Osquery adhoc results

Table view

../_images/osquery_live.png
  • Code Once clicked will show you a preview of the running query.
  • Name The name of the query.
  • Results The total number of results that have been returned.
  • Active? Shows whether the query is running or not. The query can be disabled and resumed at any time just by clicking this button.
  • Created The date of when the query was created.
  • Updated The date of when the query was last updated. This may be due to the active state being changed or the queries name.
  • Last event The date and time of the last event we saw for this query. This field is updated in real-time.
  • Actions These are changes that can be applied to the query.
    • CLONE Clones they query including its current state. Note that the results of the cloned query are not copied over.
    • DELETE Removes the query. Please note that queries are not deleted immediately. However, the results are. Queries will remain within the system for 30 days and are then deleted thereafter.

Query results

Once you’ve clicked on a running query you’ll get the following view to display the results returned by the query.

../_images/osquery_results.png