-prebuilt-packs]]
==== Copy prebuilt Elastic packs
To modify queries in prebuilt packs, you must first make a copy of the pack.
. Go to *Stack Management* -> *Saved Objects*.
. Search for the Osquery packs you want to modify by name.
. Select the checkboxes of the packs to export.
. Click *Export x objects*.
. Click *Import*.
. Select the import option *Create new objects with random IDs*, then click *Import* to import the pack. This creates a copy of the pack that you can edit.
[float]
[[osquery-map-fields]]
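Review bot: `A set of saved queries are included` should be `is included` (the subject is `set`). The naming-convention bullet is hard to parse as one sentence; splitting it into the three parts a name encodes (information type, operating system where the query is limited to one, and the `_elastic` suffix marking it as an Elastic query) with `firewall_rules_windows_elastic` as the worked example would make the convention scannable. The bullet about default ECS mappings would be more useful with a pointer to `<<osquery-map-fields>>`, whose anchor is already in this hunk's trailing context.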
@ -276,9 +293,8 @@ A query can have the following status:
|===
NOTE: If an agent is offline, the request status remains **pending** as {kib} retries the request.
By default, a query request times out after five minutes. The time out applies to the time it takes
to deliver the action request to an agent to run a query. If the action completes after the timeout period,
the results are still returned.
By default, a query request times out after one minute. An action timeout error is returned when
the query does not complete within that interval.
[float]
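Review bot: the drop from a five-minute to a one-minute timeout, together with the new statement that an action timeout error is returned, is a behavior change that should say whether the interval is configurable and what happens to results from agents that respond after the minute elapses; the deleted text promised those results would still be returned, and the replacement does not say whether they are now discarded. Queries that walk large directory trees or hash files (the `file` table appears earlier in this change) are the ones likely to hit the limit, so a sentence steering users toward scheduled packs for long-running queries would help.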
@ -314,3 +330,5 @@ include::manage-integration.asciidoc[]
include::exported-fields-reference.asciidoc[]
include::prebuilt-packs.asciidoc[]
include::osquery-faq.asciidoc[]
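Review bot: the header `@ -314,3 +330,5 @@` reports two added lines but only the `include::osquery-faq.asciidoc[]` line is visible, so confirm the second is a blank separator and not a stray include; placing the FAQ after `prebuilt-packs.asciidoc` is consistent with the FAQ referring back to the prebuilt packs and custom-config sections rather than the other way round.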