# Osquery

* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/4.7.0/)

## Usage
* `.help` prints an overview of the shell's dot-commands

### List available tables
```sh
.tables
```
* Narrow the listing to a specific table via `.tables <tablename>`

### Show schema
```sh
.schema <table_name>
```
* Show the schema of tables that exist only on other operating systems by starting the shell with `--enable_foreign`

### Queries

* Select
```sql
select * from <table>;
select <attr>,<attr> from <table>;
```

* UPDATE and DELETE are possible only on run-time tables created in the shell session; osquery's own virtual tables are read-only

* JOIN
```sql
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```

* Where clause operators
    * `=` [equal]
    * `<>`  [not equal]
    * `>, >=` [greater than, greater than or equal to]
    * `<, <=` [less than, less than or equal to]
    * `BETWEEN` [within a range, inclusive]
    * `LIKE` [pattern matching, case-insensitive for ASCII]
        * `%` [wildcard, zero or more characters]
        * `_` [wildcard, exactly one character]

* Path wildcard rules (apply to `path` constraints of tables such as `file`, `hash` and `yara`, and to `file_paths` in the config)
    * `%`: Match all files and folders for one level.
    * `%%`: Match all files and folders recursively.
    * `%abc`: Match everything within one level whose name ends in "abc".
    * `abc%`: Match everything within one level whose name starts with "abc".
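
The queries below are an added example (not from the page or the osquery project) that exercise the operators and path-wildcard rules above against osquery's own tables. They assume an interactive `osqueryi` session whose SQLite layer accepts `CREATE TABLE`/`INSERT` for the run-time tables mentioned earlier; the `/home` and `/tmp` paths and the placeholder allowlist hash are constructed, not real data.

```sql
-- 1. JOIN + comparison operators: TCP listeners bound to a non-loopback
--    address, with the owning process and the sha256 of its on-disk binary.
--    USING (pid) matches listening_ports.pid to processes.pid; the join
--    on hash.path supplies the path constraint the hash table requires.
SELECT lp.address, lp.port, p.pid, p.name, p.path, h.sha256
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.protocol = 6                          -- 6 = TCP, 17 = UDP
  AND lp.port BETWEEN 1 AND 1023               -- privileged ports only
  AND lp.address NOT IN ('127.0.0.1', '::1');

-- 2. Run-time table as an allowlist: processes whose binary hash is not
--    on the list. The CREATE TABLE/INSERT rows live only in this shell
--    session and, unlike osquery's virtual tables, can be UPDATEd/DELETEd.
--    The hash below is a constructed placeholder, not a real binary.
CREATE TABLE allowlist (sha256 TEXT PRIMARY KEY, note TEXT);
INSERT INTO allowlist VALUES
  ('0000000000000000000000000000000000000000000000000000000000000000',
   'placeholder entry');

SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
LEFT JOIN allowlist AS a ON a.sha256 = h.sha256
WHERE p.path <> ''                             -- kernel threads have no path
  AND a.sha256 IS NULL;                        -- not allowlisted

-- 3. Processes whose executable has been deleted from disk (a common
--    post-exploitation artefact): on_disk is 0 when the path no longer exists.
SELECT pid, name, path, cmdline
FROM processes
WHERE on_disk = 0;

-- 4. Path wildcards on the file table. A single % stops at one directory
--    level: every user's ~/.ssh entries, but nothing deeper.
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE '/home/%/.ssh/%';

--    %% recurses: regular files anywhere under /tmp modified in the last hour.
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE '/tmp/%%'
  AND type = 'regular'
  AND mtime > strftime('%s', 'now') - 3600;
```

Query 2 hashes every running process's binary, which is acceptable interactively but expensive as a scheduled query on busy hosts; restrict it to a path prefix or a small set of names when you move it into a pack.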

## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)

## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)

### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)
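
An added example (not from the osquery docs) that reports only files the rules actually hit, using the recursive `%%` wildcard described above. The signature file path is a constructed placeholder; `count`, `matches` and `strings` are columns of the `yara` table.

```sql
-- Scan every file under /home recursively with one signature file and
-- keep only the hits. The sigfile path is a constructed placeholder.
SELECT path, matches, count, strings
FROM yara
WHERE sigfile = '/etc/osquery/yara/webshells.yar'
  AND path LIKE '/home/%%'
  AND count > 0;
```

Without the `count > 0` filter the table returns one row per scanned file, hit or not, so the clause is what turns a scan into a detection query.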