17 changes: 10 additions & 7 deletions solutions/security/investigate/examine-osquery-results.md
Expand Up @@ -45,13 +45,9 @@ Results for each query in the pack appear in the **Results** tab. Click the expa

From the results table, you can:

* Click **View in Discover** (![View in Discover button](/solutions/images/security-discover-button-osquery.png "title =20x20")) to explore the results in Discover.
* Click **View in Lens** (![View in Lens button](/solutions/images/security-lens-button-osquery.png "title =20x20")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations.
* Click **Timeline** (![Timeline button](/solutions/images/security-timeline-button-osquery.png "title =20x20")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results.

When you open all results in Timeline, the events in Timeline are filtered based on the `action_ID` generated by the Osquery query.

* Click **Add to Case** (![Add to Case button](/solutions/images/security-case-button-osquery.png "title =20x20")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments.
* {applies_to}`stack: ga 9.5+` {applies_to}`serverless: ga` Click **Export results** to download the results in CSV, NDJSON, or JSON format. For query pack results, use a query row's actions menu to export that query's results.
* Click **Add to Case** to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments.

::::{note}
If you add the results to a *new* case, you are prompted to specify the solution that you want the create the case within. Ensure you select the correct solution. From {{elastic-sec}}, you cannot access cases created in {{observability}} or Stack Management.
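Review bot: the rewritten **Add to Case** bullet drops the inline button image without substituting an `{icon}` reference, so it becomes the only action in this list with no icon while the items relocated further down switch to `{icon}` syntax; consider `* Click **Add to Case** ({icon}`app_cases`) to add the query results ...`, which is the form the list being removed from osquery.md already used for this button. While this paragraph is being touched, the retained note text still reads "the solution that you want the create the case within" and should read "that you want to create the case within".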
Expand All @@ -60,6 +56,13 @@ From the results table, you can:

::::

* Click the view details icon (![View details icon](/solutions/images/security-view-osquery-details.png "title =20x20")) to examine the query ID and statement.
* {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` Add or remove tags to organize and label the queries for future use.
* Click the **View Details** icon {icon}`expand` to examine the query ID and statement.
* Click the **View in Discover** {icon}`product_discover` icon to explore the results in Discover.
* Click the **View in Lens** {icon}`app_lens` icon to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations.
* Click the **Timeline** {icon}`timeline` icon to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results.

When you open all results in Timeline, the events in Timeline are filtered based on the `action_ID` generated by the Osquery query.

* View more information about the request, such as failures, by opening the **Status** tab.
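Review bot: icon placement is inconsistent inside the new list: `Click the **View Details** icon {icon}`expand`` puts the icon after the word "icon", whereas the three items that follow put it before ("Click the **View in Discover** {icon}`product_discover` icon"). Pick one order for all four. Also confirm that `product_discover` is the intended icon id, because the equivalent bullet being deleted from osquery.md references the same button as `app_discover`; one of the two is presumably wrong.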

8 changes: 1 addition & 7 deletions solutions/security/investigate/osquery.md
Expand Up @@ -78,13 +78,7 @@ To inspect hosts, run a query against one or more agents or policies, then view
To save a single query for future use, click **Save for later** and define the ID, description, and other [details](../../../solutions/security/investigate/osquery.md#osquery-manage-query).
::::

7. Review the results and do any of the following:

* Click **View in Discover** ({icon}`app_discover`) to explore the results in **Discover**.
* Click **View in Lens** ({icon}`app_lens`) to navigate to **Lens**, where you can use the drag-and-drop **Lens** editor to create visualizations.
* Click **Add to Case** ({icon}`app_cases`) to add the query results to a new or existing case.
* Click the view details icon ({icon}`expand`) to examine the query ID and statement.
* {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` Add or remove tags to organize and label the queries for future use.
7. Review the results. For the actions you can take from the results table, refer to [Examine Osquery results](/solutions/security/investigate/examine-osquery-results.md#investigate-osquery-results).

8. To view more information about the request, such as failures, open the **Status** tab.
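Review bot: the new step 7 links with a site-absolute path (`/solutions/security/investigate/examine-osquery-results.md#investigate-osquery-results`) while the unchanged tip a few lines above links with a relative one (`../../../solutions/security/investigate/osquery.md#osquery-manage-query`); use a single convention within the file. Also confirm that the `#investigate-osquery-results` anchor exists on the target page, since the hunk for examine-osquery-results.md starts at line 45, below its headings, and nothing in this PR shows it. Replacing the inline action list with the cross-reference is otherwise fine, as the `{applies_to}` tagging bullet removed here now lives on the linked page.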
