elastic · nastasha-solomon · Jun 27, 2022 · Jun 21, 2022 · Jun 21, 2022 · Jun 21, 2022
@@ -13,8 +13,9 @@ You must complete the following to access Osquery and run searches against your
 ============
 
 
-. Click the *View details* button from the Alerts table to open the Alert details flyout.
-. Click *Take action*, then select *Run Osquery*.
+. Do one of the following from the Alerts table:
+** Click the *View details* button to open the Alert details flyout, then click *Take action -> Run Osquery*.
+** Select the *More actions* menu (*...*), then select *Run Osquery*.
 . Select one or more {agent}s or groups to query. Start typing in the search field to get suggestions for {agent}s by name, ID, platform, and policy.
 
 +
@@ -35,8 +36,15 @@ image::images/setup-query.png[width=80%][height=80%][Shows how to set up the que
 TIP: To save the query for future use, click *Save for later* and define the ID,
 description, and other {kibana-ref}/osquery.html#osquery-manage-query[details].
 
-. Review the results in the table. You can also navigate to *Discover* to dive deeper into the response,
-or use the drag-and-drop *Lens* editor to create visualizations.
+. Review the results in the table. You can also:
+** Navigate to *Discover* to dive deeper into the response.
+** Use the drag-and-drop *Lens* editor to create visualizations.
+** Click the *Timeline* button (image:images/timeline-button-osquery.png[Click markdown icon,20,20]) to investigate a single query result in Timeline or *Add to timeline investigation* to investigate all results.
+
++
+TIP: An `action_ID` is generated when you run an Osquery query. The `action_ID` field and value pair is passed to the Timeline's KQL filter when you select the option to open all results in Timeline.
++
+
 . To view more information about the request, such as failures, open the *Status* tab in the results table.
 +
 [role="screenshot"]