fleet/schema/tables/userassist.yml

name: userassist
examples: >-
  The User Assist featureset allows Windows to keep track of most recently used applications. Because of that, it is a useful datasource to pull from during investigations and incident response. The following example queries the userassist table and converts the last_execution_time into a human readable format (using UTC) and then sorts the results by this column, descending. It also joins the users table to change the user SID into a human readable username.  The output from this query displays most recently used applications, sorted by most recent timestamp as well as the username of who ran it.
  
  ```
     
    SELECT userassist.path, datetime(userassist.last_execution_time, 'unixepoch') AS timestamp_of_last_exec, userassist.count as execution_count, users.username FROM userassist join users ON users.uuid = userassist.sid  ORDER BY timestamp_of_last_exec DESC;

  ```
Add additional Windows tables to schema (#8817) * Add dns_cache * Add ntdomains * Add userassist * add shimcache * Spacing 2022-11-28 15:00:23 +00:00			`name: userassist`
			`examples: >-`
			The User Assist featureset allows Windows to keep track of most recently used applications. Because of that, it is a useful datasource to pull from during investigations and incident response. The following example queries the userassist table and converts the last_execution_time into a human readable format (using UTC) and then sorts the results by this column, descending. It also joins the users table to change the user SID into a human readable username. The output from this query displays most recently used applications, sorted by most recent timestamp as well as the username of who ran it.

			```

			`SELECT userassist.path, datetime(userassist.last_execution_time, 'unixepoch') AS timestamp_of_last_exec, userassist.count as execution_count, users.username FROM userassist join users ON users.uuid = userassist.sid ORDER BY timestamp_of_last_exec DESC;`

			```