elastic · natasha-moore-elastic · Mar 11, 2025 · Mar 11, 2025 · Mar 11, 2025
@@ -733,7 +733,7 @@ For Osquery (`.osquery`), use a single query, a saved query, or a query pack:
 * `saved_query_id` (string, optional): To run a saved query, use the `saved_query_id` field and specify the saved query ID. Example: `"saved_query_id":  "processes_elastic"`
 * `packId` (string, optional): To specify a query pack, use the `packId` field. Example: `"packId": "processes_elastic"`
 * `ecs_mapping` (object, required): Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: `"ecs_mapping": {"process.pid": {"field": "pid"}}`
-* `timeout` (number, optional): A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`. Example: `"timeout": 120`.
+* `timeout` (number, optional): A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `86400` (24 hours). Example: `"timeout": 120`.
 
 NOTE: Refer to {kibana-ref}/osquery-manager-live-queries-api-create.html[Create live query API] for more information about running Osquery queries and packs.
 

@@ -24,7 +24,7 @@ NOTE: The host associated with the alert is automatically selected. You can spec
 . Specify the query or pack to run:
 ** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
 +
-NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. 
+NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours). 
 +
 TIP: Use <<osquery-placeholder-fields,placeholder fields>> to dynamically add existing alert data to your query. 
 

@@ -30,7 +30,7 @@ TIP: Use <<osquery-placeholder-fields,placeholder fields>> to dynamically add ex
 
 .. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
 +
-NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`.
+NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours).
 +
 [role="screenshot"]
 image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows results from running a query from an investigation guide]
@@ -48,7 +48,7 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows
 .. Select one or more {agent}s or groups to query. Start typing in the search field to get suggestions for {agent}s by name, ID, platform, and policy.
 .. Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional).
 +
-NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`.
+NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours).
 
 . Click *Submit* to run the query. Query results display in the flyout.
 +

@@ -36,7 +36,7 @@ NOTE: If the rule's investigation guide is using an Osquery query, you'll be ask
 . Specify whether you want to set up a single live query or a pack:
 ** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). 
 +
-NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`.
+NOTE: Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `86400` (24 hours).
 +
 TIP: You can use <<osquery-placeholder-fields,placeholder fields>> to dynamically add alert data to your query.