empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 09:18:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
07ab5559f7
fleet/frontend/osquery_tables.json
Mike Arpaia ea4ede299a
Add osquery table data from master (#1884) 
This was generated via:

```
python ~/git/osquery/tools/codegen/genapi.py > ~/go/src/github.com/kolide/fleet/frontend/osquery_tables.json
```

close #1883
2018-08-06 11:30:50 -06:00

5134 lines
296 KiB
JSON
Raw Blame History

{
"tables": [
{
"key": "yara",
"name": "YARA",
"tables": [
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "The path scanned","name": "target_path","options": {},"type": "TEXT_TYPE"},
{"description": "The category of the file","name": "category","options": {},"type": "TEXT_TYPE"},
{"description": "Change action (UPDATE, REMOVE, etc)","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "ID used during bulk update","name": "transaction_id","options": {},"type": "BIGINT_TYPE"},
{"description": "List of YARA matches","name": "matches","options": {},"type": "TEXT_TYPE"},
{"description": "Number of YARA matches","name": "count","options": {},"type": "INTEGER_TYPE"},
{"description": "Matching strings","name": "strings","options": {},"type": "TEXT_TYPE"},
{"description": "Matching tags","name": "tags","options": {},"type": "TEXT_TYPE"},
{"description": "Time of the scan","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track YARA matches for files specified in configuration data.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "yara_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The path scanned","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "List of YARA matches","name": "matches","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Number of YARA matches","name": "count","options": {},"type": "INTEGER_TYPE"},
{"description": "Signature group used","name": "sig_group","options": {"additional": true,"index": true},"type": "TEXT_TYPE"},
{"description": "Signature file used","name": "sigfile","options": {"additional": true,"index": true},"type": "TEXT_TYPE"},
{"description": "Matching strings","name": "strings","options": {},"type": "TEXT_TYPE"},
{"description": "Matching tags","name": "tags","options": {},"type": "TEXT_TYPE"}
],
"description": "Track YARA matches for files or PIDs.",
"examples": [
"select * from yara where path = '/etc/passwd'",
"select * from yara where path LIKE '/etc/%'",
"select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'"
],
"foreign_keys": [],
"function": "genYara",
"name": "yara",
"profile": {}
}
]
},
{
"key": "sleuthkit",
"name": "The Sleuth Kit",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Absolute file path to device node","name": "device","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "A partition number","name": "partition","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Filesystem inode number","name": "inode","options": {"required": true},"type": "BIGINT_TYPE"},
{"description": "MD5 hash of provided inode data","name": "md5","options": {},"type": "TEXT_TYPE"},
{"description": "SHA1 hash of provided inode data","name": "sha1","options": {},"type": "TEXT_TYPE"},
{"description": "SHA256 hash of provided inode data","name": "sha256","options": {},"type": "TEXT_TYPE"}
],
"description": "Similar to the hash table, but use TSK and allow block address access.",
"examples": [],
"foreign_keys": [],
"function": "genDeviceHash",
"name": "device_hash",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Absolute file path to device node","name": "device","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "A partition number or description","name": "partition","options": {},"type": "INTEGER_TYPE"},
{"description": "","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "","name": "offset","options": {},"type": "BIGINT_TYPE"},
{"description": "Byte size of each block","name": "blocks_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of blocks","name": "blocks","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of meta nodes","name": "inodes","options": {},"type": "BIGINT_TYPE"},
{"description": "","name": "flags","options": {},"type": "INTEGER_TYPE"}
],
"description": "Use TSK to enumerate details about partitions on a disk device.",
"examples": [],
"foreign_keys": [],
"function": "genDevicePartitions",
"name": "device_partitions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Absolute file path to device node","name": "device","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "A partition number","name": "partition","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "A logical path within the device node","name": "path","options": {"additional": true},"type": "TEXT_TYPE"},
{"description": "Name portion of file path","name": "filename","options": {},"type": "TEXT_TYPE"},
{"description": "Filesystem inode number","name": "inode","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Owning user ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Owning group ID","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Permission bits","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "Size of file in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Block size of filesystem","name": "block_size","options": {},"type": "INTEGER_TYPE"},
{"description": "Last access time","name": "atime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last modification time","name": "mtime","options": {},"type": "BIGINT_TYPE"},
{"description": "Creation time","name": "ctime","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of hard links","name": "hard_links","options": {},"type": "INTEGER_TYPE"},
{"description": "File status","name": "type","options": {},"type": "TEXT_TYPE"}
],
"description": "Similar to the file table, but use TSK and allow block address access.",
"examples": [],
"foreign_keys": [],
"function": "genDeviceFile",
"name": "device_file",
"profile": {}
}
]
},
{
"key": "macwin",
"name": "MacOS and Windows",
"tables": [
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Certificate CommonName","name": "common_name","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate distinguished name","name": "subject","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate issuer distinguished name","name": "issuer","options": {},"type": "TEXT_TYPE"},
{"description": "1 if CA: true (certificate is an authority) else 0","name": "ca","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if self-signed, else 0","name": "self_signed","options": {},"type": "INTEGER_TYPE"},
{"description": "Lower bound of valid date","name": "not_valid_before","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate expiration data","name": "not_valid_after","options": {},"type": "TEXT_TYPE"},
{"description": "Signing algorithm used","name": "signing_algorithm","options": {},"type": "TEXT_TYPE"},
{"description": "Key algorithm used","name": "key_algorithm","options": {},"type": "TEXT_TYPE"},
{"description": "Key size used for RSA/DSA, or curve name","name": "key_strength","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate key usage and extended key usage","name": "key_usage","options": {},"type": "TEXT_TYPE"},
{"description": "SKID an optionally included SHA1","name": "subject_key_id","options": {},"type": "TEXT_TYPE"},
{"description": "AKID an optionally included SHA1","name": "authority_key_id","options": {},"type": "TEXT_TYPE"},
{"description": "SHA1 hash of the raw certificate contents","name": "sha1","options": {},"type": "TEXT_TYPE"},
{"description": "Path to Keychain or PEM bundle","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate serial number","name": "serial","options": {},"type": "TEXT_TYPE"}
],
"description": "Certificate Authorities installed in Keychains/ca-bundles.",
"examples": [],
"foreign_keys": [],
"function": "genCerts",
"name": "certificates",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Name of startup item","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Path of startup item","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Arguments provided to startup executable","name": "args","options": {},"type": "TEXT_TYPE"},
{"description": "Startup Item or Login Item","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Directory or plist containing startup item","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Startup status; either enabled or disabled","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "The user associated with the startup item","name": "username","options": {},"type": "TEXT_TYPE"}
],
"description": "Applications and binaries set as user/login startup items.",
"examples": [],
"foreign_keys": [],
"function": "genStartupItems",
"name": "startup_items",
"profile": {}
}
]
},
{
"key": "windows",
"name": "Microsoft Windows",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Path to the file or directory.","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Type of access mode for the access control entry.","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "User or group to which the ACE applies.","name": "principal","options": {},"type": "TEXT_TYPE"},
{"description": "Specific permissions that indicate the rights described by the ACE.","name": "access","options": {},"type": "TEXT_TYPE"},
{"description": "The inheritance policy of the ACE.","name": "inherited_from","options": {},"type": "TEXT_TYPE"}
],
"description": "Retrieve NTFS ACL permission information for files and directories.",
"examples": [],
"foreign_keys": [],
"function": "genNtfsAclPerms",
"name": "ntfs_acl_permissions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the scheduled task","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Actions executed by the scheduled task","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "Path to the executable to be run","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Whether or not the scheduled task is enabled","name": "enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "State of the scheduled task","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "Whether or not the task is visible in the UI","name": "hidden","options": {},"type": "INTEGER_TYPE"},
{"description": "Timestamp the task last ran","name": "last_run_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Timestamp the task is scheduled to run next","name": "next_run_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Exit status message of the last task run","name": "last_run_message","options": {},"type": "TEXT_TYPE"},
{"description": "Exit status code of the last task run","name": "last_run_code","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists all of the tasks in the Windows task scheduler.",
"examples": [
"select * from scheduled_tasks",
"select * from scheduled_tasks where hidden=1 and enabled=1"
],
"foreign_keys": [],
"function": "genScheduledTasks",
"name": "scheduled_tasks",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Timestamp (log format) of the crash","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "Path of the crashed module within the process","name": "module","options": {},"type": "TEXT_TYPE"},
{"description": "Path of the executable file for the crashed process","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Process ID of the crashed process","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Thread ID of the crashed thread","name": "tid","options": {},"type": "BIGINT_TYPE"},
{"description": "File version info of the crashed process","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Uptime of the process in seconds","name": "process_uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Multiple stack frames from the stack trace","name": "stack_trace","options": {},"type": "TEXT_TYPE"},
{"description": "The Windows exception code","name": "exception_code","options": {},"type": "TEXT_TYPE"},
{"description": "The NTSTATUS error message associated with the exception code","name": "exception_message","options": {},"type": "TEXT_TYPE"},
{"description": "Address (in hex) where the exception occurred","name": "exception_address","options": {},"type": "TEXT_TYPE"},
{"description": "The values of the system registers","name": "registers","options": {},"type": "TEXT_TYPE"},
{"description": "Command-line string passed to the crashed process","name": "command_line","options": {},"type": "TEXT_TYPE"},
{"description": "Current working directory of the crashed process","name": "current_directory","options": {},"type": "TEXT_TYPE"},
{"description": "Username of the user who ran the crashed process","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the machine where the crash happened","name": "machine_name","options": {},"type": "TEXT_TYPE"},
{"description": "Windows major version of the machine","name": "major_version","options": {},"type": "INTEGER_TYPE"},
{"description": "Windows minor version of the machine","name": "minor_version","options": {},"type": "INTEGER_TYPE"},
{"description": "Windows build number of the crashing machine","name": "build_number","options": {},"type": "INTEGER_TYPE"},
{"description": "Type of crash log","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Path of the log file","name": "crash_path","options": {},"type": "TEXT_TYPE"}
],
"description": "Extracted information from Windows crash logs (Minidumps).",
"examples": [
"select * from windows_crashes",
"select * from windows_crashes where module like '%electron.exe%'",
"select * from windows_crashes where datetime < '2016-10-14'",
"select * from windows_crashes where registers like '%rax=0000000000000004%'",
"select * from windows_crashes where stack_trace like '%vlc%'"
],
"foreign_keys": [],
"function": "genCrashLogs",
"name": "windows_crashes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Service name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)","name": "service_type","options": {},"type": "TEXT_TYPE"},
{"description": "Service Display name","name": "display_name","options": {},"type": "TEXT_TYPE"},
{"description": "Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "the Process ID of the service","name": "pid","options": {},"type": "INTEGER_TYPE"},
{"description": "Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED","name": "start_type","options": {},"type": "TEXT_TYPE"},
{"description": "The error code that the service uses to report an error that occurs when it is starting or stopping","name": "win32_exit_code","options": {},"type": "INTEGER_TYPE"},
{"description": "The service-specific error code that the service returns when an error occurs while the service is starting or stopping","name": "service_exit_code","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to Service Executable","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Path to ServiceDll","name": "module_path","options": {},"type": "TEXT_TYPE"},
{"description": "Service Description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\\UserName. If the account belongs to the built-in domain, the name can be of the form .\\UserName.","name": "user_account","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists all installed Windows services and their relevant data.",
"examples": [
"select * from services"
],
"foreign_keys": [],
"function": "genServices",
"name": "services",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Kernel Virtual Address shadowing is enabled.","name": "kva_shadow_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "User pages are marked as global.","name": "kva_shadow_user_global","options": {},"type": "INTEGER_TYPE"},
{"description": "Kernel VA PCID flushing optimization is enabled.","name": "kva_shadow_pcid","options": {},"type": "INTEGER_TYPE"},
{"description": "Kernel VA INVPCID is enabled.","name": "kva_shadow_inv_pcid","options": {},"type": "INTEGER_TYPE"},
{"description": "Branch Prediction mitigations are enabled.","name": "bp_mitigations","options": {},"type": "INTEGER_TYPE"},
{"description": "Branch Predictions are disabled via system policy.","name": "bp_system_pol_disabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Branch Predictions are disabled due to lack of microcode update.","name": "bp_microcode_disabled","options": {},"type": "INTEGER_TYPE"},
{"description": "SPEC_CTRL MSR supported by CPU Microcode.","name": "cpu_spec_ctrl_supported","options": {},"type": "INTEGER_TYPE"},
{"description": "Windows uses IBRS.","name": "ibrs_support_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Windows uses STIBP.","name": "stibp_support_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "PRED_CMD MSR supported by CPU Microcode.","name": "cpu_pred_cmd_supported","options": {},"type": "INTEGER_TYPE"}
],
"description": "Display kernel virtual address and speculative execution information for the system.",
"examples": [
"select * from kva_speculative_info"
],
"foreign_keys": [],
"function": "genKvaSpeculative",
"name": "kva_speculative_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The name of the host the patch is installed on.","name": "csname","options": {},"type": "TEXT_TYPE"},
{"description": "The KB ID of the patch.","name": "hotfix_id","options": {},"type": "TEXT_TYPE"},
{"description": "Short description of the patch.","name": "caption","options": {},"type": "TEXT_TYPE"},
{"description": "Fuller description of the patch.","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Additional comments about the patch.","name": "fix_comments","options": {},"type": "TEXT_TYPE"},
{"description": "The system context in which the patch as installed.","name": "installed_by","options": {},"type": "TEXT_TYPE"},
{"description": "Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.","name": "install_date","options": {},"type": "TEXT_TYPE"},
{"description": "The date when the patch was installed.","name": "installed_on","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).",
"examples": [
"select * from patches"
],
"foreign_keys": [],
"function": "genInstalledPatches",
"name": "patches",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Extension display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension identifier","name": "registry_path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Version of the executable","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Path to executable","name": "path","options": {"index": true},"type": "TEXT_TYPE"}
],
"description": "Internet Explorer browser extensions.",
"examples": [],
"foreign_keys": [],
"function": "genIEExtensions",
"name": "ie_extensions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "A textual description of the object","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.","name": "install_date","options": {},"type": "TEXT_TYPE"},
{"description": "String that indicates the current status of the object.","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.","name": "allow_maximum","options": {},"type": "INTEGER_TYPE"},
{"description": "Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.","name": "maximum_allowed","options": {},"type": "INTEGER_TYPE"},
{"description": "Alias given to a path set up as a share on a computer system running Windows.","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Local path of the Windows share.","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.","name": "type","options": {},"type": "INTEGER_TYPE"}
],
"description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.",
"examples": [
"select * from shared_resources"
],
"foreign_keys": [],
"function": "genShares",
"name": "shared_resources",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Unique name of a consumer.","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.","name": "command_line_template","options": {},"type": "TEXT_TYPE"},
{"description": "Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.","name": "executable_path","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the class.","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Relative path to the class or instance.","name": "relative_path","options": {},"type": "TEXT_TYPE"}
],
"description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.",
"examples": [
"select filter,consumer,query,command_line_template,wcec.name from wmi_cli_event_consumers wcec left outer join wmi_filter_consumer_binding wcb on consumer = wcec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;"
],
"foreign_keys": [],
"function": "genWmiCliConsumers",
"name": "wmi_cli_event_consumers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The amount of bits per pixel to represent color.","name": "color_depth","options": {},"type": "INTEGER_TYPE"},
{"description": "The driver of the device.","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "The date listed on the installed driver.","name": "driver_date","options": {},"type": "TEXT_TYPE"},
{"description": "The version of the installed driver.","name": "driver_version","options": {},"type": "TEXT_TYPE"},
{"description": "The manufaturer of the gpu.","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "The model of the gpu.","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "The series of the gpu.","name": "series","options": {},"type": "TEXT_TYPE"},
{"description": "The current resolution of the display.","name": "video_mode","options": {},"type": "TEXT_TYPE"}
],
"description": "Retrieve video card information of the machine.",
"examples": [],
"foreign_keys": [],
"function": "genVideoInfo",
"name": "video_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the key to search for","name": "key","options": {"additional": true},"type": "TEXT_TYPE"},
{"description": "Full path to the value","name": "path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Name of the registry value entry","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Type of the registry value, or 'subkey' if item is a subkey","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Data content of registry value","name": "data","options": {},"type": "TEXT_TYPE"},
{"description": "timestamp of the most recent registry write","name": "mtime","options": {},"type": "BIGINT_TYPE"}
],
"description": "All of the Windows registry hives.",
"examples": [
"select path, key, name from registry where key = 'HKEY_USERS'; -- get user SIDS. Note: path is key+name",
"select path from registry where key like 'HKEY_USERS\\.Default\\%'; -- a SQL wildcard match; will not recurse subkeys",
"select path from registry where key like 'HKEY_USERS\\.Default\\Software\\%%'; -- recursing query (compare with 1 %)",
"select path from registry where key like 'HKEY_LOCAL_MACHINE\\Software\\Micr%ft\\%' and type = 'subkey' LIMIT 10; -- midfix wildcard match",
"select name, type, data from registry where path like 'HKEY_USERS\\%\\Control Panel\\International\\User Profile\\Languages'; -- get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER",
"select name, type, data from registry where path like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers\\%'; -- list all of the desktop wallpapers",
"select name, type, data from registry where key like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers'; -- same, but filtering by key instead of path"
],
"foreign_keys": [],
"function": "genRegistry",
"name": "registry",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Device ID","name": "device_id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Device name","name": "device_name","options": {},"type": "TEXT_TYPE"},
{"description": "Path to driver image file","name": "image","options": {},"type": "TEXT_TYPE"},
{"description": "Driver description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Driver service name, if one exists","name": "service","options": {},"type": "TEXT_TYPE"},
{"description": "Driver service registry key","name": "service_key","options": {},"type": "TEXT_TYPE"},
{"description": "Driver version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Associated inf file","name": "inf","options": {},"type": "TEXT_TYPE"},
{"description": "Device/driver class name","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Driver provider","name": "provider","options": {},"type": "TEXT_TYPE"},
{"description": "Device manufacturer","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "Driver key","name": "driver_key","options": {},"type": "TEXT_TYPE"},
{"description": "Driver date","name": "date","options": {},"type": "BIGINT_TYPE"},
{"description": "Whether the driver is signed or not","name": "signed","options": {},"type": "INTEGER_TYPE"}
],
"description": "Details for in-use Windows device drivers. This does not display installed but unused drivers.",
"examples": [
"select * from drivers"
],
"foreign_keys": [],
"function": "genDrivers",
"name": "drivers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Number of detected partitions on disk.","name": "partitions","options": {},"type": "INTEGER_TYPE"},
{"description": "Physical drive number of the disk.","name": "disk_index","options": {},"type": "INTEGER_TYPE"},
{"description": "The interface type of the disk.","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "The unique identifier of the drive on the system.","name": "id","options": {},"type": "TEXT_TYPE"},
{"description": "The unique identifier of the drive on the system.","name": "pnp_device_id","options": {},"type": "TEXT_TYPE"},
{"description": "Size of the disk.","name": "disk_size","options": {},"type": "BIGINT_TYPE"},
{"description": "The manufacturer of the disk.","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "Hard drive model.","name": "hardware_model","options": {},"type": "TEXT_TYPE"},
{"description": "The label of the disk object.","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "The serial number of the disk.","name": "serial","options": {},"type": "TEXT_TYPE"},
{"description": "The OS's description of the disk.","name": "description","options": {},"type": "TEXT_TYPE"}
],
"description": "Retrieve basic information about the physical disks of a system.",
"examples": [],
"foreign_keys": [],
"function": "genDiskInfo",
