Draft
21 commits
8449b80
Add result_counts to live query details API behind feature flag
szwarckonrad Apr 20, 2026
4edf4ce
Merge branch 'main' into osquery-about-tab-api
szwarckonrad Apr 20, 2026
e798e71
Address code review feedback: logging, OpenAPI pack fields, and test …
szwarckonrad Apr 20, 2026
10e6b33
Remove vacuous result_counts FTR test
szwarckonrad Apr 20, 2026
dea275d
Changes from yarn openapi:generate
kibanamachine Apr 20, 2026
fa7dcee
Changes from yarn openapi:bundle
kibanamachine Apr 20, 2026
4525e5e
Changes from node scripts/eslint_all_files --no-cache --fix
kibanamachine Apr 20, 2026
4fead25
Merge branch 'main' into osquery-about-tab-api
szwarckonrad Apr 20, 2026
4f5c676
Changes from make api-docs
kibanamachine Apr 20, 2026
4140bc3
Merge branch 'main' into osquery-about-tab-api
szwarckonrad Apr 21, 2026
b1d2e93
Fix eslint naming-convention error and revert OpenAPI examples to 3.0…
szwarckonrad Apr 21, 2026
aed7c2b
Changes from yarn openapi:bundle
kibanamachine Apr 21, 2026
3a3ba64
Merge branch 'main' into osquery-about-tab-api
szwarckonrad Apr 21, 2026
5e8fd5b
Remove internal feature flag reference from OpenAPI schema description
szwarckonrad Apr 21, 2026
6eb3a08
Merge branch 'main' into osquery-about-tab-ui
szwarckonrad Apr 21, 2026
c7c63d3
Add About tab UI for live query and scheduled execution details
szwarckonrad Apr 21, 2026
6c249df
Changes from make api-docs
kibanamachine Apr 22, 2026
4820982
Changes from yarn openapi:generate
kibanamachine Apr 22, 2026
7fdceff
Merge branch 'main' into osquery-about-tab-ui
szwarckonrad Apr 22, 2026
1e9ceed
Merge branch 'osquery-about-tab-ui' of https://github.com/szwarckonra…
szwarckonrad Apr 22, 2026
a876f84
Merge branch 'main' into osquery-about-tab-ui
szwarckonrad Apr 22, 2026
43 changes: 41 additions & 2 deletions oas_docs/output/kibana.serverless.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62218,7 +62218,7 @@ paths:

Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp).
Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp, and optionally queryInterval when the resultCountsEnabled experimental feature is enabled).
operationId: OsqueryGetScheduledActionResults
parameters:
- description: The schedule ID of the scheduled query.
Expand Down Expand Up @@ -62292,6 +62292,7 @@ paths:
executionCount: 3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
queryInterval: 3600
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
Expand Down Expand Up @@ -113529,6 +113530,11 @@ components:
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
result_counts:
error_agents: 0
responded_agents: 1
successful_agents: 1
total_rows: 42
status: completed
user_id: elastic
type: object
Expand Down Expand Up @@ -113595,6 +113601,26 @@ components:
description: Number of successful agents.
type: integer
type: array
result_counts:
description: |
Aggregated result count statistics for the query. May be omitted when aggregation data is unavailable. Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.
type: object
properties:
error_agents:
type: integer
queries_total:
description: Total number of sub-queries in the pack (pack actions only).
type: integer
queries_with_results:
description: Number of sub-queries that returned at least one row (pack actions only).
type: integer
responded_agents:
description: Number of agents that responded (single-query actions only).
type: integer
successful_agents:
type: integer
total_rows:
type: integer
status:
description: Global status of the live query (completed, running).
enum:
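Review bot: In the new `result_counts` properties, `error_agents`, `successful_agents` and `total_rows` are published with no description, while `responded_agents`, `queries_total` and `queries_with_results` each have one. Add one-line descriptions for the three in the source schema and regenerate, stating in particular whether `total_rows` is summed across all agents and, for packs, across all sub-queries, so API consumers do not have to guess what is being counted.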
Expand Down Expand Up @@ -113683,12 +113709,20 @@ components:
type: string
type: array
result_counts:
description: Result count statistics (present when withResultCounts is true).
description: |
Result count statistics (present when withResultCounts is true). Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.
type: object
properties:
error_agents:
type: integer
queries_total:
description: Total number of sub-queries in the pack (pack actions only).
type: integer
queries_with_results:
description: Number of sub-queries that returned at least one row (pack actions only).
type: integer
responded_agents:
description: Number of agents that responded (single-query actions only).
type: integer
successful_agents:
type: integer
Expand Down Expand Up @@ -114105,6 +114139,7 @@ components:
executionCount: 3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
queryInterval: 3600
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
Expand Down Expand Up @@ -114424,6 +114459,10 @@ components:
packName:
description: The name of the pack containing the query.
type: string
queryInterval:
description: |
Interval in seconds from the pack saved object query definition. Present only when the resultCountsEnabled experimental feature is enabled and the pack query defines an interval.
type: integer
queryName:
description: The name of the query within the pack.
type: string
Expand Down
43 changes: 41 additions & 2 deletions oas_docs/output/kibana.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65485,7 +65485,7 @@ paths:

Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.

Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp).
Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp, and optionally queryInterval when the resultCountsEnabled experimental feature is enabled).
operationId: OsqueryGetScheduledActionResults
parameters:
- description: The schedule ID of the scheduled query.
Expand Down Expand Up @@ -65559,6 +65559,7 @@ paths:
executionCount: 3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
queryInterval: 3600
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
Expand Down Expand Up @@ -125029,6 +125030,11 @@ components:
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
result_counts:
error_agents: 0
responded_agents: 1
successful_agents: 1
total_rows: 42
status: completed
user_id: elastic
type: object
Expand Down Expand Up @@ -125095,6 +125101,26 @@ components:
description: Number of successful agents.
type: integer
type: array
result_counts:
description: |
Aggregated result count statistics for the query. May be omitted when aggregation data is unavailable. Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.
type: object
properties:
error_agents:
type: integer
queries_total:
description: Total number of sub-queries in the pack (pack actions only).
type: integer
queries_with_results:
description: Number of sub-queries that returned at least one row (pack actions only).
type: integer
responded_agents:
description: Number of agents that responded (single-query actions only).
type: integer
successful_agents:
type: integer
total_rows:
type: integer
status:
description: Global status of the live query (completed, running).
enum:
Expand Down Expand Up @@ -125183,12 +125209,20 @@ components:
type: string
type: array
result_counts:
description: Result count statistics (present when withResultCounts is true).
description: |
Result count statistics (present when withResultCounts is true). Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.
type: object
properties:
error_agents:
type: integer
queries_total:
description: Total number of sub-queries in the pack (pack actions only).
type: integer
queries_with_results:
description: Number of sub-queries that returned at least one row (pack actions only).
type: integer
responded_agents:
description: Number of agents that responded (single-query actions only).
type: integer
successful_agents:
type: integer
Expand Down Expand Up @@ -125605,6 +125639,7 @@ components:
executionCount: 3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
queryInterval: 3600
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
Expand Down Expand Up @@ -125924,6 +125959,10 @@ components:
packName:
description: The name of the pack containing the query.
type: string
queryInterval:
description: |
Interval in seconds from the pack saved object query definition. Present only when the resultCountsEnabled experimental feature is enabled and the pack query defines an interval.
type: integer
queryName:
description: The name of the query within the pack.
type: string
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -82,14 +82,26 @@ export const FindLiveQueryResponse = z.object({
)
.optional(),
/**
* Result count statistics (present when withResultCounts is true).
*/
* Result count statistics (present when withResultCounts is true). Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.

*/
result_counts: z
.object({
total_rows: z.number().int().optional(),
/**
* Number of agents that responded (single-query actions only).
*/
responded_agents: z.number().int().optional(),
successful_agents: z.number().int().optional(),
error_agents: z.number().int().optional(),
/**
* Number of sub-queries that returned at least one row (pack actions only).
*/
queries_with_results: z.number().int().optional(),
/**
* Total number of sub-queries in the pack (pack actions only).
*/
queries_total: z.number().int().optional(),
})
.optional(),
})
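Review bot: The regenerated JSDoc for `result_counts` now ends with an empty line before the closing `*/`, which the previous single-line comment did not have. It comes from the folded `description: >` scalar in the schema YAML, which keeps a trailing newline; using `>-` there strips it and keeps the generated comment (and the bundled `description: |` output) tidy.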
Expand Down Expand Up @@ -119,6 +131,29 @@ export const FindLiveQueryDetailsResponse = z.object({
* Global status of the live query (completed, running).
*/
status: z.enum(['completed', 'running']).optional(),
/**
* Aggregated result count statistics for the query. May be omitted when aggregation data is unavailable. Single-query actions include responded_agents; pack actions include queries_with_results and queries_total instead.

*/
result_counts: z
.object({
total_rows: z.number().int().optional(),
/**
* Number of agents that responded (single-query actions only).
*/
responded_agents: z.number().int().optional(),
successful_agents: z.number().int().optional(),
error_agents: z.number().int().optional(),
/**
* Number of sub-queries that returned at least one row (pack actions only).
*/
queries_with_results: z.number().int().optional(),
/**
* Total number of sub-queries in the pack (pack actions only).
*/
queries_total: z.number().int().optional(),
})
.optional(),
/**
* The queries with their execution status.
*/
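Review bot: The single-query versus pack distinction for `result_counts` exists only in the comments: all six fields are `.optional()` on one object, so a payload carrying both `responded_agents` and `queries_total`, or none of the fields at all, validates. If the two shapes are meant to be mutually exclusive, model them as two variants (`oneOf` in the source YAML) so that clients and response validation can rely on which fields are present rather than on the prose.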
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,16 +84,28 @@ components:
type: string
result_counts:
type: object
description: 'Result count statistics (present when withResultCounts is true).'
description: >
Result count statistics (present when withResultCounts is true).
Single-query actions include responded_agents; pack actions include
queries_with_results and queries_total instead.
properties:
total_rows:
type: integer
responded_agents:
description: 'Number of agents that responded (single-query actions only).'
type: integer
successful_agents:
type: integer
error_agents:
type: integer
queries_with_results:
description: 'Number of sub-queries that returned at least one row (pack actions only).'
type: integer
queries_total:
description: 'Total number of sub-queries in the pack (pack actions only).'
type: integer
# Single-query example shown below; for pack actions, result_counts uses
# queries_with_results and queries_total instead of responded_agents.
example:
data:
total: 1
Expand Down Expand Up @@ -154,6 +166,29 @@ components:
description: 'Global status of the live query (completed, running).'
type: string
enum: [completed, running]
result_counts:
type: object
description: >
Aggregated result count statistics for the query. May be omitted
when aggregation data is unavailable. Single-query actions include
responded_agents; pack actions include queries_with_results and
queries_total instead.
properties:
total_rows:
type: integer
responded_agents:
description: 'Number of agents that responded (single-query actions only).'
type: integer
successful_agents:
type: integer
error_agents:
type: integer
queries_with_results:
description: 'Number of sub-queries that returned at least one row (pack actions only).'
type: integer
queries_total:
description: 'Total number of sub-queries in the pack (pack actions only).'
type: integer
queries:
description: 'The queries with their execution status.'
type: array
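Review bot: This `result_counts` object is a second inline copy of the one under the list response earlier in the same file, with the same six properties and the same per-field descriptions. Extract it into a shared component (for example a `ResultCounts` schema) and reference it with `$ref` from both responses, keeping only the differing top-level description at each use site, so the two definitions cannot drift apart.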
Expand Down Expand Up @@ -193,6 +228,8 @@ components:
description: 'Status of this individual query.'
type: string
enum: [completed, running]
# Single-query example shown below; for pack actions, result_counts uses
# queries_with_results and queries_total instead of responded_agents.
example:
data:
action_id: "3c42c847-eb30-4452-80e0-728584042334"
Expand All @@ -201,6 +238,11 @@ components:
agents: [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ]
user_id: "elastic"
status: "completed"
result_counts:
total_rows: 42
responded_agents: 1
successful_agents: 1
error_agents: 0
queries:
- action_id: "609c4c66-ba3d-43fa-afdd-53e244577aa0"
id: "6724a474-cbba-41ef-a1aa-66aebf0879e2"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,11 @@ export const ScheduledExecutionMetadata = z.object({
* The timestamp of the most recent response for this execution.
*/
timestamp: z.string().optional(),
/**
* Interval in seconds from the pack saved object query definition. Present only when the resultCountsEnabled experimental feature is enabled and the pack query defines an interval.

*/
queryInterval: z.number().int().optional(),
});

export type ScheduledActionResultsAggregations = z.infer<typeof ScheduledActionResultsAggregations>;
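Review bot: `queryInterval` is documented as an interval in seconds but is typed as a bare `z.number().int()`, so zero and negative values pass validation. Since the value is read from the pack saved object, consider declaring a `minimum` on the property in the OpenAPI source so that a malformed saved object is caught at the schema boundary rather than rendered as a nonsensical interval in the UI.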
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,12 @@ components:
timestamp:
description: 'The timestamp of the most recent response for this execution.'
type: string
queryInterval:
description: >
Interval in seconds from the pack saved object query definition.
Present only when the resultCountsEnabled experimental feature is enabled
and the pack query defines an interval.
type: integer

ScheduledActionResultsAggregations:
type: object
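Review bot: The `queryInterval` description names the internal `resultCountsEnabled` experimental feature in a schema that is published in the public API docs, while commit 5e8fd5b on this PR ("Remove internal feature flag reference from OpenAPI schema description") removed that kind of reference and the live query `result_counts` description now says "May be omitted when aggregation data is unavailable" instead. Apply the same treatment here and in the operation description of `OsqueryGetScheduledActionResults`, for example "Present only when the pack query defines an interval", then regenerate the bundles.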
Expand Down Expand Up @@ -86,6 +92,7 @@ components:
queryName: 'uptime'
queryText: 'select * from uptime;'
timestamp: '2024-07-26T09:00:00.000Z'
queryInterval: 3600
edges:
- _id: 'result-001'
fields:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ paths:
description: >
Get paginated per-agent action results for a specific scheduled query
execution, with success/failure aggregation and execution metadata
(pack name, query name/text, timestamp).
(pack name, query name/text, timestamp, and optionally queryInterval when
the resultCountsEnabled experimental feature is enabled).
operationId: OsqueryGetScheduledActionResults
x-codegen-enabled: true
x-labels: [ serverless, ess ]
Expand Down Expand Up @@ -80,6 +81,7 @@ paths:
queryName: 'uptime'
queryText: 'select * from uptime;'
timestamp: '2024-07-26T09:00:00.000Z'
queryInterval: 3600
edges:
- _id: 'result-001'
fields:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@ export const allowedExperimentalValues = Object.freeze({
* adding KQL search, document flyout, per-row actions, and column curation.
*/
unifiedDataTable: true,
/**
* Enables result_counts aggregation in the live query details and list API
* responses, providing total rows, agent success/error breakdowns. Required
* by the upcoming "About" tab on the query details page.
*/
resultCountsEnabled: false,
});

type ExperimentalFeatures = { [K in keyof typeof allowedExperimentalValues]: boolean };
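Review bot: The doc comment on `resultCountsEnabled` describes only the `result_counts` aggregation in the live query details and list responses, but the schema changes in this PR state that the same flag also gates `queryInterval` in the scheduled execution metadata. Mention that in the comment, or pick a flag name that covers both, so that whoever flips or removes the flag later knows the full set of response fields it controls. The phrase "providing total rows, agent success/error breakdowns" also reads as a truncated list; "total rows and agent success/error breakdowns" would be clearer.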
Expand Down