Description
Investigation guides provide helpful information for analysts who are responding to detection alerts. These guides appear on the rule details page and in timelines (as notes) created from detection alerts generated by the rule.
Often, analysts need to gather more information about a host as part of their investigation, and the guide may include recommended queries to help with that inquiry. Currently, to run these in osquery, users have to copy the query, navigate to the Osquery app, and run it there. It would improve the analyst workflow if they could run osquery directly from the investigation guide instead.
Related issues/PRs
Acceptance Test Criteria
Users can add queries to a prebuilt rule's investigation guide by editing the rule's settings (see Steps below).
Pre-reqs:
- Need the integration installed, the appropriate role privs, and a healthy agent. All pre-reqs are outlined here.
- The prebuilt rule must be a custom query type
Steps:
- Select a rule and view its details.
- Edit rule settings.
- Go to the Actions tab.
- Under the Response Actions section, click Osquery.
- Choose to run a single query or a query pack.
- Optional. Add more queries by clicking the osquery icon.
- Click Save changes.
- On the rule's details page, click the Investigation guide tab. An Osquery option should appear at the end of the rule's investigation guide.
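The same configuration can be scripted for many rules at once. The following is an added example, not code from this issue or from Kibana: it builds and validates a detection-rule PATCH body that attaches osquery response actions, enforcing the constraints the steps above describe (a single query or a query pack per action, only custom query rules). The request shape (the `response_actions` array, `action_type_id` `.osquery`, the `params` keys `query`, `saved_query_id`, `pack_id`, `ecs_mapping` and `timeout`, and the `/api/detection_engine/rules` endpoint) reflects the Kibana rule API as understood here and should be treated as an assumption to verify against your version; the sample rule, pack id and Kibana URL are constructed placeholders.

```python
"""Build a Kibana detection-rule PATCH that attaches osquery response actions.

Added example; field names below are assumptions about the Kibana rule API,
not copied from the original issue. Verify them against your Kibana version.
"""
import json
import re
import shlex

OSQUERY_ACTION_TYPE_ID = ".osquery"            # assumption: osquery response action type id
RULES_ENDPOINT = "/api/detection_engine/rules"  # assumption: rule PATCH endpoint
MAX_TIMEOUT_SECONDS = 900

# osquery itself only accepts SELECT statements, but a response action runs on
# every alert the rule produces, so reject anything that is not a single
# read-only statement before it ever reaches a rule.
_READ_ONLY_RE = re.compile(r"^\s*(select|with)\b", re.IGNORECASE)


def osquery_action(*, query=None, saved_query_id=None, pack_id=None,
                   ecs_mapping=None, timeout=None):
    """Return one osquery response action: exactly one of a live query,
    a saved query id, or a query pack id (matching the UI's single query /
    query pack choice)."""
    sources = [s for s in (query, saved_query_id, pack_id) if s]
    if len(sources) != 1:
        raise ValueError("give exactly one of query, saved_query_id, pack_id")
    if query is not None:
        if not _READ_ONLY_RE.match(query):
            raise ValueError("osquery response actions must be read-only SELECT/WITH queries")
        if ";" in query.rstrip().rstrip(";"):
            raise ValueError("one statement per query; remove the extra ';'")
    if timeout is not None and not 0 < timeout <= MAX_TIMEOUT_SECONDS:
        raise ValueError(f"timeout must be 1..{MAX_TIMEOUT_SECONDS} seconds")

    params = {}
    if query is not None:
        params["query"] = query.strip()
    if saved_query_id is not None:
        params["saved_query_id"] = saved_query_id
    if pack_id is not None:
        params["pack_id"] = pack_id
    if ecs_mapping:
        # ecs_mapping: ECS field -> {"field": osquery column} or {"value": literal}
        for ecs_field, spec in ecs_mapping.items():
            if set(spec) not in ({"field"}, {"value"}):
                raise ValueError(f"ecs_mapping[{ecs_field!r}] needs exactly one of 'field' or 'value'")
        params["ecs_mapping"] = ecs_mapping
    if timeout is not None:
        params["timeout"] = timeout
    return {"action_type_id": OSQUERY_ACTION_TYPE_ID, "params": params}


def attach_osquery(rule, actions):
    """Build the PATCH body that appends `actions` to `rule` (a rule object as
    returned by the rules API), keeping any response actions already present.
    Only custom query rules (type "query") may carry osquery response actions."""
    if rule.get("type") != "query":
        raise ValueError(f"rule {rule.get('rule_id')!r} is type {rule.get('type')!r}; "
                         "only custom query rules can carry osquery response actions")
    existing = list(rule.get("response_actions", []))
    return {"rule_id": rule["rule_id"], "response_actions": existing + list(actions)}


def as_curl(patch_body, kibana_url="https://kibana.example.internal:5601",
            api_key_env="KIBANA_API_KEY"):
    """Render the request as a curl command. Kibana rejects non-GET calls
    without the kbn-xsrf header; the API key is read from the environment."""
    body = shlex.quote(json.dumps(patch_body, separators=(",", ":")))
    return (f"curl -sS -X PATCH {shlex.quote(kibana_url + RULES_ENDPOINT)} "
            f"-H 'kbn-xsrf: true' -H 'Content-Type: application/json' "
            f"-H \"Authorization: ApiKey ${api_key_env}\" --data-binary {body}")


# Constructed sample rule object (not a real prebuilt rule); only the fields
# this example reads are filled in.
SAMPLE_RULE = {
    "rule_id": "00000000-0000-4000-8000-000000000000",
    "name": "Example Suspicious Process Rule",
    "type": "query",
    "response_actions": [],
}


def example_patch():
    """Attach one ad-hoc query with ECS mapping and one hypothetical pack."""
    actions = [
        osquery_action(
            query="SELECT pid, name, path, cmdline FROM processes WHERE on_disk = 0;",
            ecs_mapping={"process.pid": {"field": "pid"},
                         "process.executable": {"field": "path"}},
            timeout=120,
        ),
        osquery_action(pack_id="incident-response-pack-id"),  # hypothetical pack id
    ]
    return attach_osquery(SAMPLE_RULE, actions)


if __name__ == "__main__":
    print(as_curl(example_patch()))
```

The read-only and single-statement checks matter because a response action fires without an analyst in the loop: every query attached here runs on the host behind each new alert, so the attachment step is the place to review what it does.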
Notes
- As of 8.5, users can only add Osquery queries to prebuilt rules that are the custom query type.
- Users can view the attached queries from the rule's details page or the Alert details flyout (at the bottom).
- Verify that Osquery results are stored in the Osquery tab of an alert.
- Check where users can access query results if no alerts are generated.