"name": "disk_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package-supplied version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package-supplied summary","name": "summary","options": {},"type": "TEXT_TYPE"},
{"description": "Optional package author","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "License under which package is launched","name": "license","options": {},"type": "TEXT_TYPE"},
{"description": "Path at which this package resides","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Chocolatey packages installed in a system.",
"examples": [],
"foreign_keys": [],
"function": "genChocolateyPackages",
"name": "chocolatey_packages",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The drive id, usually the drive name, e.g., 'C:'.","name": "device_id","options": {},"type": "TEXT_TYPE"},
{"description": "The type of disk drive this logical drive represents.","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "The amount of free space, in bytes, of the drive.","name": "free_space","options": {},"type": "BIGINT_TYPE"},
{"description": "The total amount of space, in bytes, of the drive.","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "The file system of the drive.","name": "file_system","options": {},"type": "TEXT_TYPE"},
{"description": "True if Windows booted from this drive.","name": "boot_partition","options": {},"type": "INTEGER_TYPE"}
],
"description": "Details for logical drives on the system. A logical drive generally represents a single partition.",
"examples": [
"select * from logical_drives",
"select free_space from logical_drives where device_id = 'C:'"
],
"foreign_keys": [],
"function": "genLogicalDrives",
"name": "logical_drives",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Must provide a path or directory","name": "path","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "The original program name that the publisher has signed","name": "original_program_name","options": {},"type": "TEXT_TYPE"},
{"description": "The certificate serial number","name": "serial_number","options": {},"type": "TEXT_TYPE"},
{"description": "The certificate issuer name","name": "issuer_name","options": {},"type": "TEXT_TYPE"},
{"description": "The certificate subject name","name": "subject_name","options": {},"type": "TEXT_TYPE"},
{"description": "The signature check result","name": "result","options": {},"type": "TEXT_TYPE"}
],
"description": "File (executable, bundle, installer, disk) code signing status.",
"examples": [
"SELECT * FROM authenticode WHERE path = 'C:\\Windows\\notepad.exe'",
"SELECT process.pid, process.path, signature.result FROM processes as process LEFT JOIN authenticode AS signature ON process.path = signature.path;"
],
"foreign_keys": [],
"function": "genAuthenticode",
"name": "authenticode",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "A locally unique identifier (LUID) that identifies a logon session.","name": "logon_id","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "The account name of the security principal that owns the logon session.","name": "user","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the domain used to authenticate the owner of the logon session.","name": "logon_domain","options": {},"type": "TEXT_TYPE"},
{"description": "The authentication package used to authenticate the owner of the logon session.","name": "authentication_package","options": {},"type": "TEXT_TYPE"},
{"description": "The logon method.","name": "logon_type","options": {},"type": "TEXT_TYPE"},
{"description": "The Terminal Services session identifier.","name": "session_id","options": {},"type": "INTEGER_TYPE"},
{"description": "The user's security identifier (SID).","name": "logon_sid","options": {},"type": "TEXT_TYPE"},
{"description": "The time the session owner logged on.","name": "logon_time","options": {},"type": "BIGINT_TYPE"},
{"description": "The name of the server used to authenticate the owner of the logon session.","name": "logon_server","options": {},"type": "TEXT_TYPE"},
{"description": "The DNS name for the owner of the logon session.","name": "dns_domain_name","options": {},"type": "TEXT_TYPE"},
{"description": "The user principal name (UPN) for the owner of the logon session.","name": "upn","options": {},"type": "TEXT_TYPE"},
{"description": "The script used for logging on.","name": "logon_script","options": {},"type": "TEXT_TYPE"},
{"description": "The home directory for the logon session.","name": "profile_path","options": {},"type": "TEXT_TYPE"},
{"description": "The home directory for the logon session.","name": "home_directory","options": {},"type": "TEXT_TYPE"},
{"description": "The drive location of the home directory of the logon session.","name": "home_directory_drive","options": {},"type": "TEXT_TYPE"}
],
"description": "Windows Logon Session.",
"examples": [
"select * from logon_sessions;"
],
"foreign_keys": [],
"function": "queryLogonSessions",
"name": "logon_sessions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process ID of the process to which the pipe belongs","name": "pid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Name of the pipe","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Number of instances of the named pipe","name": "instances","options": {},"type": "INTEGER_TYPE"},
{"description": "The maximum number of instances creatable for this pipe","name": "max_instances","options": {},"type": "INTEGER_TYPE"},
{"description": "The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes","name": "flags","options": {},"type": "TEXT_TYPE"}
],
"description": "Named and Anonymous pipes.",
"examples": [
"select * from pipes"
],
"foreign_keys": [],
"function": "genPipes",
"name": "pipes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.","name": "consumer","options": {},"type": "TEXT_TYPE"},
{"description": "Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.","name": "filter","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the class.","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Relative path to the class or instance.","name": "relative_path","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists the relationship between event consumers and filters.",
"examples": [
"select * from wmi_filter_consumer_binding"
],
"foreign_keys": [],
"function": "genFilterConsumer",
"name": "wmi_filter_consumer_binding",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Unique identifier of an event filter.","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.","name": "query","options": {},"type": "TEXT_TYPE"},
{"description": "Query language that the query is written in.","name": "query_language","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the class.","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Relative path to the class or instance.","name": "relative_path","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists WMI event filters.",
"examples": [
"select * from wmi_event_filters"
],
"foreign_keys": [],
"function": "genWmiFilters",
"name": "wmi_event_filters",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Timestamp the event was received","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "System time at which the event occurred","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "Source or channel of the event","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Provider name of the event","name": "provider_name","options": {},"type": "TEXT_TYPE"},
{"description": "Provider guid of the event","name": "provider_guid","options": {},"type": "TEXT_TYPE"},
{"description": "Event ID of the event","name": "eventid","options": {},"type": "INTEGER_TYPE"},
{"description": "Task value associated with the event","name": "task","options": {},"type": "INTEGER_TYPE"},
{"description": "The severity level associated with the event","name": "level","options": {},"type": "INTEGER_TYPE"},
{"description": "A bitmask of the keywords defined in the event","name": "keywords","options": {},"type": "BIGINT_TYPE"},
{"description": "Data associated with the event","name": "data","options": {},"type": "TEXT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Windows Event logs.",
"examples": [
"select * from windows_events where eventid=4104 and channel='Security'"
],
"foreign_keys": [],
"function": "genTable",
"name": "windows_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the executable that is being shimmed. This is pulled from the registry.","name": "executable","options": {},"type": "TEXT_TYPE"},
{"description": "This is the path to the SDB database.","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Description of the SDB.","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Install time of the SDB","name": "install_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Type of the SDB database.","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Unique GUID of the SDB.","name": "sdb_id","options": {},"type": "TEXT_TYPE"}
],
"description": "Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.",
"examples": [
"select * from appcompat_shims;"
],
"foreign_keys": [],
"function": "genShims",
"name": "appcompat_shims",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Timestamp the event was received by the osquery event publisher","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "System time at which the Powershell script event occurred","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "The unique GUID of the powershell script to which this block belongs","name": "script_block_id","options": {},"type": "TEXT_TYPE"},
{"description": "The total number of script blocks for this script","name": "script_block_count","options": {},"type": "INTEGER_TYPE"},
{"description": "The text content of the Powershell script","name": "script_text","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the Powershell script","name": "script_name","options": {},"type": "TEXT_TYPE"},
{"description": "The path for the Powershell script","name": "script_path","options": {},"type": "TEXT_TYPE"},
{"description": "How similar the Powershell script is to a provided 'normal' character frequency","name": "cosine_similarity","options": {},"type": "DOUBLE_TYPE"}
],
"description": "Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.",
"examples": [
"select * from powershell_events;",
"select * from powershell_events where script_text like '%Invoke-Mimikatz%';",
"select * from powershell_events where cosine_similarity < 0.25;"
],
"foreign_keys": [],
"function": "genTable",
"name": "powershell_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Terminal Services Session Id","name": "session_id","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "Object Name","name": "object_name","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Object Type","name": "object_type","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists named Windows objects in the default object directories, across all terminal services sessions.",
"examples": [
"select object_name, object_type from winbaseobj",
"select * from winbaseobj where type='Mutant'"
],
"foreign_keys": [],
"function": "genBaseNamedObjects",
"name": "winbaseobj",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The DeviceID of the CPU.","name": "device_id","options": {},"type": "TEXT_TYPE"},
{"description": "The model of the CPU.","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "The manufacturer of the CPU.","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "The processor type, such as Central, Math, or Video.","name": "processor_type","options": {},"type": "TEXT_TYPE"},
{"description": "The availability and status of the CPU.","name": "availability","options": {},"type": "TEXT_TYPE"},
{"description": "The current operating status of the CPU.","name": "cpu_status","options": {},"type": "INTEGER_TYPE"},
{"description": "The number of cores of the CPU.","name": "number_of_cores","options": {},"type": "TEXT_TYPE"},
{"description": "The number of logical processors of the CPU.","name": "logical_processors","options": {},"type": "INTEGER_TYPE"},
{"description": "The width of the CPU address bus.","name": "address_width","options": {},"type": "TEXT_TYPE"},
{"description": "The current frequency of the CPU.","name": "current_clock_speed","options": {},"type": "INTEGER_TYPE"},
{"description": "The maximum possible frequency of the CPU.","name": "max_clock_speed","options": {},"type": "INTEGER_TYPE"},
{"description": "The assigned socket on the board for the given CPU.","name": "socket_designation","options": {},"type": "TEXT_TYPE"}
],
"description": "Retrieve cpu hardware info of the machine.",
"examples": [],
"foreign_keys": [],
"function": "genCpuInfo",
"name": "cpu_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the Bios setting","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Value of the Bios setting","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists important information from the system bios.",
"examples": [
"select * from wmi_bios_info",
"select * from wmi_bios_info where name = 'AMTControl'"
],
"foreign_keys": [],
"function": "genBiosInfo",
"name": "wmi_bios_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Commonly used product name.","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Product version information.","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "The installation location directory of the product.","name": "install_location","options": {},"type": "TEXT_TYPE"},
{"description": "The installation source of the product.","name": "install_source","options": {},"type": "TEXT_TYPE"},
{"description": "The language of the product.","name": "language","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the product supplier.","name": "publisher","options": {},"type": "TEXT_TYPE"},
{"description": "Path and filename of the uninstaller.","name": "uninstall_string","options": {},"type": "TEXT_TYPE"},
{"description": "Date that this product was installed on the system. ","name": "install_date","options": {},"type": "TEXT_TYPE"},
{"description": "Product identification such as a serial number on software, or a die number on a hardware chip.","name": "identifying_number","options": {},"type": "TEXT_TYPE"}
],
"description": "Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.",
"examples": [
"select * from programs",
"select name, install_location from programs where install_location not like 'C:\\Program Files%';"
],
"foreign_keys": [],
"function": "genPrograms",
"name": "programs",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Unique identifier for the event consumer. ","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.","name": "scripting_engine","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.","name": "script_file_name","options": {},"type": "TEXT_TYPE"},
{"description": "Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.","name": "script_text","options": {},"type": "TEXT_TYPE"},
{"description": "The name of the class.","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Relative path to the class or instance.","name": "relative_path","options": {},"type": "TEXT_TYPE"}
],
"description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.",
"examples": [
"select filter,consumer,query,scripting_engine,script_file_name,script_text,wsec.name from wmi_script_event_consumers wsec left outer join wmi_filter_consumer_binding wcb on consumer = wsec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;"
],
"foreign_keys": [],
"function": "genScriptConsumers",
"name": "wmi_script_event_consumers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the physical disk","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Average number of bytes transferred from the disk during read operations","name": "avg_disk_bytes_per_read","options": {},"type": "BIGINT_TYPE"},
{"description": "Average number of bytes transferred to the disk during write operations","name": "avg_disk_bytes_per_write","options": {},"type": "BIGINT_TYPE"},
{"description": "Average number of read requests that were queued for the selected disk during the sample interval","name": "avg_disk_read_queue_length","options": {},"type": "BIGINT_TYPE"},
{"description": "Average number of write requests that were queued for the selected disk during the sample interval","name": "avg_disk_write_queue_length","options": {},"type": "BIGINT_TYPE"},
{"description": "Average time, in seconds, of a read operation of data from the disk","name": "avg_disk_sec_per_read","options": {},"type": "INTEGER_TYPE"},
{"description": "Average time, in seconds, of a write operation of data to the disk","name": "avg_disk_sec_per_write","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of requests outstanding on the disk at the time the performance data is collected","name": "current_disk_queue_length","options": {},"type": "INTEGER_TYPE"},
{"description": "Percentage of elapsed time that the selected disk drive is busy servicing read requests","name": "percent_disk_read_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Percentage of elapsed time that the selected disk drive is busy servicing write requests","name": "percent_disk_write_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Percentage of elapsed time that the selected disk drive is busy servicing read or write requests","name": "percent_disk_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Percentage of time during the sample interval that the disk was idle","name": "percent_idle_time","options": {},"type": "BIGINT_TYPE"}
],
"description": "Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.",
"examples": [],
"foreign_keys": [],
"function": "genPhysicalDiskPerformance",
"name": "physical_disk_performance",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Path to the executable","name": "path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Name of the program","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Source table of the autoexec item","name": "source","options": {},"type": "TEXT_TYPE"}
],
"description": "Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.",
"examples": [],
"foreign_keys": [],
"function": "genAutoexec",
"name": "autoexec",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "ID of the encrypted drive.","name": "device_id","options": {},"type": "TEXT_TYPE"},
{"description": "Drive letter of the encrypted drive.","name": "drive_letter","options": {},"type": "TEXT_TYPE"},
{"description": "Persistent ID of the drive.","name": "persistent_volume_id","options": {},"type": "TEXT_TYPE"},
{"description": "The bitlocker conversion status of the drive.","name": "conversion_status","options": {},"type": "INTEGER_TYPE"},
{"description": "The bitlocker protection status of the drive.","name": "protection_status","options": {},"type": "INTEGER_TYPE"},
{"description": "The encryption type of the device.","name": "encryption_method","options": {},"type": "TEXT_TYPE"}
],
"description": "Retrieve bitlocker status of the machine.",
"examples": [],
"foreign_keys": [],
"function": "genBitlockerInfo",
"name": "bitlocker_info",
"profile": {}
}
]
},
{
"key": "lldpd",
"name": "LLDPD",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Interface name","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "Neighbor chassis index","name": "rid","options": {},"type": "INTEGER_TYPE"},
{"description": "Neighbor chassis ID type","name": "chassis_id_type","options": {},"type": "TEXT_TYPE"},
{"description": "Neighbor chassis ID value","name": "chassis_id","options": {},"type": "TEXT_TYPE"},
{"description": "CPU brand string, contains vendor and model","name": "chassis_sysname","options": {},"type": "TEXT_TYPE"},
{"description": "Max number of CPU physical cores","name": "chassis_sys_description","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis bridge capability availability","name": "chassis_bridge_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Is chassis bridge capability enabled.","name": "chassis_bridge_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis router capability availability","name": "chassis_router_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis router capability enabled","name": "chassis_router_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis repeater capability availability","name": "chassis_repeater_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis repeater capability enabled","name": "chassis_repeater_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis wlan capability availability","name": "chassis_wlan_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis wlan capability enabled","name": "chassis_wlan_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis telephone capability availability","name": "chassis_tel_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis telephone capability enabled","name": "chassis_tel_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis DOCSIS capability availability","name": "chassis_docsis_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis DOCSIS capability enabled","name": "chassis_docsis_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis station capability availability","name": "chassis_station_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis station capability enabled","name": "chassis_station_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis other capability availability","name": "chassis_other_capability_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Chassis other capability enabled","name": "chassis_other_capability_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Comma delimited list of chassis management IPS","name": "chassis_mgmt_ips","options": {},"type": "TEXT_TYPE"},
{"description": "Port ID type","name": "port_id_type","options": {},"type": "TEXT_TYPE"},
{"description": "Port ID value","name": "port_id","options": {},"type": "TEXT_TYPE"},
{"description": "Port description","name": "port_description","options": {},"type": "TEXT_TYPE"},
{"description": "Age of neighbor port","name": "port_ttl","options": {},"type": "BIGINT_TYPE"},
{"description": "Port max frame size","name": "port_mfs","options": {},"type": "BIGINT_TYPE"},
{"description": "Port aggregation ID","name": "port_aggregation_id","options": {},"type": "TEXT_TYPE"},
{"description": "Auto negotiation supported","name": "port_autoneg_supported","options": {},"type": "INTEGER_TYPE"},
{"description": "Is auto negotiation enabled","name": "port_autoneg_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "MAU type","name": "port_mau_type","options": {},"type": "TEXT_TYPE"},
{"description": "10Base-T HD auto negotiation enabled","name": "port_autoneg_10baset_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "10Base-T FD auto negotiation enabled","name": "port_autoneg_10baset_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-TX HD auto negotiation enabled","name": "port_autoneg_100basetx_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-TX FD auto negotiation enabled","name": "port_autoneg_100basetx_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-T2 HD auto negotiation enabled","name": "port_autoneg_100baset2_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-T2 FD auto negotiation enabled","name": "port_autoneg_100baset2_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-T4 HD auto negotiation enabled","name": "port_autoneg_100baset4_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "100Base-T4 FD auto negotiation enabled","name": "port_autoneg_100baset4_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1000Base-X HD auto negotiation enabled","name": "port_autoneg_1000basex_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1000Base-X FD auto negotiation enabled","name": "port_autoneg_1000basex_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1000Base-T HD auto negotiation enabled","name": "port_autoneg_1000baset_hd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1000Base-T FD auto negotiation enabled","name": "port_autoneg_1000baset_fd_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Dot3 power device type","name": "power_device_type","options": {},"type": "TEXT_TYPE"},
{"description": "MDI power supported","name": "power_mdi_supported","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MDI power enabled","name": "power_mdi_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Is power pair control enabled","name": "power_paircontrol_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Dot3 power pairs","name": "power_pairs","options": {},"type": "TEXT_TYPE"},
{"description": "Power class","name": "power_class","options": {},"type": "TEXT_TYPE"},
{"description": "Is 802.3at enabled","name": "power_8023at_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "802.3at power type","name": "power_8023at_power_type","options": {},"type": "TEXT_TYPE"},
{"description": "802.3at power source","name": "power_8023at_power_source","options": {},"type": "TEXT_TYPE"},
{"description": "802.3at power priority","name": "power_8023at_power_priority","options": {},"type": "TEXT_TYPE"},
{"description": "802.3at power allocated","name": "power_8023at_power_allocated","options": {},"type": "TEXT_TYPE"},
{"description": "802.3at power requested","name": "power_8023at_power_requested","options": {},"type": "TEXT_TYPE"},
{"description": "Chassis MED type","name": "med_device_type","options": {},"type": "TEXT_TYPE"},
{"description": "Is MED capabilities enabled","name": "med_capability_capabilities","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MED policy capability enabled","name": "med_capability_policy","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MED location capability enabled","name": "med_capability_location","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MED MDI PSE capability enabled","name": "med_capability_mdi_pse","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MED MDI PD capability enabled","name": "med_capability_mdi_pd","options": {},"type": "INTEGER_TYPE"},
{"description": "Is MED inventory capability enabled","name": "med_capability_inventory","options": {},"type": "INTEGER_TYPE"},
