kibana/docs/osquery/osquery-faq.asciidoc

[[osquery-faq]]
== Osquery FAQ

This list of frequently asked questions answers common questions about
using Osquery in {kib}.

[float]
[[osquery-differences]]
===  How is Osquery Manager different from Osquery?

The Osquery Manager integration brings https://osquery.io/[Osquery] capabilities to the Elastic Stack and 
makes it easier to manage Osquery across a large number of hosts.
Most Osquery functionality works the same way in {kib} as it does when you deploy Osquery yourself.
However, there are a few differences and known issues, outlined below.

[float]
[[osquery-fda]]
=== How do I grant Full Disk Access?

Full Disk Access (FDA) is required to fully query some tables on MacOS. Granting FDA is
not yet supported for Osquery Manager. This impacts a small set
of tables that access file directories that are restricted due to heightened permissions from Apple, 
including https://osquery.io/schema/current#file[file], 
https://osquery.io/schema/current#file_events[file_events], 
https://osquery.io/schema/current#es_process_events[es_process_events],
and any custom tables configured with 
https://osquery.readthedocs.io/en/stable/deployment/configuration/#automatic-table-construction[ATC] 
that require access to these directories.
When querying these tables, you won't get results from the restricted directories. 

[float]
[[osquery-carves]]
=== Why can't I query the carves table?

File carving is not yet supported in the Elastic Stack, and 
https://osquery.io/schema/current#carves[carves] table queries do not return results.

[float]
[[osquery-help-command]]
=== Does the Osquery `.help` command work in {kib}?

The https://osquery.readthedocs.io/en/stable/introduction/sql/#shell-help[Osquery `.help` command] 
is not available when running live queries in {kib}. Instead, refer to the 
https://osquery.io/schema/[Osquery schema] for all available tables, fields, 
and supported Operating Systems for each.

[float]
[[osquery-extensions]]
===  Can I use Osquery extensions in {kib}?

Osquery Manager does not currently support 
https://osquery.readthedocs.io/en/stable/deployment/extensions/[Osquery extensions].

[float]
[[osquery-fim]]
===  Can I  do File Integrity Monitoring (FIM)?
Yes, you can set up 
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/[Osquery FIM] using 
the Advanced configuration option for Osquery Manager (see <<osquery-custom-config>>).
However, Elastic also provides a https://docs.elastic.co/en/integrations/fim[File Integrity Monitoring] integration for Elastic Agent, which might prove
to be easier to configure than the current options available for Osquery Manager.

[float]
[[osquery-syntax]]
===  Where can I get help with osquery syntax?

Osquery uses a superset of SQLite for queries.
To get started with osquery SQL, refer to the
https://osquery.readthedocs.io/en/stable/introduction/sql/[Osquery documentation].
For help with more advanced questions, the Osquery community has an active
Slack workspace and GitHub project. You can find links for both at https://osquery.io/[osquery.io].

[float]
[[osquery-updates]]
===  How often is Osquery updated for Osquery Manager?
When a new https://github.com/osquery/osquery/releases[version of Osquery is released], 
it is included in a subsequent Elastic Agent release and applied when the agent is upgraded.
After that, when running queries from Osquery Manager in {kib}, the updated Osquery version is used. 
Refer to the Fleet and Elastic Agent Guide for help with 
{fleet-guide}/upgrade-elastic-agent.html[upgrading Fleet-managed Elastic Agents].

To check what Osquery version is installed on an Elastic Agent, you can run
`SELECT version FROM osquery_info;` as a live query in {kib}. The `version` in the
response is the Osquery version installed on the agent.