# Osquery

* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/5.5.1/)

## Usage

* `.help` inside `osqueryi` prints the overview of the shell's meta-commands

### List available tables

List an overview of all tables that can be queried:

```sh
.tables
```

* Narrow the listing to table names matching a pattern with `.tables <pattern>`

### Show schema

```sh
.schema
```

* Show the schema of tables that belong to other operating systems with `--enable_foreign`

### Queries

* Select

  ```sql
  select * from <table>;
  select <column>, <column> from <table>;
  ```

* UPDATE and DELETE are possible on run-time tables
* JOIN

  ```sql
  SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
  ```

* Where

  ```sql
  select * from programs where name = 'paint';
  ```

* Where clause operators
  * `=` [equal]
  * `<>` [not equal]
  * `>, >=` [greater than, greater than or equal to]
  * `<, <=` [less than, less than or equal to]
  * `BETWEEN` [between a range]
  * `LIKE` [pattern wildcard searches]
    * `%` [wildcard, multiple characters]
    * `_` [wildcard, one character]
* Path wildcard rules (for `LIKE` on the path column of file-based tables such as `file` and `yara`)
  * `%`: Match all files and folders for one level.
  * `%%`: Match all files and folders recursively.
  * `%abc`: Match all within-level ending in "abc".
  * `abc%`: Match all within-level starting with "abc".
* The `userassist` table (Windows) stores programs that have been executed

## Modes

There are multiple output modes to choose from when displaying results:

```sh
osqueryi
osqueryi> .mode
osqueryi> .help
```

## Remote Queries via Frontend

* [Repo](https://github.com/fleetdm/fleet.git)

## Extensions

* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)

### Yara

```sql
select * from yara where sigfile='<path to rule file>' and path like '/home/%%';
```

* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)
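The following queries are an added example, not part of the original note, that put the JOIN, WHERE, LIKE and path-wildcard rules from the Queries section and the `yara` table from the Yara section to work on detection-style questions. They use only standard osquery tables (`processes`, `listening_ports`, `users`, `userassist`, `file`, `yara`); the YARA rule path `/etc/osquery/yara/example.yar` is an assumed placeholder and must be replaced with a real rule file.

```sql
-- Added example (not from the original page). All tables and columns are
-- standard osquery tables; the sigfile path below is a placeholder.

-- 1. JOIN + WHERE + LIKE (Linux/macOS): processes that hold a listening
--    socket while running from a world-writable temp directory.
--    '%%' is osquery's recursive path wildcard, so any depth under the
--    directory matches.
SELECT p.pid, p.name, p.path, p.cmdline, l.port, l.protocol
FROM listening_ports l
JOIN processes p USING (pid)
WHERE l.port <> 0
  AND (p.path LIKE '/tmp/%%' OR p.path LIKE '/dev/shm/%%');

-- 2. Windows: the userassist table (executed programs) joined to users
--    via the SID (users.uuid holds the SID on Windows), limited to
--    executions in the last 7 days. last_execution_time is a unix epoch.
SELECT u.username, ua.path, ua.count,
       datetime(ua.last_execution_time, 'unixepoch') AS last_run
FROM userassist ua
JOIN users u ON u.uuid = ua.sid
WHERE ua.last_execution_time > strftime('%s', 'now') - 7 * 86400
ORDER BY ua.last_execution_time DESC;

-- 3. YARA scan restricted to files in any user's Downloads directory that
--    were modified in the last 24 hours. The file table supplies the path
--    constraint the yara table requires (constraints are pushed through
--    the join), and count > 0 keeps only files with at least one match.
--    A single '%' matches one path level, so '/home/%/Downloads/%' covers
--    every user's Downloads directory without recursing into it.
SELECT y.path, y.matches, y.count, f.size, f.mtime
FROM file f
JOIN yara y ON y.path = f.path
WHERE f.path LIKE '/home/%/Downloads/%'
  AND f.mtime > strftime('%s', 'now') - 86400
  AND y.sigfile = '/etc/osquery/yara/example.yar'   -- placeholder path
  AND y.count > 0;
```

Run each statement from `osqueryi` (query 2 only returns rows on Windows; queries 1 and 3 are written for Linux paths). Scanning a narrow, recently modified set of files keeps the `yara` query cheap enough to schedule, whereas a recursive `%%` over `/home` would rescan every file on each run.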