{"description": "Comma delimited list of MED policies","name": "med_policies","options": {},"type": "TEXT_TYPE"},
{"description": "Comma delimited list of vlan ids","name": "vlans","options": {},"type": "TEXT_TYPE"},
{"description": "Primary VLAN id","name": "pvid","options": {},"type": "TEXT_TYPE"},
{"description": "Comma delimited list of supported PPVIDs","name": "ppvids_supported","options": {},"type": "TEXT_TYPE"},
{"description": "Comma delimited list of enabled PPVIDs","name": "ppvids_enabled","options": {},"type": "TEXT_TYPE"},
{"description": "Comma delimited list of PIDs","name": "pids","options": {},"type": "TEXT_TYPE"}
],
"description": "LLDP neighbors of interfaces.",
"examples": [],
"foreign_keys": [],
"function": "genLLDPNeighbors",
"name": "lldp_neighbors",
"profile": {}
}
]
},
{
"key": "linwin",
"name": "Linux and Windows",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Intel ME version","name": "version","options": {},"type": "TEXT_TYPE"}
],
"description": "Intel ME/CSE Info.",
"examples": [],
"foreign_keys": [],
"function": "getIntelMEInfo",
"name": "intel_me_info",
"profile": {}
}
]
},
{
"key": "posix",
"name": "POSIX-compatible Plaforms",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Network ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Network name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Network driver","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "Time of creation as UNIX time","name": "created","options": {},"type": "BIGINT_TYPE"},
{"description": "1 if IPv6 is enabled on this network. 0 otherwise","name": "enable_ipv6","options": {},"type": "INTEGER_TYPE"},
{"description": "Network subnet","name": "subnet","options": {},"type": "TEXT_TYPE"},
{"description": "Network gateway","name": "gateway","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker networks information.",
"examples": [
"select * from docker_networks",
"select * from docker_networks where id = 'cfd2ffd49439'",
"select * from docker_networks where id = 'cfd2ffd494395b75d77539761df40cde06a2b6b497e0c9c1adc6c5a79539bfad'"
],
"foreign_keys": [],
"function": "genNetworks",
"name": "docker_networks",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Process-specific file descriptor number","name": "fd","options": {},"type": "BIGINT_TYPE"},
{"description": "Filesystem path of descriptor","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "File descriptors for each process.",
"examples": [
"select * from process_open_files where pid = 1"
],
"foreign_keys": [],
"function": "genOpenFiles",
"name": "process_open_files",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Container name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Docker image (name) used to launch this container","name": "image","options": {},"type": "TEXT_TYPE"},
{"description": "Docker image ID","name": "image_id","options": {},"type": "TEXT_TYPE"},
{"description": "Command with arguments","name": "command","options": {},"type": "TEXT_TYPE"},
{"description": "Time of creation as UNIX time","name": "created","options": {},"type": "BIGINT_TYPE"},
{"description": "Container state (created, restarting, running, removing, paused, exited, dead)","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "Container status information","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "Identifier of the initial process","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Container path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Container entrypoint(s)","name": "config_entrypoint","options": {},"type": "TEXT_TYPE"},
{"description": "Container start time as string","name": "started_at","options": {},"type": "TEXT_TYPE"},
{"description": "Container finish time as string","name": "finished_at","options": {},"type": "TEXT_TYPE"},
{"description": "Is the container privileged","name": "privileged","options": {},"type": "INTEGER_TYPE"},
{"description": "List of container security options","name": "security_options","options": {},"type": "TEXT_TYPE"},
{"description": "Container environmental variables","name": "env_variables","options": {},"type": "TEXT_TYPE"},
{"description": "Is the root filesystem mounted as read only","name": "readonly_rootfs","options": {},"type": "INTEGER_TYPE"},
{"description": "cgroup namespace","name": "cgroup_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "IPC namespace","name": "ipc_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Mount namespace","name": "mnt_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Network namespace","name": "net_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "PID namespace","name": "pid_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "User namespace","name": "user_namespace","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "UTS namespace","name": "uts_namespace","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Docker containers information.",
"examples": [
"select * from docker_containers where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'",
"select * from docker_containers where name = '/hello'"
],
"foreign_keys": [],
"function": "genContainers",
"name": "docker_containers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Block device name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Block device parent name","name": "parent","options": {},"type": "TEXT_TYPE"},
{"description": "Block device vendor string","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Block device model string identifier","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "Block device size in blocks","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Block size in bytes","name": "block_size","options": {},"type": "INTEGER_TYPE"},
{"description": "Block device Universally Unique Identifier","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Block device type string","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Block device label string","name": "label","options": {},"type": "TEXT_TYPE"}
],
"description": "Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.",
"examples": [],
"foreign_keys": [],
"function": "genBlockDevs",
"name": "block_devices",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "The job @event name (rare)","name": "event","options": {},"type": "TEXT_TYPE"},
{"description": "The exact minute for the job","name": "minute","options": {},"type": "TEXT_TYPE"},
{"description": "The hour of the day for the job","name": "hour","options": {},"type": "TEXT_TYPE"},
{"description": "The day of the month for the job","name": "day_of_month","options": {},"type": "TEXT_TYPE"},
{"description": "The month of the year for the job","name": "month","options": {},"type": "TEXT_TYPE"},
{"description": "The day of the week for the job","name": "day_of_week","options": {},"type": "TEXT_TYPE"},
{"description": "Raw command string","name": "command","options": {},"type": "TEXT_TYPE"},
{"description": "File parsed","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Line parsed values from system and user cron/tab.",
"examples": [],
"foreign_keys": [],
"function": "genCronTab",
"name": "crontab",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Handle, or instance number, associated with the structure","name": "handle","options": {},"type": "TEXT_TYPE"},
{"description": "type of error associated with current error status for array or device","name": "error_type","options": {},"type": "TEXT_TYPE"},
{"description": "Granularity to which the error can be resolved","name": "error_granularity","options": {},"type": "TEXT_TYPE"},
{"description": "Memory access operation that caused the error","name": "error_operation","options": {},"type": "TEXT_TYPE"},
{"description": "Vendor specific ECC syndrome or CRC data associated with the erroneous access","name": "vendor_syndrome","options": {},"type": "TEXT_TYPE"},
{"description": "32 bit physical address of the error based on the addressing of the bus to which the memory array is connected","name": "memory_array_error_address","options": {},"type": "TEXT_TYPE"},
{"description": "32 bit physical address of the error relative to the start of the failing memory address, in bytes","name": "device_error_address","options": {},"type": "TEXT_TYPE"},
{"description": "Range, in bytes, within which this error can be determined, when an error address is given","name": "error_resolution","options": {},"type": "TEXT_TYPE"}
],
"description": "Data associated with errors of a physical memory array.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryErrorInfo",
"name": "memory_error_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "Process ID","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "The process path or shorthand argv[0]","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Complete argv","name": "cmdline","options": {},"type": "TEXT_TYPE"},
{"description": "Process state","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "User ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Group ID","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Effective user ID","name": "euid","options": {},"type": "BIGINT_TYPE"},
{"description": "Effective group ID","name": "egid","options": {},"type": "BIGINT_TYPE"},
{"description": "Saved user ID","name": "suid","options": {},"type": "BIGINT_TYPE"},
{"description": "Saved group ID","name": "sgid","options": {},"type": "BIGINT_TYPE"},
{"description": "Bytes of unpagable memory used by process","name": "wired_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Bytes of private memory used by process","name": "resident_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Total virtual memory size","name": "total_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Process start in seconds since boot (non-sleeping)","name": "start_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Process parent's PID","name": "parent","options": {},"type": "BIGINT_TYPE"},
{"description": "Process group","name": "pgroup","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of threads used by process","name": "threads","options": {},"type": "INTEGER_TYPE"},
{"description": "Process nice level (-20 to 20, default 0)","name": "nice","options": {},"type": "INTEGER_TYPE"},
{"description": "User name","name": "user","options": {},"type": "TEXT_TYPE"},
{"description": "Cumulative CPU time. [DD-]HH:MM:SS format","name": "time","options": {},"type": "TEXT_TYPE"},
{"description": "CPU utilization as percentage","name": "cpu","options": {},"type": "DOUBLE_TYPE"},
{"description": "Memory utilization as percentage","name": "mem","options": {},"type": "DOUBLE_TYPE"}
],
"description": "Docker container processes.",
"examples": [
"select * from docker_container_processes where id = '1234567890abcdef'",
"select * from docker_container_processes where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genContainerProcesses",
"name": "docker_container_processes",
"profile": {}
},
{
"attributes": {
"no_pkey": true,
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "Shell history owner","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Entry timestamp. It could be absent, default value is 0.","name": "time","options": {},"type": "INTEGER_TYPE"},
{"description": "Unparsed date/line/command history line","name": "command","options": {},"type": "TEXT_TYPE"},
{"description": "Path to the .*_history for this user","name": "history_file","options": {},"type": "TEXT_TYPE"}
],
"description": "A line-delimited (command) table of per-user .*_history data.",
"examples": [
"select * from users join shell_history using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genShellHistory",
"name": "shell_history",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Mounted device","name": "device","options": {},"type": "TEXT_TYPE"},
{"description": "Mounted device alias","name": "device_alias","options": {},"type": "TEXT_TYPE"},
{"description": "Mounted device path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Mounted device type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Block size in bytes","name": "blocks_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device used blocks","name": "blocks","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device free blocks","name": "blocks_free","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device available blocks","name": "blocks_available","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device used inodes","name": "inodes","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device free inodes","name": "inodes_free","options": {},"type": "BIGINT_TYPE"},
{"description": "Mounted device flags","name": "flags","options": {},"type": "TEXT_TYPE"}
],
"description": "System mounted devices and filesystems (not process specific).",
"examples": [],
"foreign_keys": [],
"function": "genMounts",
"name": "mounts",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Handle, or instance number, associated with the structure in SMBIOS","name": "handle","options": {},"type": "TEXT_TYPE"},
{"description": "The memory array that the device is attached to","name": "array_handle","options": {},"type": "TEXT_TYPE"},
{"description": "Implementation form factor for this memory device","name": "form_factor","options": {},"type": "TEXT_TYPE"},
{"description": "Total width, in bits, of this memory device, including any check or error-correction bits","name": "total_width","options": {},"type": "INTEGER_TYPE"},
{"description": "Data width, in bits, of this memory device","name": "data_width","options": {},"type": "INTEGER_TYPE"},
{"description": "Size of memory device in Megabyte","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.","name": "set","options": {},"type": "INTEGER_TYPE"},
{"description": "String number of the string that identifies the physically-labeled socket or board position where the memory device is located","name": "device_locator","options": {},"type": "TEXT_TYPE"},
{"description": "String number of the string that identifies the physically-labeled bank where the memory device is located","name": "bank_locator","options": {},"type": "TEXT_TYPE"},
{"description": "Type of memory used","name": "memory_type","options": {},"type": "TEXT_TYPE"},
{"description": "Additional details for memory device","name": "memory_type_details","options": {},"type": "TEXT_TYPE"},
{"description": "Max speed of memory device in megatransfers per second (MT/s)","name": "max_speed","options": {},"type": "INTEGER_TYPE"},
{"description": "Configured speed of memory device in megatransfers per second (MT/s)","name": "configured_clock_speed","options": {},"type": "INTEGER_TYPE"},
{"description": "Manufacturer ID string","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "Serial number of memory device","name": "serial_number","options": {},"type": "TEXT_TYPE"},
{"description": "Manufacturer specific asset tag of memory device","name": "asset_tag","options": {},"type": "TEXT_TYPE"},
{"description": "Manufacturer specific serial number of memory device","name": "part_number","options": {},"type": "TEXT_TYPE"},
{"description": "Minimum operating voltage of device in millivolts","name": "min_voltage","options": {},"type": "INTEGER_TYPE"},
{"description": "Maximum operating voltage of device in millivolts","name": "max_voltage","options": {},"type": "INTEGER_TYPE"},
{"description": "Configured operating voltage of device in millivolts","name": "configured_voltage","options": {},"type": "INTEGER_TYPE"}
],
"description": "Physical memory device (type 17) information retrieved from SMBIOS.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryDevices",
"name": "memory_devices",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Docker version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "API version","name": "api_version","options": {},"type": "TEXT_TYPE"},
{"description": "Minimum API version supported","name": "min_api_version","options": {},"type": "TEXT_TYPE"},
{"description": "Docker build git commit","name": "git_commit","options": {},"type": "TEXT_TYPE"},
{"description": "Go version","name": "go_version","options": {},"type": "TEXT_TYPE"},
{"description": "Operating system","name": "os","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware architecture","name": "arch","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel version","name": "kernel_version","options": {},"type": "TEXT_TYPE"},
{"description": "Build time","name": "build_time","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker version information.",
"examples": [
"select version from docker_version"
],
"foreign_keys": [],
"function": "genVersion",
"name": "docker_version",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Path of executed file","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "File mode permissions","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "Command line arguments (argv)","name": "cmdline","options": {},"type": "TEXT_TYPE"},
{"description": "Actual size (bytes) of command line arguments","name": "cmdline_size","options": {"hidden": true},"type": "BIGINT_TYPE"},
{"description": "Environment variables delimited by spaces","name": "env","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Number of environment variables","name": "env_count","options": {"hidden": true},"type": "BIGINT_TYPE"},
{"description": "Actual size (bytes) of environment list","name": "env_size","options": {"hidden": true},"type": "BIGINT_TYPE"},
{"description": "The process current working directory","name": "cwd","options": {},"type": "TEXT_TYPE"},
{"description": "Audit User ID at process start","name": "auid","options": {},"type": "BIGINT_TYPE"},
{"description": "User ID at process start","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Effective user ID at process start","name": "euid","options": {},"type": "BIGINT_TYPE"},
{"description": "Group ID at process start","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Effective group ID at process start","name": "egid","options": {},"type": "BIGINT_TYPE"},
{"description": "File owner user ID","name": "owner_uid","options": {},"type": "BIGINT_TYPE"},
{"description": "File owner group ID","name": "owner_gid","options": {},"type": "BIGINT_TYPE"},
{"description": "File last access in UNIX time","name": "atime","options": {},"type": "BIGINT_TYPE"},
{"description": "File modification in UNIX time","name": "mtime","options": {},"type": "BIGINT_TYPE"},
{"description": "File last metadata change in UNIX time","name": "ctime","options": {},"type": "BIGINT_TYPE"},
{"description": "File creation in UNIX time","name": "btime","options": {},"type": "BIGINT_TYPE"},
{"description": "List of structures that overflowed","name": "overflows","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Process parent's PID, or -1 if cannot be determined.","name": "parent","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in system uptime","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "OpenBSM Attribute: Status of the process","name": "status","options": {},"type": "BIGINT_TYPE"}
],
"description": "Track time/action process executions.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "process_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "System resource to be limited","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Current limit value","name": "soft_limit","options": {},"type": "TEXT_TYPE"},
{"description": "Maximum limit value","name": "hard_limit","options": {},"type": "TEXT_TYPE"}
],
"description": "System resource usage limits.",
"examples": [
"select * from ulimit_info"
],
"foreign_keys": [],
"function": "genUlimitInfo",
"name": "ulimit_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Type of mount (bind, volume)","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Optional mount name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Source path on host","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Destination path inside container","name": "destination","options": {},"type": "TEXT_TYPE"},
{"description": "Driver providing the mount","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "Mount options (rw, ro)","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "1 if read/write. 0 otherwise","name": "rw","options": {},"type": "INTEGER_TYPE"},
{"description": "Mount propagation","name": "propagation","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker container mounts.",
"examples": [
"select * from docker_container_mounts",
"select * from docker_container_mounts where id = '1234567890abcdef'",
"select * from docker_container_mounts where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genContainerMounts",
"name": "docker_container_mounts",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Image ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Label key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Optional label value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker image labels.",
"examples": [
"select * from docker_image_labels",
"select * from docker_image_labels where id = '1234567890abcdef'",
"select * from docker_image_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genImageLabels",
"name": "docker_image_labels",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Handle, or instance number, associated with the structure","name": "handle","options": {},"type": "TEXT_TYPE"},
{"description": "Handle of the memory array associated with this structure","name": "memory_array_handle","options": {},"type": "TEXT_TYPE"},
{"description": "Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","name": "starting_address","options": {},"type": "TEXT_TYPE"},
{"description": "Physical ending address of last kilobyte of a range of memory mapped to physical memory array","name": "ending_address","options": {},"type": "TEXT_TYPE"},
{"description": "Number of memory devices that form a single row of memory for the address partition of this structure","name": "partition_width","options": {},"type": "INTEGER_TYPE"}
],
"description": "Data associated for address mapping of physical memory arrays.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryArrayMappedAddresses",
"name": "memory_array_mapped_addresses",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Absolute path to target file","name": "path","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Magic number data from libmagic","name": "data","options": {},"type": "TEXT_TYPE"},
{"description": "MIME type data from libmagic","name": "mime_type","options": {},"type": "TEXT_TYPE"},
{"description": "MIME encoding data from libmagic","name": "mime_encoding","options": {},"type": "TEXT_TYPE"}
],
"description": "Magic number recognition library table.",
"examples": [],
"foreign_keys": [],
"function": "genMagicData",
"name": "magic",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Volume name","name": "name","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Label key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Optional label value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker volume labels.",
"examples": [
"select * from docker_volume_labels",
"select * from docker_volume_labels where name = 'btrfs'"
],
"foreign_keys": [],
"function": "genVolumeLabels",
"name": "docker_volume_labels",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "Environment variable name","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Environment variable value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "A key/value table of environment variables for each process.",
"examples": [
"select * from process_envs where pid = 1",
"select pe.*\n from process_envs pe, (select * from processes limit 10) p\n where p.pid = pe.pid;"
],
"foreign_keys": [],
"function": "genProcessEnvs",
"name": "process_envs",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Handle, or instance number, associated with the structure","name": "handle","options": {},"type": "TEXT_TYPE"},
{"description": "Handle of the memory device structure associated with this structure","name": "memory_device_handle","options": {},"type": "TEXT_TYPE"},
{"description": "Handle of the memory array mapped address to which this device range is mapped to","name": "memory_array_mapped_address_handle","options": {},"type": "TEXT_TYPE"},
{"description": "Physical stating address, in kilobytes, of a range of memory mapped to physical memory array","name": "starting_address","options": {},"type": "TEXT_TYPE"},
{"description": "Physical ending address of last kilobyte of a range of memory mapped to physical memory array","name": "ending_address","options": {},"type": "TEXT_TYPE"},
{"description": "Identifies the position of the referenced memory device in a row of the address partition","name": "partition_row_position","options": {},"type": "INTEGER_TYPE"},
{"description": "The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.","name": "interleave_position","options": {},"type": "INTEGER_TYPE"},
{"description": "The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave","name": "interleave_data_depth","options": {},"type": "INTEGER_TYPE"}
],
"description": "Data associated for address mapping of physical memory devices.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryDeviceMappedAddresses",
"name": "memory_device_mapped_addresses",
"profile": {}
},
{
"attributes": {
"no_pkey": true,
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local owner of authorized_keys file","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "algorithim of key","name": "algorithm","options": {},"type": "TEXT_TYPE"},
{"description": "parsed authorized keys line","name": "key","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Path to the authorized_keys file","name": "key_file","options": {"index": true},"type": "TEXT_TYPE"}
],
"description": "A line-delimited authorized_keys table.",
"examples": [
"select * from users join authorized_keys using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "getAuthorizedKeys",
