Osquery scheduled results

Scheduled queries can be run at a given interval. This can be quite useful for example, checking that configuration of an asset hasn’t changed.

• Code Once clicked will show you a preview of the running query.

• Name The name of the query.

• Results The total number of results that have been returned.

• Interval The time in seconds between each run of the query.

• Active? Shows whether the query is running or not. The query can be disabled and resumed at any time just by clicking this button.

• Created The date of when the query was created.

• Updated The date of when the query was last updated. This may be due to the active state being changed or the queries name.

• Last event The date and time of the last event we saw for this query. This field is updated in real-time.

• Actions These are changes that can be applied to the query.

  • CLONE Clones they query including its current state. Note that the results of the cloned query are not copied over.

  • DELETE Removes the query. Please note that queries are not deleted immediately. However, the results are. Queries will remain within the system for 30 days and are then deleted thereafter.