Creating Osquery Templates

Creating an osquery template involves creating the osquery itself, and defining the event type attributes for events triggered by the osquery, which includes severity, frequency and event type name. You can also create an osquery template by cloning an existing osquery template using the Clone button and editing it.

Creating an osquery Template

Complete these steps to create an osquery template:

  1. Navigate to Resources > Osquery.
  2. Select the group where you want to add the new template.
  3. Click New to create a new osquery template.
    1. In the Name field, enter the name of the osquery template.
    2. In the Description field, enter a description for the osquery template.
    3. In the osquery field, enter the osquery.
      Notes:
      • Osqueries that use an EVENTED TABLE do NOT work with this feature. Example: process_etw_events
      • Every column the osquery returns must be mapped to an event attribute.
    4. In the Event Type field, enter the event type name for events that trigger from this osquery.
      Note: All osquery event types start with the following prefix: PH_OSQUERY_WIN_
    5. From the Severity drop-down list, select the severity associated with this event type.
    6. From the Frequency field and Frequency drop-down list, enter the length of time and select the unit of time (Minute(s), Hour(s), Day(s)) for how often Windows Agent runs the osquery template.
    7. Click Test to validate the osquery template.
    8. From the Select Agent drop-down list, select a Windows Agent and click Test.
    9. If Test succeeds, click Save to save the osquery template.
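An example of an osquery that fits the constraints above (added here as an illustration; it is not from the FortiSIEM documentation). It reads the non-evented services table, so the Windows Agent can run it on the configured Frequency, and it returns only named columns so each one can be mapped to an event attribute. The event type name PH_OSQUERY_WIN_SERVICE_NONSTANDARD_PATH is an assumed value following the documented prefix, not a built-in one.

```sql
-- Added example, not FortiSIEM's own template. Reports auto- or demand-start
-- Windows services whose binary lives outside the usual system directories,
-- which is a common sign of a misconfigured or unwanted service.
-- Assumed event type for this template: PH_OSQUERY_WIN_SERVICE_NONSTANDARD_PATH
-- The `services` table is a regular (non-evented) osquery table; an evented
-- table such as process_etw_events cannot be used in a template.
SELECT
  name,            -- service short name
  display_name,    -- service display name
  path,            -- full command line of the service binary
  start_type,      -- AUTO_START, DEMAND_START, DISABLED, ...
  status,          -- RUNNING, STOPPED, ...
  user_account     -- account the service runs as
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
  -- SQLite LIKE is case-insensitive for ASCII; the quoted variants cover
  -- paths that Windows stores wrapped in double quotes.
  AND path NOT LIKE 'C:\Windows\%'
  AND path NOT LIKE '"C:\Windows\%'
  AND path NOT LIKE 'C:\Program Files%'
  AND path NOT LIKE '"C:\Program Files%';
```

Run it with Test against a Windows Agent before saving; every column in the SELECT list must have an event attribute mapping or the template will not validate.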

Applying Changes to an osquery Template

After a change has been made to an osquery template, you can click Apply to push the osquery template change to all Windows Agent Monitor Templates that have this existing osquery template.