"name": "authorized_keys",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the extension","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Extension display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension identifier","name": "identifier","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Extension-supplied version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Extension-optional description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Default locale supported by extension","name": "locale","options": {},"type": "TEXT_TYPE"},
{"description": "Extension-supplied update URI","name": "update_url","options": {},"type": "TEXT_TYPE"},
{"description": "Optional extension author","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "1 If extension is persistent across all tabs else 0","name": "persistent","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to extension folder","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Opera browser extensions.",
"examples": [
"select * from users join opera_extensions using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genOperaExtensions",
"name": "opera_extensions",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Docker system ID","name": "id","options": {},"type": "TEXT_TYPE"},
{"description": "Total number of containers","name": "containers","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of containers currently running","name": "containers_running","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of containers in paused state","name": "containers_paused","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of containers in stopped state","name": "containers_stopped","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of images","name": "images","options": {},"type": "INTEGER_TYPE"},
{"description": "Storage driver","name": "storage_driver","options": {},"type": "TEXT_TYPE"},
{"description": "1 if memory limit support is enabled. 0 otherwise","name": "memory_limit","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if swap limit support is enabled. 0 otherwise","name": "swap_limit","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if kernel memory limit support is enabled. 0 otherwise","name": "kernel_memory","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise","name": "cpu_cfs_period","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise","name": "cpu_cfs_quota","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if CPU share weighting support is enabled. 0 otherwise","name": "cpu_shares","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if CPU set selection support is enabled. 0 otherwise","name": "cpu_set","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if IPv4 forwarding is enabled. 0 otherwise","name": "ipv4_forwarding","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if bridge netfilter iptables is enabled. 0 otherwise","name": "bridge_nf_iptables","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if bridge netfilter ip6tables is enabled. 0 otherwise","name": "bridge_nf_ip6tables","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if Out-of-memory kill is disabled. 0 otherwise","name": "oom_kill_disable","options": {},"type": "INTEGER_TYPE"},
{"description": "Logging driver","name": "logging_driver","options": {},"type": "TEXT_TYPE"},
{"description": "Control groups driver","name": "cgroup_driver","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel version","name": "kernel_version","options": {},"type": "TEXT_TYPE"},
{"description": "Operating system","name": "os","options": {},"type": "TEXT_TYPE"},
{"description": "Operating system type","name": "os_type","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware architecture","name": "architecture","options": {},"type": "TEXT_TYPE"},
{"description": "Number of CPUs","name": "cpus","options": {},"type": "INTEGER_TYPE"},
{"description": "Total memory","name": "memory","options": {},"type": "BIGINT_TYPE"},
{"description": "HTTP proxy","name": "http_proxy","options": {},"type": "TEXT_TYPE"},
{"description": "HTTPS proxy","name": "https_proxy","options": {},"type": "TEXT_TYPE"},
{"description": "Comma-separated list of domain extensions proxy should not be used for","name": "no_proxy","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the docker host","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Server version","name": "server_version","options": {},"type": "TEXT_TYPE"},
{"description": "Docker root directory","name": "root_dir","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker system information.",
"examples": [
"select * from docker_info"
],
"foreign_keys": [],
"function": "genInfo",
"name": "docker_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Protocol (tcp, udp)","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Port inside the container","name": "port","options": {},"type": "INTEGER_TYPE"},
{"description": "Host IP address on which public port is listening","name": "host_ip","options": {},"type": "TEXT_TYPE"},
{"description": "Host port","name": "host_port","options": {},"type": "INTEGER_TYPE"}
],
"description": "Docker container ports.",
"examples": [
"select * from docker_container_ports",
"select * from docker_container_ports where id = '1234567890abcdef'",
"select * from docker_container_ports where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genContainerPorts",
"name": "docker_container_ports",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Disk name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Disk Universally Unique Identifier","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "1 If encrypted: true (disk is encrypted), else 0","name": "encrypted","options": {},"type": "INTEGER_TYPE"},
{"description": "Description of cipher type and mode if available","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Currently authenticated user if available (Apple)","name": "uid","options": {},"type": "TEXT_TYPE"},
{"description": "UUID of authenticated user if available (Apple)","name": "user_uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Disk encryption status with one of following values: encrypted | not encrypted | undefined","name": "encryption_status","options": {},"type": "TEXT_TYPE"}
],
"description": "Disk encryption status and information.",
"examples": [],
"foreign_keys": [
{"column": "name","table": "block_devices"},
{"column": "uuid","table": "block_devices"}
],
"function": "genFDEStatus",
"name": "disk_encryption",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Handle, or instance number, associated with the array","name": "handle","options": {},"type": "TEXT_TYPE"},
{"description": "Physical location of the memory array","name": "location","options": {},"type": "TEXT_TYPE"},
{"description": "Function for which the array is used","name": "use","options": {},"type": "TEXT_TYPE"},
{"description": "Primary hardware error correction or detection method supported","name": "memory_error_correction","options": {},"type": "TEXT_TYPE"},
{"description": "Maximum capacity of array in gigabytes","name": "max_capacity","options": {},"type": "INTEGER_TYPE"},
{"description": "Handle, or instance number, associated with any error that was detected for the array","name": "memory_error_info_handle","options": {},"type": "TEXT_TYPE"},
{"description": "Number of memory devices on array","name": "number_memory_devices","options": {},"type": "INTEGER_TYPE"}
],
"description": "Data associated with collection of memory devices that operate to form a memory address.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryArrays",
"name": "memory_arrays",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "USB Device used address","name": "usb_address","options": {},"type": "INTEGER_TYPE"},
{"description": "USB Device used port","name": "usb_port","options": {},"type": "INTEGER_TYPE"},
{"description": "USB Device vendor string","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded USB Device vendor identifier","name": "vendor_id","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device version number","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device model string","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded USB Device model identifier","name": "model_id","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device serial connection","name": "serial","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device class","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device subclass","name": "subclass","options": {},"type": "TEXT_TYPE"},
{"description": "USB Device protocol","name": "protocol","options": {},"type": "TEXT_TYPE"},
{"description": "1 If USB device is removable else 0","name": "removable","options": {},"type": "INTEGER_TYPE"}
],
"description": "USB devices that are actively plugged into the host system.",
"examples": [],
"foreign_keys": [],
"function": "genUSBDevices",
"name": "usb_devices",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Address of prometheus target","name": "target_name","options": {},"type": "TEXT_TYPE"},
{"description": "Name of collected Prometheus metric","name": "metric_name","options": {},"type": "TEXT_TYPE"},
{"description": "Value of collected Prometheus metric","name": "metric_value","options": {},"type": "DOUBLE_TYPE"},
{"description": "Unix timestamp of collected data in MS","name": "timestamp_ms","options": {},"type": "BIGINT_TYPE"}
],
"description": "Network interfaces and relevant metadata.",
"examples": [],
"foreign_keys": [],
"function": "genPrometheusMetrics",
"name": "prometheus_metrics",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Period over which the average is calculated.","name": "period","options": {},"type": "TEXT_TYPE"},
{"description": "Load average over the specified period.","name": "average","options": {},"type": "TEXT_TYPE"}
],
"description": "Displays information about the system wide load averages.",
"examples": [
"select * from load_average;"
],
"foreign_keys": [],
"function": "genLoadAverage",
"name": "load_average",
"profile": {}
},
{
"attributes": {
"no_pkey": true,
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local owner of the ssh_config file","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "The host or match block","name": "block","options": {},"type": "TEXT_TYPE"},
{"description": "The option and value","name": "option","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Path to the ssh_config file","name": "ssh_config_file","options": {"index": true},"type": "TEXT_TYPE"}
],
"description": "A table of parsed ssh_configs.",
"examples": [
"select * from users join ssh_configs using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "getSshConfigs",
"name": "ssh_configs",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Repository name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Source file","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Repository base URI","name": "base_uri","options": {},"type": "TEXT_TYPE"},
{"description": "Release name","name": "release","options": {},"type": "TEXT_TYPE"},
{"description": "Repository source version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Repository maintainer","name": "maintainer","options": {},"type": "TEXT_TYPE"},
{"description": "Repository components","name": "components","options": {},"type": "TEXT_TYPE"},
{"description": "Repository architectures","name": "architectures","options": {},"type": "TEXT_TYPE"}
],
"description": "Current\u00a0list of APT repositories or software channels.",
"examples": [],
"foreign_keys": [],
"function": "genAptSrcs",
"name": "apt_sources",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Address type index or order","name": "id","options": {},"type": "INTEGER_TYPE"},
{"description": "Address type: sortlist, nameserver, search","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Resolver IP/IPv6 address","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "Address (sortlist) netmask length","name": "netmask","options": {},"type": "TEXT_TYPE"},
{"description": "Resolver options","name": "options","options": {},"type": "BIGINT_TYPE"}
],
"description": "Resolvers used by this host.",
"examples": [],
"foreign_keys": [],
"function": "genDNSResolvers",
"name": "dns_resolvers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Repository name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Repository base URL","name": "baseurl","options": {},"type": "TEXT_TYPE"},
{"description": "Whether the repository is used","name": "enabled","options": {},"type": "TEXT_TYPE"},
{"description": "Whether packages are GPG checked","name": "gpgcheck","options": {},"type": "TEXT_TYPE"},
{"description": "URL to GPG key","name": "gpgkey","options": {},"type": "TEXT_TYPE"}
],
"description": "Current\u00a0list of Yum repositories or software channels.",
"examples": [],
"foreign_keys": [],
"function": "genYumSrcs",
"name": "yum_sources",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Entry username","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "Entry terminal","name": "tty","options": {},"type": "TEXT_TYPE"},
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "INTEGER_TYPE"},
{"description": "Entry type, according to ut_type types (utmp.h)","name": "type","options": {},"type": "INTEGER_TYPE"},
{"description": "Entry timestamp","name": "time","options": {},"type": "INTEGER_TYPE"},
{"description": "Entry hostname","name": "host","options": {},"type": "TEXT_TYPE"}
],
"description": "System logins and logouts.",
"examples": [],
"foreign_keys": [],
"function": "genLastAccess",
"name": "last",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Remove, insert, change properties, etc","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "Local device path assigned (optional)","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Type of hardware and hardware event","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Driver claiming the device","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware device vendor","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded Hardware vendor identifier","name": "vendor_id","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware device model","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded Hardware model identifier","name": "model_id","options": {},"type": "TEXT_TYPE"},
{"description": "Device serial (optional)","name": "serial","options": {},"type": "TEXT_TYPE"},
{"description": "Device revision (optional)","name": "revision","options": {},"type": "TEXT_TYPE"},
{"description": "Time of hardware event","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "hardware_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Image ID","name": "id","options": {},"type": "TEXT_TYPE"},
{"description": "Time of creation as UNIX time","name": "created","options": {},"type": "BIGINT_TYPE"},
{"description": "Size of image in bytes","name": "size_bytes","options": {},"type": "BIGINT_TYPE"},
{"description": "Comma-separated list of repository tags","name": "tags","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker images information.",
"examples": [
"select * from docker_images",
"select * from docker_images where id = '6a2f32de169d'",
"select * from docker_images where id = '6a2f32de169d14e6f8a84538eaa28f2629872d7d4f580a303b296c60db36fbd7'"
],
"foreign_keys": [],
"function": "genImages",
"name": "docker_images",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Volume name","name": "name","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Volume driver","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "Mount point","name": "mount_point","options": {},"type": "TEXT_TYPE"},
{"description": "Volume type","name": "type","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker volumes information.",
"examples": [
"select * from docker_volumes",
"select * from docker_volumes where name = 'btrfs'"
],
"foreign_keys": [],
"function": "genVolumes",
"name": "docker_volumes",
"profile": {}
},
{
"attributes": {
"no_pkey": true,
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the known_hosts file","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "parsed authorized keys line","name": "key","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Path to known_hosts file","name": "key_file","options": {"index": true},"type": "TEXT_TYPE"}
],
"description": "A line-delimited known_hosts table.",
"examples": [
"select * from users join known_hosts using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "getKnownHostsKeys",
"name": "known_hosts",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "PCI Device used slot","name": "pci_slot","options": {},"type": "TEXT_TYPE"},
{"description": "PCI Device class","name": "pci_class","options": {},"type": "TEXT_TYPE"},
{"description": "PCI Device used driver","name": "driver","options": {},"type": "TEXT_TYPE"},
{"description": "PCI Device vendor","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded PCI Device vendor identifier","name": "vendor_id","options": {},"type": "TEXT_TYPE"},
{"description": "PCI Device model","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "Hex encoded PCI Device model identifier","name": "model_id","options": {},"type": "TEXT_TYPE"}
],
"description": "PCI devices active on the host system.",
"examples": [],
"foreign_keys": [],
"function": "genPCIDevices",
"name": "pci_devices",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The node path of the configuration item","name": "node","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "The value of the configuration item","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "The label of the configuration item","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "The path to the configuration file","name": "path","options": {"additional": true},"type": "TEXT_TYPE"}
],
"description": "Configuration files parsed by augeas.",
"examples": [
"select * from augeas where path = '/etc/hosts'"
],
"foreign_keys": [],
"function": "genAugeas",
"name": "augeas",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "The path associated with the event","name": "target_path","options": {},"type": "TEXT_TYPE"},
{"description": "The category of the file defined in the config","name": "category","options": {},"type": "TEXT_TYPE"},
{"description": "Change action (UPDATE, REMOVE, etc)","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "ID used during bulk update","name": "transaction_id","options": {},"type": "BIGINT_TYPE"},
{"description": "Filesystem inode number","name": "inode","options": {},"type": "BIGINT_TYPE"},
{"description": "Owning user ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Owning group ID","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Permission bits","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "Size of file in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Last access time","name": "atime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last modification time","name": "mtime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last status change time","name": "ctime","options": {},"type": "BIGINT_TYPE"},
{"description": "The MD5 of the file after change","name": "md5","options": {},"type": "TEXT_TYPE"},
{"description": "The SHA1 of the file after change","name": "sha1","options": {},"type": "TEXT_TYPE"},
{"description": "The SHA256 of the file after change","name": "sha256","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the file was hashed, 0 if not, -1 if hashing failed","name": "hashed","options": {},"type": "INTEGER_TYPE"},
{"description": "Time of file event","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track time/action changes to files specified in configuration data.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "file_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Label key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Optional label value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker container labels.",
"examples": [
"select * from docker_container_labels",
"select * from docker_container_labels where id = '1234567890abcdef'",
"select * from docker_container_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genContainerLabels",
"name": "docker_container_labels",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the addon","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Addon display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Addon identifier","name": "identifier","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Addon-supported creator string","name": "creator","options": {},"type": "TEXT_TYPE"},
{"description": "Extension, addon, webapp","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Addon-supplied version string","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Addon-supplied description string","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "URL that installed the addon","name": "source_url","options": {},"type": "TEXT_TYPE"},
{"description": "1 If the addon is shown in browser else 0","name": "visible","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the addon is active else 0","name": "active","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the addon is application-disabled else 0","name": "disabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the addon applies background updates else 0","name": "autoupdate","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the addon includes binary components else 0","name": "native","options": {},"type": "INTEGER_TYPE"},
{"description": "Global, profile location","name": "location","options": {},"type": "TEXT_TYPE"},
{"description": "Path to plugin bundle","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Firefox browser extensions, webapps, and addons.",
"examples": [
"select * from users join firefox_addons using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genFirefoxAddons",
"name": "firefox_addons",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Table entry number","name": "number","options": {},"type": "INTEGER_TYPE"},
{"description": "Table entry type","name": "type","options": {},"type": "INTEGER_TYPE"},
{"description": "Table entry description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Table entry handle","name": "handle","options": {},"type": "INTEGER_TYPE"},
{"description": "Header size in bytes","name": "header_size","options": {},"type": "INTEGER_TYPE"},
{"description": "Table entry size in bytes","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "MD5 hash of table entry","name": "md5","options": {},"type": "TEXT_TYPE"}
],
"description": "BIOS (DMI) structure common details and content.",
"examples": [],
"foreign_keys": [],
"function": "genSMBIOSTables",
"name": "smbios_tables",
"profile": {}
},
{
"attributes": {
"no_pkey": true,
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the key file","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Path to key file","name": "path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "1 if key is encrypted, 0 otherwise","name": "encrypted","options": {},"type": "INTEGER_TYPE"}
],
"description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.",
"examples": [
"select * from users join user_ssh_keys using (uid) where encrypted = 0"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "getUserSshKeys",
"name": "user_ssh_keys",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the cpu (core)","name": "core","options": {},"type": "INTEGER_TYPE"},
{"description": "Time spent in user mode","name": "user","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent in user mode with low priority (nice)","name": "nice","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent in system mode","name": "system","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent in the idle task","name": "idle","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent waiting for I/O to complete","name": "iowait","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent servicing interrupts","name": "irq","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent servicing softirqs","name": "softirq","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent in other operating systems when running in a virtualized environment","name": "steal","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent running a virtual CPU for a guest OS under the control of the Linux kernel","name": "guest","options": {},"type": "BIGINT_TYPE"},
{"description": "Time spent running a niced guest ","name": "guest_nice","options": {},"type": "BIGINT_TYPE"}
],
"description": "Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.",
"examples": [],
"foreign_keys": [],
"function": "genCpuTime",
"name": "cpu_time",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "Container name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Number of processes","name": "pids","options": {},"type": "INTEGER_TYPE"},
{"description": "UNIX time when stats were read","name": "read","options": {},"type": "BIGINT_TYPE"},
{"description": "UNIX time when stats were last read","name": "preread","options": {},"type": "BIGINT_TYPE"},
{"description": "Difference between read and preread in nano-seconds","name": "interval","options": {},"type": "BIGINT_TYPE"},
{"description": "Total disk read bytes","name": "disk_read","options": {},"type": "BIGINT_TYPE"},
{"description": "Total disk write bytes","name": "disk_write","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of processors","name": "num_procs","options": {},"type": "INTEGER_TYPE"},
{"description": "Total CPU usage","name": "cpu_total_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "CPU kernel mode usage","name": "cpu_kernelmode_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "CPU user mode usage","name": "cpu_usermode_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "CPU system usage","name": "system_cpu_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Online CPUs","name": "online_cpus","options": {},"type": "INTEGER_TYPE"},
