Fleet UI
Create a query
Queries in Fleet allow you to ask a multitude of questions to help you manage, monitor, and identify threats on your devices.
If you're unsure of what to ask, head to Fleet's query library. There you'll find common queries that have been tested by members of our community.
How to create a query:
- In the top navigation, select Queries.
- Select Create new query to navigate to the query console.
- In the Query field, enter your query. Remember, you can find common queries in Fleet's library.
- Select Save, enter a name and description for your query, and select Save query.
Run a query
Run a live query to get answers for all of your online hosts.
Offline hosts won’t respond to a live query because they may be shut down, asleep, or not connected to the internet.
How to run a query:
- In the top navigation, select Queries.
- In the Queries table, find the query you'd like to run and select the query's name to navigate to the query console.
- Select Run query to navigate to the target picker. Select All hosts and select Run. This will run the query against all your hosts.
The query may take several seconds to complete because Fleet has to wait for the hosts to respond with results.
Fleet's query response time is inherently variable because osquery on each host checks in with Fleet on an interval (its heartbeat) rather than holding a connection open, so a live query cannot return before the next check-in. That interval is what keeps the agent from causing performance issues on hosts.
Schedule a query
Fleet allows you to schedule queries. Scheduled queries will send data to your log destination automatically.
The default log destination, filesystem, is a good place to start. With this set, data is sent to the /var/log/osquery/osqueryd.snapshots.log file on each host’s filesystem. To see which log destinations are available in Fleet, head to the log destinations page.
How to schedule a query:
- In the top navigation, select Schedule.
- Select Schedule a query.
- Select the Select query dropdown and choose the query that you'd like to run on a schedule.
- Select the Frequency dropdown and choose how often you'd like the query to run and send results to your log destination. Every hour is a good frequency to start. You can change this later.
- Select Schedule.
With Fleet Premium, you can schedule queries for groups of hosts, which Fleet Premium calls "teams." This lets you collect different data for each team.
How to use teams to schedule queries for a group of hosts:
- If you haven't already, first create a team and transfer hosts to the team.
- In the Teams dropdown below the top navigation, select the team.
- Follow the "How to schedule a query" instructions above.
Update agent options
Fleet allows you to update the settings of the agent installed on all your hosts at once. In Fleet, these settings are called "agent options."
The default agent options are good to start.
How to update agent options:
- In the top navigation, select your avatar and select Settings. Only users with the admin role can access the pages in Settings.
- On the Organization settings page, select Agent options on the left side of the page.
- Use Fleet's YAML editor to configure your osquery options, decorators, or set command line flags. To see all agent options, head to the agent options documentation.
- Place your new setting one level below the options key: the new setting's key goes on the line below options, indented one level to the right of it.
- Select Save.
The agents may take several seconds to update because Fleet has to wait for the hosts to check in. Additionally, hosts enrolled with removed enroll secrets must properly rotate their secret to have the new changes take effect.