updated osquery

misc/threat_intelligence/osquery.md

@@ -1,18 +1,22 @@
 # Osquery
 
 * [Documentation](https://osquery.readthedocs.io/en/stable/)
-* [Schema Docs](https://osquery.io/schema/4.7.0/)
+* [Schema Docs](https://osquery.io/schema/5.5.1/)
 
 ## Usage
-* `.help` is the overiew
+
+* `osqueryi .help` is the overiew
 
 ### List available tables
+
+List an overview of all available topics which can be queried.
 ```sh
 .tables
 ```
 * Specify via `.tables <tablename>`
 
 ### Show schema
+
 ```sh
 .schema <table_name>
 ```
@@ -33,6 +37,11 @@ select * <attr>,<attr>  from <table>;
 SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
 ```
 
+* Where
+```sql
+select * from programs where name = 'paint';
+```
+
 * Where clause operators
     * `=` [equal]
     * `<>`  [not equal]
@@ -49,14 +58,28 @@ SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
     * `%abc`: Match all within-level ending in "abc".
     * `abc%`: Match all within-level starting with "abc". 
 
+* Table 'userassist' stores executed processes
+
+## Modes
+
+There are multiple modes to select from to show the data
+
+```sh
+osqueryi 
+osqueryi> .mode .help
+```
+
 ## Remote Queries via Frontend
+
 * [Repo](https://github.com/fleetdm/fleet.git)
 
 ## Extensions
+
 * [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
 * [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
 
 ### Yara
+
 ```sql
 select * from yara where sigfile='<sigfile>' and path like '/home/%%';
 ```