[[osquery-faq]] == Osquery FAQ This list of frequently asked questions answers common questions about using Osquery in {kib}. [float] [[osquery-differences]] === How is Osquery Manager different from Osquery? The Osquery Manager integration brings https://osquery.io/[Osquery] capabilities to the Elastic Stack and makes it easier to manage Osquery across a large number of hosts. Most Osquery functionality works the same way in {kib} as it does when you deploy Osquery yourself. However, there are a few differences and known issues, outlined below. [float] [[osquery-fda]] === How do I grant Full Disk Access? Full Disk Access (FDA) is required to fully query some tables on MacOS. Granting FDA is not yet supported for Osquery Manager. This impacts a small set of tables that access file directories that are restricted due to heightened permissions from Apple, including https://osquery.io/schema/current#file[file], https://osquery.io/schema/current#file_events[file_events], https://osquery.io/schema/current#es_process_events[es_process_events], and any custom tables configured with https://osquery.readthedocs.io/en/stable/deployment/configuration/#automatic-table-construction[ATC] that require access to these directories. When querying these tables, you won't get results from the restricted directories. [float] [[osquery-carves]] === Why can't I query the carves table? File carving is not yet supported in the Elastic Stack, and https://osquery.io/schema/current#carves[carves] table queries do not return results. [float] [[osquery-help-command]] === Does the Osquery `.help` command work in {kib}? The https://osquery.readthedocs.io/en/stable/introduction/sql/#shell-help[Osquery `.help` command] is not available when running live queries in {kib}. Instead, refer to the https://osquery.io/schema/[Osquery schema] for all available tables, fields, and supported Operating Systems for each. [float] [[osquery-extensions]] === Can I use Osquery extensions in {kib}? Osquery Manager does not currently support https://osquery.readthedocs.io/en/stable/deployment/extensions/[Osquery extensions]. [float] [[osquery-fim]] === Can I do File Integrity Monitoring (FIM)? Yes, you can set up https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/[Osquery FIM] using the Advanced configuration option for Osquery Manager (see <>). However, Elastic also provides a https://docs.elastic.co/en/integrations/fim[File Integrity Monitoring] integration for Elastic Agent, which might prove to be easier to configure than the current options available for Osquery Manager. [float] [[osquery-syntax]] === Where can I get help with osquery syntax? Osquery uses a superset of SQLite for queries. To get started with osquery SQL, refer to the https://osquery.readthedocs.io/en/stable/introduction/sql/[Osquery documentation]. For help with more advanced questions, the Osquery community has an active Slack workspace and GitHub project. You can find links for both at https://osquery.io/[osquery.io]. [float] [[osquery-updates]] === How often is Osquery updated for Osquery Manager? When a new https://github.com/osquery/osquery/releases[version of Osquery is released], it is included in a subsequent Elastic Agent release and applied when the agent is upgraded. After that, when running queries from Osquery Manager in {kib}, the updated Osquery version is used. Refer to the Fleet and Elastic Agent Guide for help with {fleet-guide}/upgrade-elastic-agent.html[upgrading Fleet-managed Elastic Agents]. To check what Osquery version is installed on an Elastic Agent, you can run `SELECT version FROM osquery_info;` as a live query in {kib}. The `version` in the response is the Osquery version installed on the agent.