{"description": "Last read total CPU usage","name": "pre_cpu_total_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Last read CPU kernel mode usage","name": "pre_cpu_kernelmode_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Last read CPU user mode usage","name": "pre_cpu_usermode_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Last read CPU system usage","name": "pre_system_cpu_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Last read online CPUs","name": "pre_online_cpus","options": {},"type": "INTEGER_TYPE"},
{"description": "Memory usage","name": "memory_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Memory maximum usage","name": "memory_max_usage","options": {},"type": "BIGINT_TYPE"},
{"description": "Memory limit","name": "memory_limit","options": {},"type": "BIGINT_TYPE"},
{"description": "Total network bytes read","name": "network_rx_bytes","options": {},"type": "BIGINT_TYPE"},
{"description": "Total network bytes transmitted","name": "network_tx_bytes","options": {},"type": "BIGINT_TYPE"}
],
"description": "Docker container statistics. Queries on this table take at least one second.",
"examples": [
"select * from docker_container_stats where id = 'de8cfdc74c850967'",
"select * from docker_container_stats where id = 'de8cfdc74c850967fd3832e128f4d12e2d5476a4aea282734bfb7e57f66fce2f'"
],
"foreign_keys": [],
"function": "genContainerStats",
"name": "docker_container_stats",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Symbol for given rule","name": "header","options": {},"type": "TEXT_TYPE"},
{"description": "Rule definition","name": "rule_details","options": {},"type": "TEXT_TYPE"}
],
"description": "Rules for running commands as other users via sudo.",
"examples": [],
"foreign_keys": [],
"function": "genSudoers",
"name": "sudoers",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "ACPI table name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Size of compiled table data","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "MD5 hash of table content","name": "md5","options": {},"type": "TEXT_TYPE"}
],
"description": "Firmware ACPI functional table common metadata and content.",
"examples": [],
"foreign_keys": [],
"function": "genACPITables",
"name": "acpi_tables",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Binary path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Binary owner username","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "Binary owner group","name": "groupname","options": {},"type": "TEXT_TYPE"},
{"description": "Binary permissions","name": "permissions","options": {},"type": "TEXT_TYPE"}
],
"description": "suid binaries in common locations.",
"examples": [],
"foreign_keys": [],
"function": "genSuidBin",
"name": "suid_bin",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Container ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Network name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Network ID","name": "network_id","options": {},"type": "TEXT_TYPE"},
{"description": "Endpoint ID","name": "endpoint_id","options": {},"type": "TEXT_TYPE"},
{"description": "Gateway","name": "gateway","options": {},"type": "TEXT_TYPE"},
{"description": "IP address","name": "ip_address","options": {},"type": "TEXT_TYPE"},
{"description": "IP subnet prefix length","name": "ip_prefix_len","options": {},"type": "INTEGER_TYPE"},
{"description": "IPv6 gateway","name": "ipv6_gateway","options": {},"type": "TEXT_TYPE"},
{"description": "IPv6 address","name": "ipv6_address","options": {},"type": "TEXT_TYPE"},
{"description": "IPv6 subnet prefix length","name": "ipv6_prefix_len","options": {},"type": "INTEGER_TYPE"},
{"description": "MAC address","name": "mac_address","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker container networks.",
"examples": [
"select * from docker_container_networks",
"select * from docker_container_networks where id = '1234567890abcdef'",
"select * from docker_container_networks where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genContainerNetworks",
"name": "docker_container_networks",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "User ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Audit User ID","name": "auid","options": {},"type": "BIGINT_TYPE"},
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Message from the event","name": "message","options": {},"type": "TEXT_TYPE"},
{"description": "The file description for the process socket","name": "type","options": {},"type": "INTEGER_TYPE"},
{"description": "Supplied path from event","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The Internet protocol address or family ID","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "The network protocol ID","name": "terminal","options": {},"type": "TEXT_TYPE"},
{"description": "Time of execution in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in system uptime","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track user events from the audit framework.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "user_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Full sysctl MIB name","name": "name","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Control MIB","name": "oid","options": {"additional": true},"type": "TEXT_TYPE"},
{"description": "Subsystem ID, control type","name": "subsystem","options": {},"type": "TEXT_TYPE"},
{"description": "Value of setting","name": "current_value","options": {},"type": "TEXT_TYPE"},
{"description": "The MIB value set in /etc/sysctl.conf","name": "config_value","options": {},"type": "TEXT_TYPE"},
{"description": "Data type","name": "type","options": {},"type": "TEXT_TYPE"}
],
"description": "sysctl names, values, and settings information.",
"examples": [],
"foreign_keys": [],
"function": "genSystemControls",
"name": "system_controls",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Network ID","name": "id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Label key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Optional label value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Docker network labels.",
"examples": [
"select * from docker_network_labels",
"select * from docker_network_labels where id = '1234567890abcdef'",
"select * from docker_network_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'"
],
"foreign_keys": [],
"function": "genNetworkLabels",
"name": "docker_network_labels",
"profile": {}
}
]
},
{
"key": "freebsd",
"name": "FreeBSD",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Module name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Size of module content","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "Module reverse dependencies","name": "refs","options": {},"type": "INTEGER_TYPE"},
{"description": "Kernel module address","name": "address","options": {},"type": "TEXT_TYPE"}
],
"description": "Loaded FreeBSD kernel modules.",
"examples": [],
"foreign_keys": [],
"function": "genFbsdKernelModules",
"name": "fbsd_kmods",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package size in bytes","name": "flatsize","options": {},"type": "BIGINT_TYPE"},
{"description": "Architecture(s) supported","name": "arch","options": {},"type": "TEXT_TYPE"}
],
"description": "pkgng packages that are currently installed on the host system.",
"examples": [],
"foreign_keys": [],
"function": "genPkgPackages",
"name": "pkg_packages",
"profile": {}
}
]
},
{
"key": "linux",
"name": "Ubuntu, CentOS",
"tables": [
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Event type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Message","name": "message","options": {},"type": "TEXT_TYPE"},
{"description": "Time of execution in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in system uptime","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track SELinux events.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "selinux_events",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "The socket action (bind, listen, close)","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Path of executed file","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The file description for the process socket","name": "fd","options": {},"type": "TEXT_TYPE"},
{"description": "Audit User ID","name": "auid","options": {},"type": "BIGINT_TYPE"},
{"description": "The socket open attempt status","name": "success","options": {},"type": "INTEGER_TYPE"},
{"description": "The Internet protocol family ID","name": "family","options": {},"type": "INTEGER_TYPE"},
{"description": "The network protocol ID","name": "protocol","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "Local address associated with socket","name": "local_address","options": {},"type": "TEXT_TYPE"},
{"description": "Remote address associated with socket","name": "remote_address","options": {},"type": "TEXT_TYPE"},
{"description": "Local network protocol port number","name": "local_port","options": {},"type": "INTEGER_TYPE"},
{"description": "Remote network protocol port number","name": "remote_port","options": {},"type": "INTEGER_TYPE"},
{"description": "The local path (UNIX domain socket only)","name": "socket","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Time of execution in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in system uptime","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track network socket opens and closes.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "socket_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Symbol name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Symbol address (value)","name": "addr","options": {},"type": "INTEGER_TYPE"},
{"description": "Size of object","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "Symbol type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Binding type","name": "binding","options": {},"type": "TEXT_TYPE"},
{"description": "Section table index","name": "offset","options": {},"type": "INTEGER_TYPE"},
{"description": "Table name containing symbol","name": "table","options": {},"type": "TEXT_TYPE"},
{"description": "Path to ELF file","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"}
],
"description": "ELF symbol list.",
"examples": [
"select * from elf_symbols where path = '/usr/bin/grep'"
],
"foreign_keys": [],
"function": "getELFSymbols",
"name": "elf_symbols",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "package","options": {},"type": "TEXT_TYPE"},
{"description": "The version of the installed package","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "USE flag which has been enabled for package","name": "use","options": {},"type": "TEXT_TYPE"}
],
"description": "List of enabled portage USE values for specific package.",
"examples": [],
"foreign_keys": [],
"function": "genPortageUse",
"name": "portage_use",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "RPM package name","name": "package","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Path name","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "File default username from info DB","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "File default groupname from info DB","name": "groupname","options": {},"type": "TEXT_TYPE"},
{"description": "File permissions mode from info DB","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "Expected file size in bytes from RPM info DB","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "SHA256 file digest from RPM info DB","name": "sha256","options": {},"type": "TEXT_TYPE"}
],
"description": "RPM packages that are currently installed on the host system.",
"examples": [],
"foreign_keys": [],
"function": "genRpmPackageFiles",
"name": "rpm_package_files",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Shared memory segment ID","name": "shmid","options": {},"type": "INTEGER_TYPE"},
{"description": "User ID of owning process","name": "owner_uid","options": {},"type": "BIGINT_TYPE"},
{"description": "User ID of creator process","name": "creator_uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Process ID to last use the segment","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Process ID that created the segment","name": "creator_pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Attached time","name": "atime","options": {},"type": "BIGINT_TYPE"},
{"description": "Detached time","name": "dtime","options": {},"type": "BIGINT_TYPE"},
{"description": "Changed time","name": "ctime","options": {},"type": "BIGINT_TYPE"},
{"description": "Memory segment permissions","name": "permissions","options": {},"type": "TEXT_TYPE"},
{"description": "Size in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of attached processes","name": "attached","options": {},"type": "INTEGER_TYPE"},
{"description": "Destination/attach status","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "1 if segment is locked else 0","name": "locked","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS shared memory regions.",
"examples": [],
"foreign_keys": [],
"function": "genSharedMemory",
"name": "shared_memory",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Packet matching filter table name.","name": "filter_name","options": {},"type": "TEXT_TYPE"},
{"description": "Size of module content.","name": "chain","options": {},"type": "TEXT_TYPE"},
{"description": "Policy that applies for this rule.","name": "policy","options": {},"type": "TEXT_TYPE"},
{"description": "Target that applies for this rule.","name": "target","options": {},"type": "TEXT_TYPE"},
{"description": "Protocol number identification.","name": "protocol","options": {},"type": "INTEGER_TYPE"},
{"description": "Protocol source port(s).","name": "src_port","options": {},"type": "TEXT_TYPE"},
{"description": "Protocol destination port(s).","name": "dst_port","options": {},"type": "TEXT_TYPE"},
{"description": "Source IP address.","name": "src_ip","options": {},"type": "TEXT_TYPE"},
{"description": "Source IP address mask.","name": "src_mask","options": {},"type": "TEXT_TYPE"},
{"description": "Input interface for the rule.","name": "iniface","options": {},"type": "TEXT_TYPE"},
{"description": "Input interface mask for the rule.","name": "iniface_mask","options": {},"type": "TEXT_TYPE"},
{"description": "Destination IP address.","name": "dst_ip","options": {},"type": "TEXT_TYPE"},
{"description": "Destination IP address mask.","name": "dst_mask","options": {},"type": "TEXT_TYPE"},
{"description": "Output interface for the rule.","name": "outiface","options": {},"type": "TEXT_TYPE"},
{"description": "Output interface mask for the rule.","name": "outiface_mask","options": {},"type": "TEXT_TYPE"},
{"description": "Matching rule that applies.","name": "match","options": {},"type": "TEXT_TYPE"},
{"description": "Number of matching packets for this rule.","name": "packets","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of matching bytes for this rule.","name": "bytes","options": {},"type": "INTEGER_TYPE"}
],
"description": "Linux IP packet filtering and NAT tool.",
"examples": [],
"foreign_keys": [],
"function": "genIptables",
"name": "iptables",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "package","options": {},"type": "TEXT_TYPE"},
{"description": "The version which are affected by the use flags, empty means all","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "The keyword applied to the package","name": "keyword","options": {},"type": "TEXT_TYPE"},
{"description": "If the package is masked","name": "mask","options": {},"type": "INTEGER_TYPE"},
{"description": "If the package is unmasked","name": "unmask","options": {},"type": "INTEGER_TYPE"}
],
"description": "A summary about portage configurations like keywords, mask and unmask.",
"examples": [],
"foreign_keys": [],
"function": "genPortageKeywordSummary",
"name": "portage_keywords",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Segment type/name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Segment offset in file","name": "offset","options": {},"type": "INTEGER_TYPE"},
{"description": "Segment virtual address in memory","name": "vaddr","options": {},"type": "INTEGER_TYPE"},
{"description": "Size of segment in file","name": "psize","options": {},"type": "INTEGER_TYPE"},
{"description": "Segment offset in memory","name": "msize","options": {},"type": "INTEGER_TYPE"},
{"description": "Segment attributes","name": "flags","options": {},"type": "TEXT_TYPE"},
{"description": "Segment alignment","name": "align","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to ELF file","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"}
],
"description": "ELF segment information.",
"examples": [
"select * from elf_segments where path = '/usr/bin/grep'"
],
"foreign_keys": [],
"function": "getELFSegments",
"name": "elf_segments",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "md device name","name": "device_name","options": {},"type": "TEXT_TYPE"},
{"description": "Current state of the array","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "Current raid level of the array","name": "raid_level","options": {},"type": "INTEGER_TYPE"},
{"description": "size of the array in blocks","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "chunk size in bytes","name": "chunk_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of configured RAID disks in array","name": "raid_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of partitions or disk devices to comprise the array","name": "nr_raid_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of working disks in array","name": "working_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of active disks in array","name": "active_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of active disks in array","name": "failed_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of active disks in array","name": "spare_disks","options": {},"type": "INTEGER_TYPE"},
{"description": "State of the superblock","name": "superblock_state","options": {},"type": "TEXT_TYPE"},
{"description": "Version of the superblock","name": "superblock_version","options": {},"type": "TEXT_TYPE"},
{"description": "Unix timestamp of last update","name": "superblock_update_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Pages allocated in in-memory bitmap, if enabled","name": "bitmap_on_mem","options": {},"type": "TEXT_TYPE"},
{"description": "Bitmap chunk size","name": "bitmap_chunk_size","options": {},"type": "TEXT_TYPE"},
{"description": "External referenced bitmap file","name": "bitmap_external_file","options": {},"type": "TEXT_TYPE"},
{"description": "Progress of the recovery activity","name": "recovery_progress","options": {},"type": "TEXT_TYPE"},
{"description": "Estimated duration of recovery activity","name": "recovery_finish","options": {},"type": "TEXT_TYPE"},
{"description": "Speed of recovery activity","name": "recovery_speed","options": {},"type": "TEXT_TYPE"},
{"description": "Progress of the resync activity","name": "resync_progress","options": {},"type": "TEXT_TYPE"},
{"description": "Estimated duration of resync activity","name": "resync_finish","options": {},"type": "TEXT_TYPE"},
{"description": "Speed of resync activity","name": "resync_speed","options": {},"type": "TEXT_TYPE"},
{"description": "Progress of the reshape activity","name": "reshape_progress","options": {},"type": "TEXT_TYPE"},
{"description": "Estimated duration of reshape activity","name": "reshape_finish","options": {},"type": "TEXT_TYPE"},
{"description": "Speed of reshape activity","name": "reshape_speed","options": {},"type": "TEXT_TYPE"},
{"description": "Progress of the resync activity","name": "check_array_progress","options": {},"type": "TEXT_TYPE"},
{"description": "Estimated duration of resync activity","name": "check_array_finish","options": {},"type": "TEXT_TYPE"},
{"description": "Speed of resync activity","name": "check_array_speed","options": {},"type": "TEXT_TYPE"},
{"description": "Unused devices","name": "unused_devices","options": {},"type": "TEXT_TYPE"},
{"description": "Other information associated with array from /proc/mdstat","name": "other","options": {},"type": "TEXT_TYPE"}
],
"description": "Software RAID array settings.",
"examples": [],
"foreign_keys": [],
"function": "genMDDevices",
"name": "md_devices",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "cgroup namespace inode","name": "cgroup_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "ipc namespace inode","name": "ipc_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "mnt namespace inode","name": "mnt_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "net namespace inode","name": "net_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "pid namespace inode","name": "pid_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "user namespace inode","name": "user_namespace","options": {},"type": "TEXT_TYPE"},
{"description": "uts namespace inode","name": "uts_namespace","options": {},"type": "TEXT_TYPE"}
],
"description": "Linux namespaces for processes running on the host system.",
"examples": [
"select * from process_namespaces where pid = 1"
],
"foreign_keys": [],
"function": "genProcessNamespaces",
"name": "process_namespaces",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Current unix epoch time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Time known to syslog","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "Hostname configured for syslog","name": "host","options": {},"type": "TEXT_TYPE"},
{"description": "Syslog severity","name": "severity","options": {},"type": "INTEGER_TYPE"},
{"description": "Syslog facility","name": "facility","options": {},"type": "TEXT_TYPE"},
{"description": "The syslog tag","name": "tag","options": {},"type": "TEXT_TYPE"},
{"description": "The syslog message","name": "message","options": {},"type": "TEXT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "syslog_events",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "RPM package name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package release","name": "release","options": {},"type": "TEXT_TYPE"},
{"description": "Source RPM package name (optional)","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Package size in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "SHA1 hash of the package contents","name": "sha1","options": {},"type": "TEXT_TYPE"},
{"description": "Architecture(s) supported","name": "arch","options": {},"type": "TEXT_TYPE"}
],
"description": "RPM packages that are currently installed on the host system.",
"examples": [],
"foreign_keys": [],
"function": "genRpmPackages",
"name": "rpm_packages",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "package","options": {},"type": "TEXT_TYPE"},
{"description": "The version which are affected by the use flags, empty means all","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "The slot used by package","name": "slot","options": {},"type": "TEXT_TYPE"},
{"description": "Unix time when package was built","name": "build_time","options": {},"type": "BIGINT_TYPE"},
{"description": "From which repository the ebuild was used","name": "repository","options": {},"type": "TEXT_TYPE"},
{"description": "The eapi for the ebuild","name": "eapi","options": {},"type": "BIGINT_TYPE"},
{"description": "The size of the package","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "If package is in the world file","name": "world","options": {},"type": "INTEGER_TYPE"}
],
"description": "List of currently installed packages.",
"examples": [],
"foreign_keys": [],
"function": "portagePackages",
"name": "portage_packages",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Operation type","name": "operation","options": {},"type": "TEXT_TYPE"},
{"description": "Process ID","name": "pid","options": {},"type": "BIGINT_TYPE"},
{"description": "Parent process ID","name": "ppid","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of execution in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "The executable path","name": "executable","options": {},"type": "TEXT_TYPE"},
{"description": "True if this is a partial event (i.e.: this process existed before we started osquery)","name": "partial","options": {},"type": "TEXT_TYPE"},
{"description": "The current working directory of the process","name": "cwd","options": {},"type": "TEXT_TYPE"},
{"description": "The path associated with the event","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The canonical path associated with the event","name": "dest_path","options": {},"type": "TEXT_TYPE"},
{"description": "The uid of the process performing the action","name": "uid","options": {},"type": "TEXT_TYPE"},
{"description": "The gid of the process performing the action","name": "gid","options": {},"type": "TEXT_TYPE"},
{"description": "Effective user ID of the process using the file","name": "euid","options": {},"type": "TEXT_TYPE"},
{"description": "Effective group ID of the process using the file","name": "egid","options": {},"type": "TEXT_TYPE"},
{"description": "Time of execution in system uptime","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "A File Integrity Monitor implementation using the audit service.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "process_file_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "md device name","name": "md_device_name","options": {},"type": "TEXT_TYPE"},
{"description": "Drive device name","name": "drive_name","options": {},"type": "TEXT_TYPE"},
{"description": "Slot position of disk","name": "slot","options": {},"type": "INTEGER_TYPE"},
{"description": "State of the drive","name": "state","options": {},"type": "TEXT_TYPE"}
],
"description": "Drive devices used for Software RAID.",
"examples": [],
"foreign_keys": [],
"function": "genMDDrives",
"name": "md_drives",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "EC2 instance ID","name": "instance_id","options": {},"type": "TEXT_TYPE"},
{"description": "Tag key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Tag value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "EC2 instance tag key value pairs.",
