Osquery FAQ
This page answers common questions about using Osquery in Kibana.
The Osquery Manager integration brings Osquery capabilities to the Elastic Stack and makes it easier to manage Osquery across a large number of hosts. Most Osquery functionality works the same way in Kibana as it does when you deploy Osquery yourself. However, there are a few differences and known issues, outlined below.
Full Disk Access (FDA) is required to fully query some tables on macOS, and Osquery Manager does not yet support granting it. This affects a small set of tables that read directories Apple restricts behind heightened permissions, including file, file_events, es_process_events, and any custom ATC tables that read those directories. Queries against these tables still run, but they return no rows from the restricted directories, so an empty result does not prove that a protected directory is empty.
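The following probe is an added example for this FAQ, not a query from the Elastic documentation or the osquery project. It assumes the host is a macOS agent and uses ~/Library/Mail as the illustrative protected directory; any other directory Apple restricts behind FDA works the same way. Run it as a live query against a macOS agent:

```sql
-- Added check (not from the Elastic docs). The paths are illustrative;
-- ~/Library/Mail is one of the directories macOS only exposes to processes
-- holding Full Disk Access.
--
-- Probe 1 lists the UNPROTECTED parent (~/Library) and filters on the entry
-- named "Mail", so a non-zero count proves the directory exists.
-- Probe 2 lists the contents of the PROTECTED directory itself. On an agent
-- without FDA it returns zero rows even though probe 1 found the directory.
--
-- Reading the result: parent_visible > 0 and protected_contents = 0 means
-- the agent lacks FDA; parent_visible = 0 means no such directory at all,
-- which is a different condition and should not be mistaken for the first.
SELECT 'parent_visible' AS probe, COUNT(*) AS rows_returned
  FROM file
 WHERE path LIKE '/Users/%/Library/%'
   AND filename = 'Mail'
UNION ALL
SELECT 'protected_contents' AS probe, COUNT(*) AS rows_returned
  FROM file
 WHERE path LIKE '/Users/%/Library/Mail/%';
```

Both halves are built into one statement because a Kibana live query runs a single statement per host; the UNION ALL keeps the two counts side by side in the result table so the distinction between "no FDA" and "no such directory" is visible without a second query.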
File carving is not yet supported in the Elastic Stack; queries against the carves table return no results.
The Osquery .help command (like the other dot commands of the osqueryi shell) is not available when running live queries in Kibana. Instead, refer to the Osquery schema for all available tables, their fields, and the operating systems each table supports.
Osquery Manager does not currently support Osquery extensions.
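Because the .help and .tables shell commands are unavailable, a live query against the osquery_registry table is the in-band way to list what the agent actually exposes. The query below is an added example for this FAQ, not from the Elastic documentation or the osquery project; it relies only on the osquery_registry utility table, which is built into osquery on every platform:

```sql
-- Added example (not from the Elastic docs): a substitute for osqueryi's
-- .help / .tables that runs as a Kibana live query.
--
-- osquery_registry holds every plugin the running agent has registered;
-- registry = 'table' narrows it to SQL tables, so the result reflects that
-- host's platform and osquery version rather than the generic online schema.
-- owner_uuid is 0 for built-in tables; a non-zero value would mean an
-- extension supplied the table. Since Osquery Manager does not load
-- extensions, every row here should carry owner_uuid = 0.
SELECT name,
       internal,
       owner_uuid
  FROM osquery_registry
 WHERE registry = 'table'
   AND active = 1
 ORDER BY name;
```

Column details for a table found this way still come from the Osquery schema; the registry tells you which tables exist on that host, not which columns they carry.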
You can set up Osquery file integrity monitoring (FIM) through the Advanced configuration option for Osquery Manager (see Customize Osquery configuration). Elastic also provides a File Integrity Monitoring integration for Elastic Agent, which may be easier to configure than the options currently available in Osquery Manager.
Osquery queries are written in the SQLite SQL dialect, extended with osquery-specific virtual tables and functions. To get started with osquery SQL, refer to the Osquery documentation. For more advanced questions, the Osquery community runs an active Slack workspace and GitHub project; links to both are at osquery.io.
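The query below shows the consuming side of an osquery FIM setup as an added example for this FAQ; it is not from the Elastic documentation or the osquery project. It assumes that the Osquery Manager Advanced configuration defines a file_paths category named "etc" covering /etc/%% and that osquery's event publishers are enabled (the disable_events option set to false), which this page does not cover; without both, file_events is simply empty. The category name "etc" and the 50-row limit are choices made for the example:

```sql
-- Added example (not from the Elastic docs). Assumes the Advanced
-- configuration contains a file_paths category "etc" for /etc/%% and that
-- events are enabled; otherwise file_events returns no rows.
--
-- Lists changes recorded under /etc, newest first. ACCESSED is excluded
-- because read events dominate the buffer and carry no integrity signal;
-- the remaining actions (CREATED, UPDATED, DELETED, MOVED_TO, MOVED_FROM,
-- ATTRIBUTES_MODIFIED) all indicate the file or its metadata changed.
-- sha256 is populated only when osquery could hash the file after the
-- event (hashed = 1); a deleted file naturally has no hash.
SELECT datetime(time, 'unixepoch') AS changed_at,
       action,
       target_path,
       uid,
       gid,
       mode,
       size,
       hashed,
       sha256
  FROM file_events
 WHERE category = 'etc'
   AND action <> 'ACCESSED'
 ORDER BY time DESC
 LIMIT 50;
```

In practice this belongs in a scheduled query pack rather than a live query, because file_events is an event buffer: each scheduled run returns the events accumulated since the previous run, which is what turns the table into a continuous integrity monitor rather than a point-in-time snapshot.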
When a new version of Osquery is released, it is included in a subsequent Elastic Agent release and applied when the agent is upgraded. After that, when running queries from Osquery Manager in Kibana, the updated Osquery version is used. Refer to the Fleet and Elastic Agent Guide for help with upgrading Fleet-managed Elastic Agents.
To check what Osquery version is installed on an Elastic Agent, you can run SELECT version FROM osquery_info; as a live query in Kibana. The version in the response is the Osquery version installed on the agent.
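The version check above can be widened into a single fleet inventory query. The statement below is an added example for this FAQ, not from the Elastic documentation or the osquery project; it uses only the built-in osquery_info, os_version and system_info tables, each of which returns exactly one row per host, so the implicit cross join cannot multiply rows:

```sql
-- Added example (not from the Elastic docs): report the installed osquery
-- build next to the host OS so results from many agents can be compared in
-- one Kibana result table or exported to a spreadsheet.
--
-- osquery_info, os_version and system_info each yield one row per host, so
-- the comma join is a plain cross join producing exactly one row.
-- config_valid = 1 confirms the agent accepted its current configuration,
-- and extensions reports "active"/"inactive"; Osquery Manager does not load
-- extensions, so "inactive" is the expected value.
SELECT s.hostname,
       i.version        AS osquery_version,
       i.build_platform,
       i.build_distro,
       i.config_valid,
       i.extensions,
       datetime(i.start_time, 'unixepoch') AS osquery_started_at,
       o.name           AS os_name,
       o.version        AS os_version,
       o.arch
  FROM osquery_info i,
       os_version   o,
       system_info  s;
```

An agent whose osquery_version lags the rest of the fleet after an Elastic Agent upgrade has usually not completed the upgrade yet; osquery_started_at shows whether the osquery process has restarted since, which is the quickest way to tell a pending restart apart from a failed upgrade.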