[DOCS] New option to add Osquery results to a timeline investigation #2060

Closed
melissaburpo opened this issue Jun 9, 2022 · 5 comments · Fixed by #2087
Labels
documentation Improvements or additions to documentation Feature: Osquery Team: Docs Team: Threat Hunting Formerly Data Visibility v8.3.0

Comments

@melissaburpo
Contributor

melissaburpo commented Jun 9, 2022

Description

After running Osquery from an Alert, users now have the option to add the results to an investigation in timeline. There are two ways to add the results:

  • Add a single row of results to timeline.
  • Add all results to timeline.

Both options are shown in the screenshot below.

If you select the "Add to timeline investigation" option from the top of the Results, this will add all results. If you select the single row option (hover shown below), this adds just that row of data to Timeline.

[screenshot: both "add to timeline" options in the Osquery results]

Related PR

This change was implemented with elastic/kibana#128596 and is targeted for the 8.3 release.

Acceptance Test Criteria

The Run Osquery page is updated with this new option. This likely impacts the options related to step 7 and the screenshot in step 8.

Here's a more zoomed in screenshot of just the Results section with the new timeline buttons.

[screenshot: add-to-timeline-osquery]

Other notes

It may not be worth noting the docs, but in case it's useful info: this option is only available when running osquery within the Security solution. Users won't see this option if they run a live query in the main Kibana > Osquery > Live query page.

@nastasha-solomon
Contributor

Thanks for filing this @melissaburpo ! I have some initial questions about these changes and some general questions:

  • Are each of these results considered "events" and are they represented as events in Timeline?

[screenshot: osquery-results]

  • When I added an individual Osquery result to Timeline, the Timeline query showed a single ID. What is that ID? What does it represent?

[screenshot: osquery-individ-result]

  • I tested the option to add all Osquery results to Timeline and noticed that the KQL query bar at the top of the Timeline page gets automatically populated with a query. A few questions about this query:
    • How is it formed? Is there a base query that gets formed when users click on the option to add all Osquery results to Timeline? What fields are included in the query and are these ECS fields?
    • I also noticed the query sometimes changes. For example, in the handful of times I've tested this, the query will adjust to include additional action_ids (example below). What dictates the contents of the query?

[screenshot: expanded query]

@melissaburpo
Contributor Author

Hi @nastasha-solomon, all great questions! I think @tomsonpl might be the best able to answer these for you; he worked on the feature and is most familiar with how it works :)

@tomsonpl

tomsonpl commented Jun 17, 2022

Hey, thanks for reaching out, I'll try to help the best I can :)

1. Are each of these results considered "events" and are they represented as events in Timeline?

  • From how I understand - YES, I consider them events. When we add action_id to timeline by clicking the bigger button in the results table then all the rows in the osquery results table (events) are added. But if we click the add to timeline Icon on the left of the row, then we send the eventId, and filter only that one row.

2. When I added an individual Osquery result to Timeline, the Timeline query showed a single ID. What is that ID? What does it represent?

  • This is the _id of an event - in our case the id of the row in results.

[Screenshot 2022-06-17 at 09:11:50]

[Screenshot 2022-06-17 at 08:51:19]

3. I tested the option to add all Osquery results to Timeline and noticed that the KQL query bar at the top of the Timeline page gets automatically populated with a query. A few questions about this query:
How is it formed? Is there a base query that gets formed when users click on the option to add all Osquery results to Timeline? What fields are included in the query and are these ECS fields?
I also noticed the query sometimes changes. For example, in the handful of times I've tested this, the query will adjust to include additional action_ids (example below). What dictates the contents of the query?

  • What we do is only add either _id or action_id to filters. Unfortunately, I am not sure what else you are referring to, so probably we will have to meet up on Monday just to clarify this quickly :)
  • We keep adding to the timeline's filters - it may contain multiple _ids, as well as action_ids. If the user keeps running osquery queries, each of them gets a new action_id, and adding them to timeline - multiple action_ids in filters will be the result of this.

I hope this helps, if not fully - I'll be happy to meet to figure stuff out together :)
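The two behaviours described above (a single row adds its `_id`, "add all" adds the run's `action_id`, and repeated adds accumulate), modelled as an added example that is not code from the Kibana project. The result documents, the filter class and the KQL-style rendering are all constructed assumptions; Timeline's real query syntax is not shown on this page.

```python
"""Model of how Timeline filters accumulate when osquery results are added.

Added example, not Kibana code. Assumes each osquery result row carries an
`_id` (per row) and an `action_id` (per query run), as described in the issue.
"""
from dataclasses import dataclass, field

# Constructed sample: two osquery runs (two action_ids), three result rows.
RESULTS = [
    {"_id": "row-1", "action_id": "act-A", "host": "web-01", "pid": 101},
    {"_id": "row-2", "action_id": "act-A", "host": "web-02", "pid": 202},
    {"_id": "row-3", "action_id": "act-B", "host": "web-01", "pid": 303},
]


@dataclass
class TimelineFilters:
    """Accumulated filters; ids come from single-row adds, action_ids from add-all."""
    ids: set = field(default_factory=set)
    action_ids: set = field(default_factory=set)

    def add_row(self, row):
        # Single-row button: only that row's _id is sent to Timeline.
        self.ids.add(row["_id"])

    def add_all(self, action_id):
        # "Add to timeline investigation": the whole run, keyed by action_id.
        self.action_ids.add(action_id)

    def matches(self, doc):
        return doc["_id"] in self.ids or doc["action_id"] in self.action_ids

    def apply(self, docs):
        """Return the result rows Timeline would show for the current filters."""
        return [d for d in docs if self.matches(d)]

    def kql(self):
        """Constructed KQL-style rendering of the OR'ed filters (assumed syntax)."""
        terms = [f'_id: "{i}"' for i in sorted(self.ids)]
        terms += [f'action_id: "{a}"' for a in sorted(self.action_ids)]
        return " or ".join(terms)


if __name__ == "__main__":
    f = TimelineFilters()
    f.add_row(RESULTS[1])   # one row only
    f.add_all("act-B")      # then a whole second run
    print(f.kql())
    print([d["_id"] for d in f.apply(RESULTS)])
```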

@nastasha-solomon
Contributor

nastasha-solomon commented Jun 21, 2022

Thanks for the follow-up meeting today @tomsonpl ! I created an ESTEC test instance to test both options and got the expected outcomes. When I added a single result, only the event ID filter (_id) was passed to Timeline. When I added all results to Timeline, only the action_ID (the ID that's generated when users run an Osquery query) was passed to Timeline. I checked both options in the 8.3.0 BC5 test deployment we're using for doc testing and observed the same behavior which makes me think I encountered a bug when I left my initial questions for you. Anyways, glad it works the way we discussed!

Adding a single result to Timeline:
[screenshot: add-single-result]

Adding all results to Timeline:
[screenshot: add-all-results]

@tomsonpl

Thanks @nastasha-solomon, that's great news :) Thanks for sharing - I'll try to remember about the other filter fields, just in case it happens again in the future! 👍 Let me know if you need anything else, I will try to help, or find out if I don't know it yet.