"examples": [
"select * from ec2_instance_tags"
],
"foreign_keys": [],
"function": "genEc2InstanceTags",
"name": "ec2_instance_tags",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package supplied version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package supplied description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Package author name","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "License for package","name": "license","options": {},"type": "TEXT_TYPE"},
{"description": "Module's package.json path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Node module's directory where this package is located","name": "directory","options": {},"type": "TEXT_TYPE"}
],
"description": "Lists all npm packages in a directory or globally installed in a system.",
"examples": [
"select * from npm_packages",
"select * from npm_packages where directory = '/home/user/my_project'"
],
"foreign_keys": [],
"function": "genNPMPackages",
"name": "npm_packages",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Class type, 32 or 64bit","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Section type","name": "abi","options": {},"type": "TEXT_TYPE"},
{"description": "Section virtual address in memory","name": "abi_version","options": {},"type": "INTEGER_TYPE"},
{"description": "Offset of section in file","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Machine type","name": "machine","options": {},"type": "INTEGER_TYPE"},
{"description": "Object file version","name": "version","options": {},"type": "INTEGER_TYPE"},
{"description": "Entry point address","name": "entry","options": {},"type": "BIGINT_TYPE"},
{"description": "ELF header flags","name": "flags","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to ELF file","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"}
],
"description": "ELF file information.",
"examples": [
"select * from elf_info where path = '/usr/bin/grep'"
],
"foreign_keys": [],
"function": "getELFInfo",
"name": "elf_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of personality supported by kernel","name": "name","options": {},"type": "TEXT_TYPE"}
],
"description": "Software RAID setting supported by the kernel.",
"examples": [],
"foreign_keys": [],
"function": "genMDPersonalities",
"name": "md_personalities",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Module name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Size of module content","name": "size","options": {},"type": "TEXT_TYPE"},
{"description": "Module reverse dependencies","name": "used_by","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel module status","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel module address","name": "address","options": {},"type": "TEXT_TYPE"}
],
"description": "Linux kernel modules both loaded and within the load search path.",
"examples": [],
"foreign_keys": [],
"function": "genKernelModules",
"name": "kernel_modules",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Password status","name": "password_status","options": {},"type": "TEXT_TYPE"},
{"description": "Password hashing algorithm","name": "hash_alg","options": {},"type": "TEXT_TYPE"},
{"description": "Date of last password change (starting from UNIX epoch date)","name": "last_change","options": {},"type": "BIGINT_TYPE"},
{"description": "Minimal number of days between password changes","name": "min","options": {},"type": "BIGINT_TYPE"},
{"description": "Maximum number of days between password changes","name": "max","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of days before password expires to warn user about it","name": "warning","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of days after password expires until account is blocked","name": "inactive","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of days since UNIX epoch date until account is disabled","name": "expire","options": {},"type": "BIGINT_TYPE"},
{"description": "Reserved","name": "flag","options": {},"type": "BIGINT_TYPE"},
{"description": "Username","name": "username","options": {"index": true},"type": "TEXT_TYPE"}
],
"description": "Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.",
"examples": [
"select * from shadow where username = 'root'"
],
"foreign_keys": [],
"function": "genShadow",
"name": "shadow",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Total amount of physical RAM, in bytes","name": "memory_total","options": {},"type": "BIGINT_TYPE"},
{"description": "The amount of physical RAM, in bytes, left unused by the system","name": "memory_free","options": {},"type": "BIGINT_TYPE"},
{"description": "The amount of physical RAM, in bytes, used for file buffers","name": "buffers","options": {},"type": "BIGINT_TYPE"},
{"description": "The amount of physical RAM, in bytes, used as cache memory","name": "cached","options": {},"type": "BIGINT_TYPE"},
{"description": "The amount of swap, in bytes, used as cache memory","name": "swap_cached","options": {},"type": "BIGINT_TYPE"},
{"description": "The total amount of buffer or page cache memory, in bytes, that is in active use","name": "active","options": {},"type": "BIGINT_TYPE"},
{"description": "The total amount of buffer or page cache memory, in bytes, that are free and available","name": "inactive","options": {},"type": "BIGINT_TYPE"},
{"description": "The total amount of swap available, in bytes","name": "swap_total","options": {},"type": "BIGINT_TYPE"},
{"description": "The total amount of swap free, in bytes","name": "swap_free","options": {},"type": "BIGINT_TYPE"}
],
"description": "Main memory information in bytes.",
"examples": [],
"foreign_keys": [],
"function": "getMemoryInfo",
"name": "memory_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The processor number as reported in /proc/cpuinfo","name": "processor_number","options": {},"type": "BIGINT_TYPE"},
{"description": "Whether the turbo feature is disabled.","name": "turbo_disabled","options": {},"type": "BIGINT_TYPE"},
{"description": "The turbo feature ratio limit.","name": "turbo_ratio_limit","options": {},"type": "BIGINT_TYPE"},
{"description": "Platform information.","name": "platform_info","options": {},"type": "BIGINT_TYPE"},
{"description": "Performance setting for the processor.","name": "perf_ctl","options": {},"type": "BIGINT_TYPE"},
{"description": "Performance status for the processor.","name": "perf_status","options": {},"type": "BIGINT_TYPE"},
{"description": "Bitfield controling enabled features.","name": "feature_control","options": {},"type": "BIGINT_TYPE"},
{"description": "Run Time Average Power Limiting power limit.","name": "rapl_power_limit","options": {},"type": "BIGINT_TYPE"},
{"description": "Run Time Average Power Limiting energy status.","name": "rapl_energy_status","options": {},"type": "BIGINT_TYPE"},
{"description": "Run Time Average Power Limiting power units.","name": "rapl_power_units","options": {},"type": "BIGINT_TYPE"}
],
"description": "Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.",
"examples": [],
"foreign_keys": [],
"function": "genModelSpecificRegister",
"name": "msr",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Region name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Start address of memory region","name": "start","options": {},"type": "TEXT_TYPE"},
{"description": "End address of memory region","name": "end","options": {},"type": "TEXT_TYPE"}
],
"description": "OS memory region map.",
"examples": [],
"foreign_keys": [],
"function": "genMemoryMap",
"name": "memory_map",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package source","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Package size in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Package architecture","name": "arch","options": {},"type": "TEXT_TYPE"},
{"description": "Package revision","name": "revision","options": {},"type": "TEXT_TYPE"}
],
"description": "The installed DEB package database.",
"examples": [],
"foreign_keys": [],
"function": "genDebPackages",
"name": "deb_packages",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Tag ID","name": "tag","options": {},"type": "INTEGER_TYPE"},
{"description": "Tag value","name": "value","options": {},"type": "INTEGER_TYPE"},
{"description": "Class (32 or 64)","name": "class","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to ELF file","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"}
],
"description": "ELF dynamic section information.",
"examples": [
"select * from elf_dynamic where path = '/usr/bin/grep'"
],
"foreign_keys": [],
"function": "getELFDynamic",
"name": "elf_dynamic",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "EC2 instance ID","name": "instance_id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "EC2 instance type","name": "instance_type","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware architecture of this EC2 instance","name": "architecture","options": {},"type": "TEXT_TYPE"},
{"description": "AWS region in which this instance launched","name": "region","options": {},"type": "TEXT_TYPE"},
{"description": "Availability zone in which this instance launched","name": "availability_zone","options": {},"type": "TEXT_TYPE"},
{"description": "Private IPv4 DNS hostname of the first interface of this instance","name": "local_hostname","options": {},"type": "TEXT_TYPE"},
{"description": "Private IPv4 address of the first interface of this instance","name": "local_ipv4","options": {},"type": "TEXT_TYPE"},
{"description": "MAC address for the first network interface of this EC2 instance","name": "mac","options": {},"type": "TEXT_TYPE"},
{"description": "Comma separated list of security group names","name": "security_groups","options": {},"type": "TEXT_TYPE"},
{"description": "If there is an IAM role associated with the instance, contains instance profile ARN","name": "iam_arn","options": {},"type": "TEXT_TYPE"},
{"description": "AMI ID used to launch this EC2 instance","name": "ami_id","options": {},"type": "TEXT_TYPE"},
{"description": "ID of the reservation","name": "reservation_id","options": {},"type": "TEXT_TYPE"},
{"description": "AWS account ID which owns this EC2 instance","name": "account_id","options": {},"type": "TEXT_TYPE"},
{"description": "SSH public key. Only available if supplied at instance launch time","name": "ssh_public_key","options": {},"type": "TEXT_TYPE"}
],
"description": "EC2 instance metadata.",
"examples": [
"select * from ec2_instance_metadata"
],
"foreign_keys": [],
"function": "genEc2Metadata",
"name": "ec2_instance_metadata",
"profile": {}
},
{
"attributes": {
"kernel_required": true
},
"blacklisted": false,
"columns": [
{"description": "0 or 1, for whether a syscall table pointer is modified","name": "sycall_addr_modified","options": {},"type": "INTEGER_TYPE"},
{"description": "Hash value for the kernel's .text memory segment","name": "text_segment_hash","options": {},"type": "TEXT_TYPE"}
],
"description": "Various Linux kernel integrity checked attributes.",
"examples": [],
"foreign_keys": [],
"function": "genKernelIntegrity",
"name": "kernel_integrity",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Section name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Section type","name": "type","options": {},"type": "INTEGER_TYPE"},
{"description": "Section virtual address in memory","name": "vaddr","options": {},"type": "INTEGER_TYPE"},
{"description": "Offset of section in file","name": "offset","options": {},"type": "INTEGER_TYPE"},
{"description": "Size of section","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "Section attributes","name": "flags","options": {},"type": "TEXT_TYPE"},
{"description": "Link to other section","name": "link","options": {},"type": "TEXT_TYPE"},
{"description": "Segment alignment","name": "align","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to ELF file","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"}
],
"description": "ELF section information.",
"examples": [
"select * from elf_sections where path = '/usr/bin/grep'"
],
"foreign_keys": [],
"function": "getELFSections",
"name": "elf_sections",
"profile": {}
}
]
},
{
"key": "darwin",
"name": "Darwin (Apple OS X)",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Is the Event Tap enabled","name": "enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Unique ID for the Tap","name": "event_tap_id","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "The mask that identifies the set of events to be observed.","name": "event_tapped","options": {},"type": "TEXT_TYPE"},
{"description": "The process ID of the target application","name": "process_being_tapped","options": {},"type": "INTEGER_TYPE"},
{"description": "The process ID of the application that created the event tap.","name": "tapping_process","options": {},"type": "INTEGER_TYPE"}
],
"description": "Returns information about installed event taps.",
"examples": [],
"foreign_keys": [],
"function": "genEventTaps",
"name": "event_taps",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Path of the file returned from spotlight","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The query that was run to find the file","name": "query","options": {},"type": "TEXT_TYPE"}
],
"description": "Run searches against the spotlight database.",
"examples": [
"select count(*) from mdfind where query = 'kMDItemTextContent == \"osquery\"';select * from mdfind where query = 'kMDItemDisplayName == \"rook.stl\"';",
"select * from mdfind where query in ('kMDItemDisplayName == \"rook.stl\"', 'kMDItemDisplayName == \"video.mp4\"')"
],
"foreign_keys": [],
"function": "genMdfindResults",
"name": "mdfind",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Time Machine destination ID","name": "destination_id","options": {},"type": "TEXT_TYPE"},
{"description": "Backup Date","name": "backup_date","options": {},"type": "INTEGER_TYPE"}
],
"description": "Backups to drives using TimeMachine.",
"examples": [
"select alias, backup_date, td.destination_id, root_volume_uuid, encryption from time_machine_backups tb join time_machine_destinations td on (td.destination_id=tb.destination_id);"
],
"foreign_keys": [],
"function": "genTimeMachineBackups",
"name": "time_machine_backups",
"profile": {}
},
{
"attributes": {
"cacheable": false
},
"blacklisted": false,
"columns": [
{"description": "Name of the interface","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "SSID octets of the network","name": "ssid","options": {},"type": "TEXT_TYPE"},
{"description": "The current basic service set identifier","name": "bssid","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the network","name": "network_name","options": {},"type": "TEXT_TYPE"},
{"description": "The country code (ISO/IEC 3166-1:1997) for the network","name": "country_code","options": {},"type": "TEXT_TYPE"},
{"description": "The current received signal strength indication (dbm)","name": "rssi","options": {},"type": "INTEGER_TYPE"},
{"description": "The current noise measurement (dBm)","name": "noise","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel number","name": "channel","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel width","name": "channel_width","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel band","name": "channel_band","options": {},"type": "INTEGER_TYPE"}
],
"description": "Scan for nearby WiFi networks.",
"examples": [],
"foreign_keys": [],
"function": "genWifiScan",
"name": "wifi_survey",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "The path of the keychain","name": "keychain_path","options": {},"type": "TEXT_TYPE"},
{"description": "A space delimited set of authorization attributes","name": "authorizations","options": {},"type": "TEXT_TYPE"},
{"description": "The path of the authorized application","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The description included with the ACL entry","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "An optional label tag that may be included with the keychain entry","name": "label","options": {},"type": "TEXT_TYPE"}
],
"description": "Applications that have ACL entries in the keychain.",
"examples": [
"select label, description, authorizations, path, count(path) as c from keychain_acls where label != '' and path != '' group by label having c > 1;"
],
"foreign_keys": [],
"function": "genKeychainACLApps",
"name": "keychain_acls",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the printer","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Option name","name": "option_name","options": {},"type": "TEXT_TYPE"},
{"description": "Option value","name": "option_value","options": {},"type": "TEXT_TYPE"}
],
"description": "Returns all configured printers.",
"examples": [],
"foreign_keys": [],
"function": "genCupsDestinations",
"name": "cups_destinations",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the extension","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Extension display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension identifier","name": "identifier","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Extension long version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Bundle SDK used to compile extension","name": "sdk","options": {},"type": "TEXT_TYPE"},
{"description": "Extension-supplied update URI","name": "update_url","options": {},"type": "TEXT_TYPE"},
{"description": "Optional extension author","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "Optional developer identifier","name": "developer_id","options": {},"type": "TEXT_TYPE"},
{"description": "Optional extension description text","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Path to extension XAR bundle","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Safari browser extension details for all users.",
"examples": [
"select count(*) from users JOIN safari_extensions using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genSafariExtensions",
"name": "safari_extensions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "1 If allow signed mode is enabled else 0","name": "allow_signed_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If firewall unloading enabled else 0","name": "firewall_unload","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0","name": "global_state","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If logging mode is enabled else 0","name": "logging_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Firewall logging option","name": "logging_option","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If stealth mode is enabled else 0","name": "stealth_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Application Layer Firewall version","name": "version","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X application layer firewall (ALF) service details.",
"examples": [],
"foreign_keys": [],
"function": "genALF",
"name": "alf",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The System Integrity Protection config flag","name": "config_flag","options": {},"type": "TEXT_TYPE"},
{"description": "1 if this configuration is enabled, otherwise 0","name": "enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if this configuration is enabled, otherwise 0","name": "enabled_nvram","options": {},"type": "INTEGER_TYPE"}
],
"description": "Apple's System Integrity Protection (rootless) status.",
"examples": [
"select * from sip_config"
],
"foreign_keys": [],
"function": "genSIPConfig",
"name": "sip_config",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Firewalled service name","name": "service","options": {},"type": "TEXT_TYPE"},
{"description": "Process name","name": "process","options": {},"type": "TEXT_TYPE"},
{"description": "Firewall service state","name": "state","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS X application layer firewall (Firewall) services.",
"examples": [],
"foreign_keys": [],
"function": "genALFServices",
"name": "alf_services",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Unix timestamp. Set automatically","name": "time","options": {},"type": "INTEGER_TYPE"},
{"description": "Nanosecond time.","name": "time_nano_sec","options": {},"type": "INTEGER_TYPE"},
{"description": "Sender's address (set by the server).","name": "host","options": {},"type": "TEXT_TYPE"},
{"description": "Sender's identification string. Default is process name.","name": "sender","options": {},"type": "TEXT_TYPE"},
{"description": "Sender's facility. Default is 'user'.","name": "facility","options": {},"type": "TEXT_TYPE"},
{"description": "Sending process ID encoded as a string. Set automatically.","name": "pid","options": {},"type": "INTEGER_TYPE"},
{"description": "GID that sent the log message (set by the server).","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "UID that sent the log message (set by the server).","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Log level number. See levels in asl.h.","name": "level","options": {},"type": "INTEGER_TYPE"},
{"description": "Message text.","name": "message","options": {},"type": "TEXT_TYPE"},
{"description": "Reference PID for messages proxied by launchd","name": "ref_pid","options": {},"type": "INTEGER_TYPE"},
{"description": "Reference process for messages proxied by launchd","name": "ref_proc","options": {},"type": "TEXT_TYPE"},
{"description": "Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.","name": "extra","options": {},"type": "TEXT_TYPE"}
],
"description": "Queries the Apple System Log data structure for system events.",
"examples": [],
"foreign_keys": [],
"function": "genAsl",
"name": "asl",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Label of the authorization right","name": "label","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Authorization plugin name","name": "plugin","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the mechanism that will be called","name": "mechanism","options": {},"type": "TEXT_TYPE"},
{"description": "If privileged it will run as root, else as an anonymous user","name": "privileged","options": {},"type": "TEXT_TYPE"},
{"description": "The whole string entry","name": "entry","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X Authorization mechanisms database.",
"examples": [
"select * from authorization_mechanisms;",
"select * from authorization_mechanisms where label = 'system.login.console';",
"select * from authorization_mechanisms where label = 'authenticate';"
],
"foreign_keys": [],
"function": "genAuthorizationMechanisms",
"name": "authorization_mechanisms",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Item name, usually in reverse domain format","name": "label","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "modified","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "allow_root","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "timeout","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "tries","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "authenticate_user","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "shared","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "comment","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "created","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "Label top-level key","name": "session_owner","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X Authorization rights database.",
"examples": [
"select * from authorizations;",
"select * from authorizations where label = 'system.login.console';",
"select * from authorizations where label = 'authenticate';",
"select * from authorizations where label = 'system.preferences.softwareupdate';"
],
"foreign_keys": [],
"function": "genAuthorizations",
"name": "authorizations",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Description of XProtected malware","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Action taken by user after prompted","name": "user_action","options": {},"type": "TEXT_TYPE"},
{"description": "Quarantine alert time","name": "time","options": {},"type": "TEXT_TYPE"}
],
"description": "Database of XProtect matches (if user generated/sent an XProtect report).",
"examples": [],
"foreign_keys": [],
"function": "genXProtectReports",
"name": "xprotect_reports",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Must provide a path or directory","name": "path","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Set to 1 to also hash resources, or 0 otherwise. Default is 1","name": "hash_resources","options": {},"type": "INTEGER_TYPE"},
{"description": "If applicable, the arch of the signed code","name": "arch","options": {},"type": "TEXT_TYPE"},
{"description": "1 If the file is signed else 0","name": "signed","options": {},"type": "INTEGER_TYPE"},
{"description": "The signing identifier sealed into the signature","name": "identifier","options": {},"type": "TEXT_TYPE"},
{"description": "Hash of the application Code Directory","name": "cdhash","options": {},"type": "TEXT_TYPE"},
{"description": "The team signing identifier sealed into the signature","name": "team_identifier","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate Common Name","name": "authority","options": {},"type": "TEXT_TYPE"}
],
"description": "File (executable, bundle, installer, disk) code signing status.",
"examples": [
"SELECT * FROM signature WHERE path = '/bin/ls'",
"SELECT * FROM signature WHERE path = '/Applications/Xcode.app' AND hash_resources=0",
"SELECT * FROM (SELECT path, MIN(signed) AS all_signed, MIN(CASE WHEN authority = 'Software Signing' AND signed = 1 THEN 1 ELSE 0 END) AS all_signed_by_apple FROM signature WHERE path LIKE '/bin/%' GROUP BY path);"
],
"foreign_keys": [],
"function": "genSignature",
"name": "signature",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Default name of the node","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Best matching device class (most-specific category)","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "IOKit internal registry ID","name": "id","options": {},"type": "BIGINT_TYPE"},
