Deploy osquery with Elastic Agent, then run and schedule queries in Kibana
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
With this integration, you can centrally manage Osquery deployments to Elastic Agents in your Fleet and query host data through distributed SQL.
This integration adds an Osquery UI in Kibana where you can:
Osquery results are stored in Elasticsearch, so that you can use the power of the stack to search, analyze, and visualize Osquery data.
For information about using Osquery, see the Osquery Kibana documentation. This includes information about required privileges; how to run, schedule, and save queries; how to map osquery fields to ECS; and other useful information about managing Osquery with this integration.
For a full list of fields that can be returned in osquery results, see the Exported Fields reference in the Kibana documentation.
| Version | Details |
|---|---|
1.7.3 | Enhancement View pull request Resolve mapping conflicts for user.id, user.group.id, group.id |
1.7.2 | Enhancement View pull request Fix mapping conflicts |
1.7.1 | Enhancement View pull request Added categories and/or subcategories. |
1.7.0 | Enhancement View pull request Update schema for osquery 5.7.0 |
1.6.0 | Enhancement View pull request Fix osquery_manager data_stream values for 8.6.0 with ingest pipeline |
1.5.1 | Enhancement View pull request Update kibana constraint to ^8.6 |
1.5.0 | Enhancement View pull request Update schema for osquery 5.5.1 |
1.4.1 | Enhancement View pull request Add prebuilt DFIR-related saved queries |
1.4.0 | Enhancement View pull request Update schema for osquery 5.4.0 |
1.3.2 | Bug fix View pull request Fix field mapping conflicts Enhancement View pull request Update to ECS v8.3.0 |
1.3.1 | Enhancement View pull request Update prebuilt saved queries objects |
1.3.0 | Enhancement View pull request Add prebuilt saved queries |
1.2.1 | Enhancement View pull request Update readme to remove exported fields |
1.2.0 | Enhancement View pull request Add packs and dashboards |
1.1.0 | Enhancement View pull request Upgrade schema and readme to match osquery 5.2.2. |
1.0.0 | Enhancement View pull request GA |
0.8.1 | Enhancement View pull request Add explicit mapping for the text fields |
0.8.0 | Enhancement View pull request Add 8.0.0 version constraint |
0.7.4 | Enhancement View pull request Update fields and readme with host_users, host_groups, host_processes tables. |
0.7.3 | Enhancement View pull request Update team owner. |
0.7.2 | Enhancement View pull request Update description. |
0.7.1 | Enhancement View pull request Update ecs.yml to include all date and ip ECS 1.12.0 fields types. |
0.7.0 | Enhancement View pull request Update to ECS 1.12.0 |
0.6.1 | Enhancement View pull request Upgrade schema and readme to match osquery 5.0.1. |
0.6.0 | Enhancement View pull request Change the package to adopt the native osquery configuration better. |
0.5.3 | Enhancement View pull request Updates readme and adds link to Kibana docs |
0.5.2 | Enhancement View pull request Updates host.ip field mapping from keyword to ip data type |
0.5.1 | Enhancement View pull request Updates mapping and readme for osquery 4.9.0 |
0.5.0 | Enhancement View pull request Update integration description |
0.4.1 | Enhancement View pull request Update ECS mapping format based on the latest developers feedback |
0.4.0 | Enhancement View pull request ECS mapping configuration support for queries/streams |
0.3.2 | Enhancement View pull request Updates Osquery Manager readme for 7.14 Release |
0.3.1 | Enhancement View pull request Updates Osquery Manager mapping and readme for osquery 4.8.0 |
0.3.0 | Enhancement View pull request Add platform and version fields to the streams configuration |
0.2.4 | Enhancement View pull request Update schema fields description and README |
0.2.3 | Enhancement View pull request Update manifest and README |
0.2.2 | Enhancement View pull request Update docs |
0.2.1 | Enhancement View pull request change to beta |
0.2.0 | Enhancement View pull request Explicit mappings |
0.1.0 | Enhancement View pull request initial release |