New: Run Live Queries Continuously

Ever write a useful Live Query and wish you could run it continuously to keep the results up-to-date? With the newly released Continuous Live Query option, you can now run those queries on a scheduled interval so you can always have the latest data.

About Live Query

When we launched Live Query last November, it introduced a way for you and your team to quickly run osquery SQL on all the devices in your fleet, and receive an instantaneous response from online devices.

When we launched the feature though, it contained two major limitations:

  1. You could only target specific devices in your fleet
  2. The query would only run once on the devices you targeted

With this update, both of these limitations are eliminated, and Live Query is now a much more powerful tool for regularly collecting device data your organization cares about.

New Target Selector

When you run queries continuously, it is very important to be able to select devices by their platform so that newly enrolled devices will be targeted by the query in future runs.

In anticipation of Continuous Live Query, we have rebuilt the target selector to now make this group selection possible.

Running Queries Continuously

To run write a query that will run continuously, simply write a new query and press Save/Run. Once you are happy the query returns the data you are looking for, you can click the "Draft" button, and in the modal that appears, select Published under visibility options. This should reveal an option where you can choose the desired continuous interval you would like to run the query.


Additional Published Query Protection

When you publish a Live Query, you allow others on your team to see it. Unfortunately, even well-meaning team members may not realize that when they modify that query, they may be erasing/modifying important information that others rely on.

To help mitigate this, users will now notice the Save & Run button turns orange when either the SQL or targets are modified.

If they click the orange Save & Run button, they will now be presented with a helpful dialog that gives them a number of options that clarifies their intent.

Feedback/Questions?

These changes represent just a small portions of the plans we have for improving Live Query this year.

We hope you find these improvements useful, and we welcome any feedback or suggestions on how we can make them even better.

New Structured OS info in Device API

We've added much more granular detail for device operating system information to the /api/v0/devices endpoints. After hearing some feedback regarding the device OS information field, we decided that it made sense to include the device operating system details as a nested object field in the Device schema. The new operating_system_details property included in the device schema looks like this:

      "operating_system_details": {
"device_id": 11111,
"platform": "windows",
"name": "Microsoft Windows 10 Enterprise Evaluation",
"codename": "Microsoft Windows 10 Enterprise Evaluation",
"version": "10.0.17763",
"build": "17763",
"major_version": 10,
"minor_version": 0,
"patch_version": null,
"ubr": 1098,
"release_id": 1809
}
"operating_system_details": {
"device_id": 11,
"platform": "darwin",
"name": "Mac OS X",
"codename": "Catalina",
"version": "10.15.3",
"build": "19D76",
"major_version": 10,
"minor_version": 15,
"patch_version": 3,
"ubr": null,
"release_id": null
}

You can view the documentation for the devices endpoint here: https://kolidek2.readme.io/reference#get_devices-1

We hope that this is helpful, and we'd love to hear feedback or suggestions on this update!

API - Additional Fields for Devices

Ever wish all the output from the Device CSV download was included in the Device API response? Ever wonder why the failures count for devices in the API seemed to never decrease? Well, we've got some exciting news, we've addressed both of these issues in the latest release of the API!

Here is the complete change log.

  • Fixed a bug in the failure_count attribute returned from /api/v0/devices/<ID> . Previously, some ignored failures were included in this number, but only ongoing, unresolved failures were meant to be included. Note any sudden decreases in failures for a device (as reported by the API) may be explained by this update.
  • Added many more attributes to the response returned from /api/v0/devices/<ID>. Of note, the device's serial number is now included in the response, and the device's owner information is embedded directly in the device object. See https://kolidek2.readme.io/v0.1.0/reference#get_devices-id for a complete list of the attributes included.
  • The email for device owners (where applicable) is now included alongside the id and name - see https://kolidek2.readme.io/reference#devicesdeviceidowner for details

If you are interested in trying out our Beta API and you are an administrator, click here to learn more. As always, we'd love to hear any feedback you may have!