{"description": "Parent registry ID","name": "parent","options": {},"type": "BIGINT_TYPE"},
{"description": "1 if the node is in a busy state else 0","name": "busy_state","options": {},"type": "INTEGER_TYPE"},
{"description": "The node reference count","name": "retain_count","options": {},"type": "INTEGER_TYPE"},
{"description": "Node nested depth","name": "depth","options": {},"type": "INTEGER_TYPE"}
],
"description": "The full IOKit registry without selecting a plane.",
"examples": [],
"foreign_keys": [],
"function": "genIOKitRegistry",
"name": "iokit_registry",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Name of the interface","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "SSID octets of the network","name": "ssid","options": {},"type": "TEXT_TYPE"},
{"description": "The current basic service set identifier","name": "bssid","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the network","name": "network_name","options": {},"type": "TEXT_TYPE"},
{"description": "The country code (ISO/IEC 3166-1:1997) for the network","name": "country_code","options": {},"type": "TEXT_TYPE"},
{"description": "Type of security on this network","name": "security_type","options": {},"type": "TEXT_TYPE"},
{"description": "The current received signal strength indication (dbm)","name": "rssi","options": {},"type": "INTEGER_TYPE"},
{"description": "The current noise measurement (dBm)","name": "noise","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel number","name": "channel","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel width","name": "channel_width","options": {},"type": "INTEGER_TYPE"},
{"description": "Channel band","name": "channel_band","options": {},"type": "INTEGER_TYPE"},
{"description": "The current transmit rate","name": "transmit_rate","options": {},"type": "TEXT_TYPE"},
{"description": "The current operating mode for the Wi-Fi interface","name": "mode","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X current WiFi status.",
"examples": [],
"foreign_keys": [],
"function": "genWifiStatus",
"name": "wifi_status",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "UTI-format bundle or label ID","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "Sandbox owner","name": "user","options": {},"type": "TEXT_TYPE"},
{"description": "Application sandboxings enabled on container","name": "enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Sandbox-specific identifier","name": "build_id","options": {},"type": "TEXT_TYPE"},
{"description": "Application bundle used by the sandbox","name": "bundle_path","options": {},"type": "TEXT_TYPE"},
{"description": "Path to sandbox container directory","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X application sandboxes container details.",
"examples": [],
"foreign_keys": [],
"function": "genSandboxContainers",
"name": "sandboxes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "System or manager-chosen domain key","name": "domain","options": {},"type": "TEXT_TYPE"},
{"description": "Optional UUID assigned to policy set","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Policy key name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Policy value","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "Policy applies only this user","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "1 if policy was loaded manually, otherwise 0","name": "manual","options": {},"type": "INTEGER_TYPE"}
],
"description": "The managed configuration policies from AD, MDM, MCX, etc.",
"examples": [],
"foreign_keys": [],
"function": "genManagedPolicies",
"name": "managed_policies",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Filesystem path to the share","name": "share","options": {},"type": "TEXT_TYPE"},
{"description": "Options string set on the export share","name": "options","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the share is exported readonly else 0","name": "readonly","options": {},"type": "INTEGER_TYPE"}
],
"description": "NFS shares exported by the host.",
"examples": [],
"foreign_keys": [],
"function": "genNFSShares",
"name": "nfs_shares",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The SMC key on OS X","name": "key","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Name of temperature source","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Temperature in Celsius","name": "celsius","options": {},"type": "DOUBLE_TYPE"},
{"description": "Temperature in Fahrenheit","name": "fahrenheit","options": {},"type": "DOUBLE_TYPE"}
],
"description": "Machine's temperature sensors.",
"examples": [],
"foreign_keys": [
{"column": "key","table": "smc_keys"}
],
"function": "genTemperatureSensors",
"name": "temperature_sensors",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Type of device","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "The device name","name": "device","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Firmware version","name": "version","options": {},"type": "TEXT_TYPE"}
],
"description": "A best-effort list of discovered firmware versions.",
"examples": [],
"foreign_keys": [],
"function": "genDeviceFirmware",
"name": "device_firmware",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Browser plugin or extension identifier","name": "identifier","options": {},"type": "TEXT_TYPE"},
{"description": "Either plugin or extension","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Developer identity (SHA1) of extension","name": "developer_id","options": {},"type": "TEXT_TYPE"},
{"description": "The minimum allowed plugin version.","name": "min_version","options": {},"type": "TEXT_TYPE"}
],
"description": "Database of the machine's XProtect browser-related signatures.",
"examples": [],
"foreign_keys": [],
"function": "genXProtectMeta",
"name": "xprotect_meta",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Daemon or agent service name","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the override key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Overriden value","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "User ID applied to the override, 0 applies to all","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Path to daemon or agent plist","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Override keys, per user, for LaunchDaemons and Agents.",
"examples": [],
"foreign_keys": [],
"function": "genLaunchdOverrides",
"name": "launchd_overrides",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Path to the executable that is excepted","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Firewall exception state","name": "state","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS X application layer firewall (ALF) service exceptions.",
"examples": [],
"foreign_keys": [],
"function": "genALFExceptions",
"name": "alf_exceptions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The SMC key on OS X","name": "key","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "The sensor category: currents, voltage, wattage","name": "category","options": {},"type": "TEXT_TYPE"},
{"description": "Name of power source","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Power in Watts","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Machine power (currents, voltages, wattages, etc) sensors.",
"examples": [
"select * from power_sensors where category = 'voltage'"
],
"foreign_keys": [
{"column": "key","table": "smc_keys"}
],
"function": "genPowerSensors",
"name": "power_sensors",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "1 If screen sharing is enabled else 0","name": "screen_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If file sharing is enabled else 0","name": "file_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If printer sharing is enabled else 0","name": "printer_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If remote login is enabled else 0","name": "remote_login","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If remote management is enabled else 0","name": "remote_management","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If remote apple events are enabled else 0","name": "remote_apple_events","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If internet sharing is enabled else 0","name": "internet_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If bluetooth sharing is enabled for any user else 0","name": "bluetooth_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If CD or DVD sharing is enabled else 0","name": "disc_sharing","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If content caching is enabled else 0","name": "content_caching","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS X Sharing preferences.",
"examples": [],
"foreign_keys": [],
"function": "genSharingPreferences",
"name": "sharing_preferences",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process name explicitly allowed","name": "process","options": {},"type": "TEXT_TYPE"}
],
"description": "ALF services explicitly allowed to perform networking.",
"examples": [],
"foreign_keys": [],
"function": "genALFExplicitAuths",
"name": "alf_explicit_auths",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Label packageIdentifiers","name": "package_id","options": {},"type": "TEXT_TYPE"},
{"description": "Label date as UNIX timestamp","name": "time","options": {},"type": "INTEGER_TYPE"},
{"description": "Package display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package display version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Install source: usually the installer process name","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Package content_type (optional)","name": "content_type","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X package install history.",
"examples": [],
"foreign_keys": [],
"function": "genPackageInstallHistory",
"name": "package_install_history",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The OS X-specific configuration name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Active Directory trust domain","name": "domain","options": {},"type": "TEXT_TYPE"},
{"description": "Canonical name of option","name": "option","options": {},"type": "TEXT_TYPE"},
{"description": "Variable typed option value","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X Active Directory configuration.",
"examples": [],
"foreign_keys": [],
"function": "genADConfig",
"name": "ad_config",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Path to daemon or agent plist","name": "path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "File name of plist (used by launchd)","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Daemon or agent service name","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "Path to target program","name": "program","options": {},"type": "TEXT_TYPE"},
{"description": "Should the program run on launch load","name": "run_at_load","options": {},"type": "TEXT_TYPE"},
{"description": "Should the process be restarted if killed","name": "keep_alive","options": {},"type": "TEXT_TYPE"},
{"description": "Deprecated key, replaced by keep_alive","name": "on_demand","options": {},"type": "TEXT_TYPE"},
{"description": "Skip loading this daemon or agent on boot","name": "disabled","options": {},"type": "TEXT_TYPE"},
{"description": "Run this daemon or agent as this username","name": "username","options": {},"type": "TEXT_TYPE"},
{"description": "Run this daemon or agent as this group","name": "groupname","options": {},"type": "TEXT_TYPE"},
{"description": "Pipe stdout to a target path","name": "stdout_path","options": {},"type": "TEXT_TYPE"},
{"description": "Pipe stderr to a target path","name": "stderr_path","options": {},"type": "TEXT_TYPE"},
{"description": "Frecuency of running in seconds","name": "start_interval","options": {},"type": "TEXT_TYPE"},
{"description": "Command line arguments passed to program","name": "program_arguments","options": {},"type": "TEXT_TYPE"},
{"description": "Key that launches daemon or agent if path is modified","name": "watch_paths","options": {},"type": "TEXT_TYPE"},
{"description": "Similar to watch_paths but only with non-empty directories","name": "queue_directories","options": {},"type": "TEXT_TYPE"},
{"description": "Run this daemon or agent as it was launched from inetd","name": "inetd_compatibility","options": {},"type": "TEXT_TYPE"},
{"description": "Run daemon or agent every time a filesystem is mounted","name": "start_on_mount","options": {},"type": "TEXT_TYPE"},
{"description": "Key used to specify a directory to chroot to before launch","name": "root_directory","options": {},"type": "TEXT_TYPE"},
{"description": "Key used to specify a directory to chdir to before launch","name": "working_directory","options": {},"type": "TEXT_TYPE"},
{"description": "Key describes the intended purpose of the job","name": "process_type","options": {},"type": "TEXT_TYPE"}
],
"description": "LaunchAgents and LaunchDaemons from default search paths.",
"examples": [],
"foreign_keys": [],
"function": "genLaunchd",
"name": "launchd",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Description of XProtected malware","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Launch services content type","name": "launch_type","options": {},"type": "TEXT_TYPE"},
{"description": "XProtect identity (SHA1) of content","name": "identity","options": {},"type": "TEXT_TYPE"},
{"description": "Use this file name to match","name": "filename","options": {},"type": "TEXT_TYPE"},
{"description": "Use this file type to match","name": "filetype","options": {},"type": "TEXT_TYPE"},
{"description": "Match any of the identities/patterns for this XProtect name","name": "optional","options": {},"type": "INTEGER_TYPE"},
{"description": "Uses a match pattern instead of identity","name": "uses_pattern","options": {},"type": "INTEGER_TYPE"}
],
"description": "Database of the machine's XProtect signatures.",
"examples": [],
"foreign_keys": [],
"function": "genXProtectEntries",
"name": "xprotect_entries",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Package name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package install path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Current 'linked' version","name": "version","options": {},"type": "TEXT_TYPE"}
],
"description": "The installed homebrew package database.",
"examples": [],
"foreign_keys": [],
"function": "genHomebrewPackages",
"name": "homebrew_packages",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "Application ID usually in com.name.product format","name": "domain","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Preference top-level key","name": "key","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Intemediate key path, includes lists/dicts","name": "subkey","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "String value of most CF types","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the value is forced/managed, else 0","name": "forced","options": {},"type": "INTEGER_TYPE"},
{"description": "(optional) read preferences for a specific user","name": "username","options": {"additional": true},"type": "TEXT_TYPE"},
{"description": "'current' or 'any' host, where 'current' takes precedence","name": "host","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X defaults and managed preferences.",
"examples": [
"select * from preferences where domain = 'loginwindow'",
"select preferences.* from users join preferences using (username)"
],
"foreign_keys": [],
"function": "genOSXDefaultPreferences",
"name": "preferences",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Extension load tag or index","name": "idx","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "Reference count","name": "refs","options": {},"type": "INTEGER_TYPE"},
{"description": "Bytes of wired memory used by extension","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Extension label","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Indexes of extensions this extension is linked against","name": "linked_against","options": {},"type": "TEXT_TYPE"},
{"description": "Optional path to extension bundle","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X's kernel extensions, both loaded and within the load search path.",
"examples": [],
"foreign_keys": [],
"function": "genKernelExtensions",
"name": "kernel_extensions",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Absolute file path","name": "path","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Directory of file(s)","name": "directory","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Name of the value generated from the extended attribute","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "The parsed information from the attribute","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the value is base64 encoded else 0","name": "base64","options": {},"type": "INTEGER_TYPE"}
],
"description": "Returns the extended attributes for files (similar to Windows ADS).",
"examples": [],
"foreign_keys": [],
"function": "genXattr",
"name": "extended_attributes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Title of the printed job","name": "title","options": {},"type": "TEXT_TYPE"},
{"description": "The printer the job was sent to","name": "destination","options": {},"type": "TEXT_TYPE"},
{"description": "The user who printed the job","name": "user","options": {},"type": "TEXT_TYPE"},
{"description": "The format of the print job","name": "format","options": {},"type": "TEXT_TYPE"},
{"description": "The size of the print job","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "When the job completed printing","name": "completed_time","options": {},"type": "INTEGER_TYPE"},
{"description": "How long the job took to process","name": "processing_time","options": {},"type": "INTEGER_TYPE"},
{"description": "When the print request was initiated","name": "creation_time","options": {},"type": "INTEGER_TYPE"}
],
"description": "Returns all completed print jobs from cups.",
"examples": [],
"foreign_keys": [],
"function": "genCupsJobs",
"name": "cups_jobs",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Total number of free pages.","name": "free","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of active pages.","name": "active","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of inactive pages.","name": "inactive","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of speculative pages.","name": "speculative","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of throttled pages.","name": "throttled","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of wired down pages.","name": "wired","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of purgeable pages.","name": "purgeable","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of calls to vm_faults.","name": "faults","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of copy-on-write pages.","name": "copy","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of zero filled pages.","name": "zero_fill","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of reactivated pages.","name": "reactivated","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of purged pages.","name": "purged","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of file backed pages.","name": "file_backed","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of anonymous pages.","name": "anonymous","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of uncompressed pages.","name": "uncompressed","options": {},"type": "BIGINT_TYPE"},
{"description": "The number of pages used to store compressed VM pages.","name": "compressor","options": {},"type": "BIGINT_TYPE"},
{"description": "The total number of pages that have been decompressed by the VM compressor.","name": "decompressed","options": {},"type": "BIGINT_TYPE"},
{"description": "The total number of pages that have been compressed by the VM compressor.","name": "compressed","options": {},"type": "BIGINT_TYPE"},
{"description": "The total number of requests for pages from a pager.","name": "page_ins","options": {},"type": "BIGINT_TYPE"},
{"description": "Total number of pages paged out.","name": "page_outs","options": {},"type": "BIGINT_TYPE"},
{"description": "The total number of compressed pages that have been swapped out to disk.","name": "swap_ins","options": {},"type": "BIGINT_TYPE"},
{"description": "The total number of compressed pages that have been swapped back in from disk.","name": "swap_outs","options": {},"type": "BIGINT_TYPE"}
],
"description": "Darwin Virtual Memory statistics.",
"examples": [
"select * from virtual_memory_info;"
],
"foreign_keys": [],
"function": "genVirtualMemoryInfo",
"name": "virtual_memory_info",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The battery manufacturer's name","name": "manufacturer","options": {},"type": "TEXT_TYPE"},
{"description": "The date the battery was manufactured UNIX Epoch","name": "manufacture_date","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery's model number","name": "model","options": {},"type": "TEXT_TYPE"},
{"description": "The battery\u2019s unique serial number","name": "serial_number","options": {},"type": "TEXT_TYPE"},
{"description": "The number of charge/discharge cycles","name": "cycle_count","options": {},"type": "INTEGER_TYPE"},
{"description": "One of the following: \"Good\" describes a well-performing battery, \"Fair\" describes a functional battery with limited capacity, or \"Poor\" describes a battery that's not capable of providing power","name": "health","options": {},"type": "TEXT_TYPE"},
{"description": "One of the following: \"Normal\" indicates the condition of the battery is within normal tolerances, \"Service Needed\" indicates that the battery should be checked out by a licensed Mac repair service, \"Permanent Failure\" indicates the battery needs replacement","name": "condition","options": {},"type": "TEXT_TYPE"},
{"description": "One of the following: \"AC Power\" indicates the battery is connected to an external power source, \"Battery Power\" indicates that the battery is drawing internal power, \"Off Line\" indicates the battery is off-line or no longer connected","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the battery is currently being charged by a power source. 0 otherwise","name": "charging","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if the battery is currently completely charged. 0 otherwise","name": "charged","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery's designed capacity in mAh","name": "designed_capacity","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery's actual capacity when it is fully charged in mAh","name": "max_capacity","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery\u2019s current charged capacity in mAh","name": "current_capacity","options": {},"type": "INTEGER_TYPE"},
{"description": "The percentage of battery remaining before it is drained","name": "percent_remaining","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery\u2019s current amperage in mA","name": "amperage","options": {},"type": "INTEGER_TYPE"},
{"description": "The battery\u2019s current voltage in mV","name": "voltage","options": {},"type": "INTEGER_TYPE"},
{"description": "The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated","name": "minutes_until_empty","options": {},"type": "INTEGER_TYPE"},
{"description": "The number of minutes until the battery is fully charged. This value is -1 if this time is still being calculated","name": "minutes_to_full_charge","options": {},"type": "INTEGER_TYPE"}
],
"description": "Provides information about the internal battery of a Macbook.",
"examples": [],
"foreign_keys": [],
"function": "genBatteryInfo",
"name": "battery",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Path of file","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Quicklook file rowid key","name": "rowid","options": {},"type": "INTEGER_TYPE"},
{"description": "Quicklook file fs_id key","name": "fs_id","options": {},"type": "TEXT_TYPE"},
{"description": "Parsed volume ID from fs_id","name": "volume_id","options": {},"type": "INTEGER_TYPE"},
{"description": "Parsed file ID (inode) from fs_id","name": "inode","options": {},"type": "INTEGER_TYPE"},
{"description": "Parsed version date field","name": "mtime","options": {},"type": "INTEGER_TYPE"},
{"description": "Parsed version size field","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Parsed version 'gen' field","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "Apple date format for last thumbnail cache hit","name": "last_hit_date","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of cache hits on thumbnail","name": "hit_count","options": {},"type": "TEXT_TYPE"},
{"description": "Thumbnail icon mode","name": "icon_mode","options": {},"type": "BIGINT_TYPE"},
{"description": "Path to cache data","name": "cache_path","options": {},"type": "TEXT_TYPE"}
],
"description": "Files and thumbnails within OS X's Quicklook Cache.",
"examples": [],
"foreign_keys": [],
"function": "genQuicklookCache",
"name": "quicklook_cache",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Appear or disappear","name": "action","options": {},"type": "TEXT_TYPE"},
{"description": "Path of the DMG file accessed","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Disk event name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Disk event BSD name","name": "device","options": {},"type": "TEXT_TYPE"},
{"description": "UUID of the volume inside DMG if available","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Size of partition in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "1 if ejectable, 0 if not","name": "ejectable","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if mountable, 0 if not","name": "mountable","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if writable, 0 if not","name": "writable","options": {},"type": "INTEGER_TYPE"},
{"description": "Disk event content","name": "content","options": {},"type": "TEXT_TYPE"},
