fleet/docs/01-Using-Fleet/standard-query-library/README.md

# Standard query library

Fleet's [standard query library](https://fleetdm.com/queries) includes a growing collection of useful policies and miscellaneous queries for organizations deploying Fleet and osquery.

## Importing the queries in Fleet

### After cloning the fleetdm/fleet repo, import the queries using fleetctl:
```
fleetctl apply -f docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
```

## Contributors

Want to add your own query?

1. Please copy the following yaml section and paste it at the bottom of the [`standard-query-library.yml`](./standard-query-library.yml) file.

  ```yaml
  ---
  apiVersion: v1
  kind: query
  spec:
    name: What is your query called? Please use a human readable query name.
    platforms: What operating systems support your query? This can usually be determined by the osquery tables included in your query. Heading to the https://osquery.io/schema webpage to see which operating systems are supported by the tables you include.
    description: Describe your query. What does information does your query reveal? (optional)
    query: Insert query here
    purpose: What is the goal of running your query? Ex. Detection
    remediation: Are there any remediation steps to resolve the detection triggered by your query? If not, insert "N/A."
    contributors: zwass,mike-j-thomas
    tags: Keywords that can help users find other relevant queries, each tag should be seperated by a comma. (e.g., "foo,bar")
  ```

2. Replace each field and submit a pull request to the fleetdm/fleet GitHub repository.

3. If you want to contribute multiple queries, please open one pull request that includes all your queries.

For instructions on submitting pull requests to Fleet check out [the Committing Changes
section](../../Contributing/Committing-Changes.md#committing-changes) in the Contributors
documentation.


## Additional resources

Listed below are great resources that contain additional queries.

- Osquery (https://github.com/osquery/osquery/tree/master/packs)
- Palantir osquery configuration (https://github.com/palantir/osquery-configuration/tree/master/Fleet)
Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00			`# Standard query library`

docs: Add link to standard query library (#4851) 2022-03-29 04:39:20 +00:00			`Fleet's [standard query library](https://fleetdm.com/queries) includes a growing collection of useful policies and miscellaneous queries for organizations deploying Fleet and osquery.`
Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00
			`## Importing the queries in Fleet`

Perform early session check on `fleetctl` commands (#2620) * Perform early session check on fleetctl * Add fleetctl test for the early session check 2021-10-22 18:41:17 +00:00			`### After cloning the fleetdm/fleet repo, import the queries using fleetctl:`
Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00			```
Fix broken link on QueriesListWrapper and in docs to std query lib docs (#2614) 2021-10-20 23:53:01 +00:00			`fleetctl apply -f docs/01-Using-Fleet/standard-query-library/standard-query-library.yml`
Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00			```

			`## Contributors`

			`Want to add your own query?`

			1. Please copy the following yaml section and paste it at the bottom of the [`standard-query-library.yml`](./standard-query-library.yml) file.
fix code block and indentation (#2672) 2021-10-28 15:24:52 +00:00
			```yaml
			`---`
			`apiVersion: v1`
			`kind: query`
			`spec:`
			`name: What is your query called? Please use a human readable query name.`
			`platforms: What operating systems support your query? This can usually be determined by the osquery tables included in your query. Heading to the https://osquery.io/schema webpage to see which operating systems are supported by the tables you include.`
New query and new policy: Identify optional fields to users (#5167) 2022-04-20 12:48:47 +00:00			`description: Describe your query. What does information does your query reveal? (optional)`
fix code block and indentation (#2672) 2021-10-28 15:24:52 +00:00			`query: Insert query here`
			`purpose: What is the goal of running your query? Ex. Detection`
			`remediation: Are there any remediation steps to resolve the detection triggered by your query? If not, insert "N/A."`
			`contributors: zwass,mike-j-thomas`
Add tags to standard query library and fleetdm.com/queries (#3970) * handle query tags in build-static-content script, update query readme * show tags in query library, add ability to filter by tags * fix lint errors * update mobile styles * fix CTA link * update mobile layout * remove tag line-height and font size * Update build-static-content.js * Style update * remove margin from selected tag, adjust OS logo placement * requested changes from code review Co-authored-by: Mike Thomas <mthomas@fleetdm.com> 2022-02-03 21:49:36 +00:00			`tags: Keywords that can help users find other relevant queries, each tag should be seperated by a comma. (e.g., "foo,bar")`
fix code block and indentation (#2672) 2021-10-28 15:24:52 +00:00			```

Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00			`2. Replace each field and submit a pull request to the fleetdm/fleet GitHub repository.`

Update instructions for contributing multiple queries to the standard query library (#3207) 2021-12-06 15:15:05 +00:00			`3. If you want to contribute multiple queries, please open one pull request that includes all your queries.`

			`For instructions on submitting pull requests to Fleet check out [the Committing Changes`
Remove numbers from documentation filenames in Fleet repo (#4313) * Renaming files and a lot of find and replace * pageRank meta tags, sorting by page rank * reranking * removing numbers * revert changing links that are locked to a commit * update metatag name, uncomment github contributers * Update basic-documentation.page.js * revert link change * more explicit errors, change pageOrderInSection numbers, updated sort * Update build-static-content.js * update comment * update handbook link * handbook entry * update sort * update changelog doc links to use fleetdm.com * move standard query library back to old location, update links/references to location * revert unintentional link changes * Update handbook/community.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com> Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2022-02-23 18:17:55 +00:00			`section](../../Contributing/Committing-Changes.md#committing-changes) in the Contributors`
Update instructions for contributing multiple queries to the standard query library (#3207) 2021-12-06 15:15:05 +00:00			`documentation.`

Convert standard query library to YAML format (#749) - Create `/configuration-files/` directory inside of `/1-Using-Fleet` directory. This directory contains example Fleet configuration files in yaml format. Replaces the `/examples` directory. - Create `/standard-query-library/` directory inside of `/1-Using-Fleet` directory. This directory contains the new `standard-query-library.yml`. This file will act as the source of community contributions to the standard query library. - Edit references to `/examples` directory 2021-05-14 17:38:33 +00:00
			`## Additional resources`

			`Listed below are great resources that contain additional queries.`

			`- Osquery (https://github.com/osquery/osquery/tree/master/packs)`
Add "contributors" to YAML format to enable attribution (#780) 2021-05-18 15:33:40 +00:00			`- Palantir osquery configuration (https://github.com/palantir/osquery-configuration/tree/master/Fleet)`