Osquery scheduled results

Scheduled queries can be run at a given interval. This can be quite useful for example, checking that configuration of an asset hasn’t changed.

• Code Once clicked will show you a preview of the running query.
• Name The name of the query.
• Results The total number of results that have been returned.
• Interval The time in seconds between each run of the query.
• Active? Shows whether the query is running or not. The query can be disabled and resumed at any time just by clicking this button.
• Created The date of when the query was created.
• Updated The date of when the query was last updated. This may be due to the active state being changed or the queries name.
• Last event The date and time of the last event we saw for this query. This field is updated in real-time.
• Actions These are changes that can be applied to the query.
  • CLONE Clones they query including its current state. Note that the results of the cloned query are not copied over.
  • DELETE Removes the query. Please note that queries are not deleted immediately. However, the results are. Queries will remain within the system for 30 days and are then deleted thereafter.