updated osquery
This commit is contained in:
parent
c5770dee83
commit
41af4b5b9a
|
@ -1,18 +1,22 @@
|
|||
# Osquery
|
||||
|
||||
* [Documentation](https://osquery.readthedocs.io/en/stable/)
|
||||
* [Schema Docs](https://osquery.io/schema/4.7.0/)
|
||||
* [Schema Docs](https://osquery.io/schema/5.5.1/)
|
||||
|
||||
## Usage
|
||||
* `.help` is the overiew
|
||||
|
||||
* `osqueryi .help` is the overiew
|
||||
|
||||
### List available tables
|
||||
|
||||
List an overview of all available topics which can be queried.
|
||||
```sh
|
||||
.tables
|
||||
```
|
||||
* Specify via `.tables <tablename>`
|
||||
|
||||
### Show schema
|
||||
|
||||
```sh
|
||||
.schema <table_name>
|
||||
```
|
||||
|
@ -33,6 +37,11 @@ select * <attr>,<attr> from <table>;
|
|||
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
|
||||
```
|
||||
|
||||
* Where
|
||||
```sql
|
||||
select * from programs where name = 'paint';
|
||||
```
|
||||
|
||||
* Where clause operators
|
||||
* `=` [equal]
|
||||
* `<>` [not equal]
|
||||
|
@ -49,14 +58,28 @@ SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
|
|||
* `%abc`: Match all within-level ending in "abc".
|
||||
* `abc%`: Match all within-level starting with "abc".
|
||||
|
||||
* Table 'userassist' stores executed processes
|
||||
|
||||
## Modes
|
||||
|
||||
There are multiple modes to select from to show the data
|
||||
|
||||
```sh
|
||||
osqueryi
|
||||
osqueryi> .mode .help
|
||||
```
|
||||
|
||||
## Remote Queries via Frontend
|
||||
|
||||
* [Repo](https://github.com/fleetdm/fleet.git)
|
||||
|
||||
## Extensions
|
||||
|
||||
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
|
||||
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
|
||||
|
||||
### Yara
|
||||
|
||||
```sql
|
||||
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
|
||||
```
|
||||
|
|
Loading…
Reference in New Issue