[DOCS] Osquery response action #2513

@nastasha-solomon

Description

When an alert condition is triggered, an analyst’s first step is often to manually collect data about the system that triggered the alert. Automating this process at detection time would improve the analyst’s workflow: it would reduce the amount of time spent investigating alerts and accelerate identification of possible issues on osquery-enabled agents.

Users can add an Osquery response option in the following scenarios:

  • When creating a custom query rule
    • The Actions section now has two parts: Actions and Response Actions. Osquery is under Response Actions
    • Note that actions and response actions run on separate schedules.
  • When editing an existing custom query rule
    • There is a new Response Actions section within the Actions tab
  • When editing a prebuilt rule that is of the custom query type (see sub-bullet above)

Related issues/PRs

Testing steps

Testing three tasks:

  • Setting up Osquery queries to run/collect information when a query rule is triggered (and an alert is generated)
  • Viewing Osquery results on an alert (?)
  • Adding Osquery queries to an existing query rule so that it begins collecting data when the rule is triggered:

Setting up Osquery queries to run/collect information when a query rule is triggered

Prereqs
Prereqs are included in the note here.

Create a rule and add an Osquery response action

  1. Navigate to the rules page in Elastic Security (Security > Manage > Rules).
  2. Create a new rule.
  3. Click Create new rule.
  4. Choose the custom query rule type.
  5. Configure the rule as follows:
  6. Under the Response Actions section, click Osquery.
  7. Choose to run a live query or a query pack. Instructions are here.
    NOTE: You can add one or more Osquery response actions to a rule.
  8. Save and enable the rule.
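As an added illustration (not part of the original issue), the following is the kind of live query a practitioner would attach in step 7. The response action runs on the osquery-enabled agent that produced the alert, so the query should collect the triage data an analyst would otherwise gather by hand: the process tree plus any listening sockets at the moment of detection. Table and column names are from the standard osquery schema (`processes`, `listening_ports`, `users`); the specific selection of columns is this example's choice, not something the issue prescribes.

```sql
-- Added example query for an Osquery response action (not from the original issue).
-- Snapshot every process that holds a listening socket, with its parent and owning user,
-- so the alert's Osquery results tab shows what was exposed on the host at detection time.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent                    AS parent_pid,
  pp.name                     AS parent_name,
  u.username,
  lp.protocol,
  lp.address,
  lp.port,
  datetime(p.start_time, 'unixepoch') AS started_at
FROM listening_ports AS lp
JOIN processes AS p  ON p.pid = lp.pid
LEFT JOIN processes AS pp ON pp.pid = p.parent
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0            -- ignore unbound/ephemeral entries
ORDER BY lp.port;
```

When adding this as a live query in the rule's Response Actions section, you can also map columns to ECS fields (for example `p.pid` to `process.pid`, `lp.port` to `destination.port`) so the results are searchable alongside the alert; whether you do so depends on how you intend to pivot on the data.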

Viewing Osquery results on an alert (?)

  1. Open the rule and scroll down the page to view its alerts.
  2. Open an alert to view its details, then click the Osquery results tab. The tab displays the number of queries you added to the rule.

Adding Osquery queries to an existing query rule so that it begins collecting data when the rule is triggered:

Prereqs
Prereqs are included in the note here.

Edit a rule and add an Osquery response action

  1. Navigate to the rules page in Elastic Security (Security > Manage > Rules).
  2. Click on a rule in the table to open its details page.
    NOTE: You can only add an Osquery response action to a custom query rule.
  3. Click Edit rule settings.
  4. Go to the Actions tab.
  5. Under the Response Actions section, click Osquery.
  6. Choose to run a live query or a query pack. Instructions are here.
    NOTE: You can add one or more Osquery response actions to a rule.
  7. Save the rule changes.

Notes

  • This feature is still in technical preview and requires the Gold license.
  • If users update a saved query or query pack that they're using on a rule, they will need to manually re-select the saved query/pack for the rule. At the moment, changes made to saved queries and packs are not automatically applied to rules.
  • When editing a query rule, the Response Actions section still displays, even if the Osquery manager integration isn't installed. Users still can't run queries though.

[Screenshot: osquery-rule-edit]

Doc updates