{"description": "Disk event media name string","name": "media_name","options": {},"type": "TEXT_TYPE"},
{"description": "Disk event vendor string","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Filesystem if available","name": "filesystem","options": {},"type": "TEXT_TYPE"},
{"description": "UDIF Master checksum if available (CRC32)","name": "checksum","options": {},"type": "TEXT_TYPE"},
{"description": "Time of appearance/disappearance in UNIX time","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "Event ID","name": "eid","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Track DMG disk image events (appearance/disappearance) when opened.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "disk_events",
"profile": {}
},
{
"attributes": {
"event_subscriber": true
},
"blacklisted": false,
"columns": [
{"description": "Time","name": "time","options": {},"type": "BIGINT_TYPE"}
],
"description": "Track user interaction events from macOS' event tapping framework.",
"examples": [],
"foreign_keys": [],
"function": "genTable",
"name": "user_interaction_events",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Location of log file","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Formatted time of the event","name": "time","options": {},"type": "TEXT_TYPE"},
{"description": "A space delimited line of register:value pairs","name": "registers","options": {},"type": "TEXT_TYPE"},
{"description": "Backtrace of the crashed module","name": "frame_backtrace","options": {},"type": "TEXT_TYPE"},
{"description": "Modules appearing in the crashed module's backtrace","name": "module_backtrace","options": {},"type": "TEXT_TYPE"},
{"description": "Module dependencies existing in crashed module's backtrace","name": "dependencies","options": {},"type": "TEXT_TYPE"},
{"description": "Process name corresponding to crashed thread","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Version of the operating system","name": "os_version","options": {},"type": "TEXT_TYPE"},
{"description": "Version of the system kernel","name": "kernel_version","options": {},"type": "TEXT_TYPE"},
{"description": "Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'","name": "system_model","options": {},"type": "TEXT_TYPE"},
{"description": "System uptime at kernel panic in nanoseconds","name": "uptime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last loaded module before panic","name": "last_loaded","options": {},"type": "TEXT_TYPE"},
{"description": "Last unloaded module before panic","name": "last_unloaded","options": {},"type": "TEXT_TYPE"}
],
"description": "System kernel panic logs.",
"examples": [],
"foreign_keys": [],
"function": "genKernelPanics",
"name": "kernel_panics",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Path of executable allowed to run","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Code signing requirement language","name": "requirement","options": {},"type": "TEXT_TYPE"},
{"description": "Last change time","name": "ctime","options": {},"type": "DOUBLE_TYPE"},
{"description": "Last modification time","name": "mtime","options": {},"type": "DOUBLE_TYPE"}
],
"description": "Gatekeeper apps a user has allowed to run.",
"examples": [],
"foreign_keys": [],
"function": "genGateKeeperApprovedApps",
"name": "gatekeeper_approved_apps",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "SSID octets of the network","name": "ssid","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the network","name": "network_name","options": {},"type": "TEXT_TYPE"},
{"description": "Type of security on this network","name": "security_type","options": {},"type": "TEXT_TYPE"},
{"description": "Last time this netword was connected to as a unix_time","name": "last_connected","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if Passpoint is supported, 0 otherwise","name": "passpoint","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if network is possibly a hidden network, 0 otherwise","name": "possibly_hidden","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if roaming is supported, 0 otherwise","name": "roaming","options": {},"type": "INTEGER_TYPE"},
{"description": "Describe the roaming profile, usually one of Single, Dual or Multi","name": "roaming_profile","options": {},"type": "TEXT_TYPE"},
{"description": "1 if this network has a captive portal, 0 otherwise","name": "captive_portal","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if auto login is enabled, 0 otherwise","name": "auto_login","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if this network is temporarily disabled, 0 otherwise","name": "temporarily_disabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if this network is disabled, 0 otherwise","name": "disabled","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS X known/remembered Wi-Fi networks list.",
"examples": [],
"foreign_keys": [],
"function": "genKnownWifiNetworks",
"name": "wifi_networks",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the plugin","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Plugin display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Plugin identifier","name": "identifier","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Plugin short version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Build SDK used to compile plugin","name": "sdk","options": {},"type": "TEXT_TYPE"},
{"description": "Plugin description text","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Plugin language-localization","name": "development_region","options": {},"type": "TEXT_TYPE"},
{"description": "Plugin requires native execution","name": "native","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to plugin bundle","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Is the plugin disabled. 1 = Disabled","name": "disabled","options": {},"type": "INTEGER_TYPE"}
],
"description": "All C/NPAPI browser plugin details for all users.",
"examples": [
"select * from users join browser_plugins using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genBrowserPlugins",
"name": "browser_plugins",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Fan number","name": "fan","options": {},"type": "TEXT_TYPE"},
{"description": "Fan name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Actual speed","name": "actual","options": {},"type": "INTEGER_TYPE"},
{"description": "Minimum speed","name": "min","options": {},"type": "INTEGER_TYPE"},
{"description": "Maximum speed","name": "max","options": {},"type": "INTEGER_TYPE"},
{"description": "Target speed","name": "target","options": {},"type": "INTEGER_TYPE"}
],
"description": "Fan speeds.",
"examples": [],
"foreign_keys": [],
"function": "genFanSpeedSensors",
"name": "fan_speed_sensors",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package file or directory","name": "filepath","options": {},"type": "TEXT_TYPE"},
{"description": "Expected user of file or directory","name": "uid","options": {},"type": "INTEGER_TYPE"},
{"description": "Expected group of file or directory","name": "gid","options": {},"type": "INTEGER_TYPE"},
{"description": "Expected permissions","name": "mode","options": {},"type": "INTEGER_TYPE"},
{"description": "Expected file size","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Timestamp the file was installed","name": "modified_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Path of package bom","name": "path","options": {"required": true},"type": "TEXT_TYPE"}
],
"description": "OS X package bill of materials (BOM) file list.",
"examples": [
"select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'"
],
"foreign_keys": [],
"function": "genPackageBOM",
"name": "package_bom",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "4-character key","name": "key","options": {"additional": true,"index": true},"type": "TEXT_TYPE"},
{"description": "SMC-reported type literal type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Reported size of data in bytes","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "A type-encoded representation of the key value","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "1 if this key is normally hidden, otherwise 0","name": "hidden","options": {},"type": "INTEGER_TYPE"}
],
"description": "Apple's system management controller keys.",
"examples": [
"select * from smc_keys where key = 'MOJO'"
],
"foreign_keys": [],
"function": "genSMCKeys",
"name": "smc_keys",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Human readable name of drive","name": "alias","options": {},"type": "TEXT_TYPE"},
{"description": "Time Machine destination ID","name": "destination_id","options": {},"type": "TEXT_TYPE"},
{"description": "Consistency scan date","name": "consistency_scan_date","options": {},"type": "INTEGER_TYPE"},
{"description": "Root UUID of backup volume","name": "root_volume_uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Bytes available on volume","name": "bytes_available","options": {},"type": "INTEGER_TYPE"},
{"description": "Bytes used on volume","name": "bytes_used","options": {},"type": "INTEGER_TYPE"},
{"description": "Last known encrypted state","name": "encryption","options": {},"type": "TEXT_TYPE"}
],
"description": "Locations backed up to using Time Machine.",
"examples": [
"select alias, backup_date, td.destination_id, root_volume_uuid, encryption from time_machine_backups tb join time_machine_destinations td on (td.destination_id=tb.destination_id);"
],
"foreign_keys": [],
"function": "genTimeMachineDestinations",
"name": "time_machine_destinations",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of the scheme/protocol","name": "scheme","options": {},"type": "TEXT_TYPE"},
{"description": "Application label for the handler","name": "handler","options": {},"type": "TEXT_TYPE"},
{"description": "1 if this handler is the OS default, else 0","name": "enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if this handler does NOT exist on OS X by default, else 0","name": "external","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if this handler is protected (reserved) by OS X, else 0","name": "protected","options": {},"type": "INTEGER_TYPE"}
],
"description": "OS X application schemes and handlers (e.g., http, file, mailto).",
"examples": [],
"foreign_keys": [],
"function": "genAppSchemes",
"name": "app_schemes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "1 If a Gatekeeper is enabled else 0","name": "assessments_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If a Gatekeeper allows execution from identified developers else 0","name": "dev_id_enabled","options": {},"type": "INTEGER_TYPE"},
{"description": "Version of Gatekeeper's gke.bundle","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Version of Gatekeeper's gkopaque.bundle","name": "opaque_version","options": {},"type": "TEXT_TYPE"}
],
"description": "OS X Gatekeeper Details.",
"examples": [],
"foreign_keys": [],
"function": "genGateKeeper",
"name": "gatekeeper",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The shared name of the folder as it appears to other users","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Absolute path of shared folder on the local system","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Folders available to others via SMB or AFP.",
"examples": [],
"foreign_keys": [],
"function": "genSharedFolders",
"name": "shared_folders",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package domain identifier","name": "package_id","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Filename of original .pkg file","name": "package_filename","options": {"hidden": true,"index": true},"type": "TEXT_TYPE"},
{"description": "Installed package version","name": "version","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Optional relative install path on volume","name": "location","options": {},"type": "TEXT_TYPE"},
{"description": "Timestamp of install time","name": "install_time","options": {},"type": "DOUBLE_TYPE"},
{"description": "Name of installer process","name": "installer_name","options": {},"type": "TEXT_TYPE"},
{"description": "Path of receipt plist","name": "path","options": {"additional": true},"type": "TEXT_TYPE"}
],
"description": "OS X package receipt details.",
"examples": [
"select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'"
],
"foreign_keys": [],
"function": "genPackageReceipts",
"name": "package_receipts",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "Type of crash log","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Process (or thread) ID of the crashed process","name": "pid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Path to the crashed process","name": "path","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Location of log file","name": "crash_path","options": {},"type": "TEXT_TYPE"},
{"description": "Identifier of the crashed process","name": "identifier","options": {},"type": "TEXT_TYPE"},
{"description": "Version info of the crashed process","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Parent PID of the crashed process","name": "parent","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Process responsible for the crashed process","name": "responsible","options": {},"type": "TEXT_TYPE"},
{"description": "User ID of the crashed process","name": "uid","options": {"additional": true},"type": "INTEGER_TYPE"},
{"description": "Date/Time at which the crash occurred","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "Thread ID which crashed","name": "crashed_thread","options": {},"type": "BIGINT_TYPE"},
{"description": "Most recent frame from the stack trace","name": "stack_trace","options": {},"type": "TEXT_TYPE"},
{"description": "Exception type of the crash","name": "exception_type","options": {},"type": "TEXT_TYPE"},
{"description": "Exception codes from the crash","name": "exception_codes","options": {},"type": "TEXT_TYPE"},
{"description": "Exception notes from the crash","name": "exception_notes","options": {},"type": "TEXT_TYPE"},
{"description": "The value of the system registers","name": "registers","options": {},"type": "TEXT_TYPE"}
],
"description": "Application, System, and Mobile App crash logs.",
"examples": [
"select * from users join crashes using (uid)"
],
"foreign_keys": [],
"function": "genCrashLogs",
"name": "crashes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "User ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "When the account was first created","name": "creation_time","options": {},"type": "DOUBLE_TYPE"},
{"description": "The number of times the user failed to login with the correct password. Resets after a correct password is entered","name": "failed_login_count","options": {},"type": "BIGINT_TYPE"},
{"description": "The time of the last failed login attempt. Resets after a correct password is entered","name": "failed_login_timestamp","options": {},"type": "DOUBLE_TYPE"},
{"description": "The time the password was last changed","name": "password_last_set_time","options": {},"type": "DOUBLE_TYPE"}
],
"description": "Additional OS X user account data from the AccountPolicy section of OpenDirectory.",
"examples": [
"select * from users join account_policy_data using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genAccountPolicyData",
"name": "account_policy_data",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Variable name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Data type (CFData, CFString, etc)","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Raw variable data","name": "value","options": {},"type": "TEXT_TYPE"}
],
"description": "Apple NVRAM variable listing.",
"examples": [],
"foreign_keys": [],
"function": "genNVRAM",
"name": "nvram",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Device node name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Best matching device class (most-specific category)","name": "class","options": {},"type": "TEXT_TYPE"},
{"description": "IOKit internal registry ID","name": "id","options": {},"type": "BIGINT_TYPE"},
{"description": "Parent device registry ID","name": "parent","options": {},"type": "BIGINT_TYPE"},
{"description": "Device tree path","name": "device_path","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the device conforms to IOService else 0","name": "service","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if the device is in a busy state else 0","name": "busy_state","options": {},"type": "INTEGER_TYPE"},
{"description": "The device reference count","name": "retain_count","options": {},"type": "INTEGER_TYPE"},
{"description": "Device nested depth","name": "depth","options": {},"type": "INTEGER_TYPE"}
],
"description": "The IOKit registry matching the DeviceTree plane.",
"examples": [],
"foreign_keys": [],
"function": "genIOKitDeviceTree",
"name": "iokit_devicetree",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Name of the Name.app folder","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Absolute and full Name.app path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleExecutable label","name": "bundle_executable","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleIdentifier label","name": "bundle_identifier","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleName label","name": "bundle_name","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleShortVersionString label","name": "bundle_short_version","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleVersion label","name": "bundle_version","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundlePackageType label","name": "bundle_package_type","options": {},"type": "TEXT_TYPE"},
{"description": "Application-set environment variables","name": "environment","options": {},"type": "TEXT_TYPE"},
{"description": "Does the app identify as a background agent","name": "element","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties DTCompiler label","name": "compiler","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleDevelopmentRegion label","name": "development_region","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleDisplayName label","name": "display_name","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties CFBundleGetInfoString label","name": "info_string","options": {},"type": "TEXT_TYPE"},
{"description": "Minimum version of OS X required for the app to run","name": "minimum_system_version","options": {},"type": "TEXT_TYPE"},
{"description": "The UTI that categorizes the app for the App Store","name": "category","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties NSAppleScriptEnabled label","name": "applescript_enabled","options": {},"type": "TEXT_TYPE"},
{"description": "Info properties NSHumanReadableCopyright label","name": "copyright","options": {},"type": "TEXT_TYPE"},
{"description": "The time that the app was last used","name": "last_opened_time","options": {},"type": "DOUBLE_TYPE"}
],
"description": "OS X applications installed in known search paths (e.g., /Applications).",
"examples": [],
"foreign_keys": [],
"function": "genApps",
"name": "apps",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Generic item name","name": "label","options": {},"type": "TEXT_TYPE"},
{"description": "Optional item description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Optional keychain comment","name": "comment","options": {},"type": "TEXT_TYPE"},
{"description": "Data item was created","name": "created","options": {},"type": "TEXT_TYPE"},
{"description": "Date of last modification","name": "modified","options": {},"type": "TEXT_TYPE"},
{"description": "Keychain item type (class)","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Path to keychain containing item","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Generic details about keychain items.",
"examples": [],
"foreign_keys": [],
"function": "genKeychainItems",
"name": "keychain_items",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Preference top-level key","name": "key","options": {},"type": "TEXT_TYPE"},
{"description": "Intemediate key path, includes lists/dicts","name": "subkey","options": {},"type": "TEXT_TYPE"},
{"description": "String value of most CF types","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "(optional) read preferences from a plist","name": "path","options": {"required": true},"type": "TEXT_TYPE"}
],
"description": "Read and parse a plist file.",
"examples": [
"select * from plist where path = '/Library/Preferences/loginwindow.plist'"
],
"foreign_keys": [],
"function": "genOSXPlist",
"name": "plist",
"profile": {}
}
]
},
{
"key": "specs",
"name": "All Platforms",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Distribution or product name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Pretty, suitable for presentation, OS version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Major release version","name": "major","options": {},"type": "INTEGER_TYPE"},
{"description": "Minor release version","name": "minor","options": {},"type": "INTEGER_TYPE"},
{"description": "Optional patch release","name": "patch","options": {},"type": "INTEGER_TYPE"},
{"description": "Optional build-specific or variant string","name": "build","options": {},"type": "TEXT_TYPE"},
{"description": "OS Platform or ID","name": "platform","options": {},"type": "TEXT_TYPE"},
{"description": "Closely related platforms","name": "platform_like","options": {},"type": "TEXT_TYPE"},
{"description": "OS version codename","name": "codename","options": {},"type": "TEXT_TYPE"}
],
"description": "A single row containing the operating system name and version.",
"examples": [],
"foreign_keys": [],
"function": "genOSVersion",
"name": "os_version",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Platform code vendor","name": "vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Platform code version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Self-reported platform code update date","name": "date","options": {},"type": "TEXT_TYPE"},
{"description": "BIOS major and minor revision","name": "revision","options": {},"type": "TEXT_TYPE"},
{"description": "Relative address of firmware mapping","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "Size in bytes of firmware","name": "size","options": {},"type": "TEXT_TYPE"},
{"description": "(Optional) size of firmware volume","name": "volume_size","options": {},"type": "INTEGER_TYPE"},
{"description": "Platform-specific additional information","name": "extra","options": {},"type": "TEXT_TYPE"}
],
"description": "Information about EFI/UEFI/ROM and platform/boot.",
"examples": [],
"foreign_keys": [],
"function": "genPlatformInfo",
"name": "platform_info",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "IP address mapping","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "Raw hosts mapping","name": "hostnames","options": {},"type": "TEXT_TYPE"}
],
"description": "Line-parsed /etc/hosts.",
"examples": [],
"foreign_keys": [],
"function": "genEtcHosts",
"name": "etc_hosts",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Days of uptime","name": "days","options": {},"type": "INTEGER_TYPE"},
{"description": "Hours of uptime","name": "hours","options": {},"type": "INTEGER_TYPE"},
{"description": "Minutes of uptime","name": "minutes","options": {},"type": "INTEGER_TYPE"},
{"description": "Seconds of uptime","name": "seconds","options": {},"type": "INTEGER_TYPE"},
{"description": "Total uptime seconds","name": "total_seconds","options": {},"type": "BIGINT_TYPE"}
],
"description": "Track time passed since last boot.",
"examples": [],
"foreign_keys": [],
"function": "genUptime",
"name": "uptime",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "User ID","name": "uid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Group ID (unsigned)","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "User ID as int64 signed (Apple)","name": "uid_signed","options": {},"type": "BIGINT_TYPE"},
{"description": "Default group ID as int64 signed (Apple)","name": "gid_signed","options": {},"type": "BIGINT_TYPE"},
{"description": "Username","name": "username","options": {"additional": true},"type": "TEXT_TYPE"},
{"description": "Optional user description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "User's home directory","name": "directory","options": {},"type": "TEXT_TYPE"},
{"description": "User's configured default shell","name": "shell","options": {},"type": "TEXT_TYPE"},
{"description": "User's UUID (Apple) or SID (Windows)","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Whether the account is roaming (domain), local, or a system profile","name": "type","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Local user accounts (including domain accounts that have logged on locally (Windows)).",
"examples": [
"select * from users where uid = 1000",
"select * from users where username = 'root'",
"select count(*) from users u, user_groups ug where u.uid = ug.uid"
],
"foreign_keys": [],
"function": "genUsers",
"name": "users",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Must provide a path or directory","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "Must provide a path or directory","name": "directory","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "MD5 hash of provided filesystem data","name": "md5","options": {},"type": "TEXT_TYPE"},
{"description": "SHA1 hash of provided filesystem data","name": "sha1","options": {},"type": "TEXT_TYPE"},
{"description": "SHA256 hash of provided filesystem data","name": "sha256","options": {},"type": "TEXT_TYPE"},
{"description": "ssdeep hash of provided filesystem data","name": "ssdeep","options": {},"type": "TEXT_TYPE"}
],
"description": "Filesystem hash data.",
"examples": [
"select * from hash where path = '/etc/passwd'",
"select * from hash where directory = '/etc/'"
],
"foreign_keys": [],
"function": "genHash",
"name": "hash",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "Time at which the carve was kicked off","name": "time","options": {},"type": "BIGINT_TYPE"},
{"description": "A SHA256 sum of the carved archive","name": "sha256","options": {},"type": "TEXT_TYPE"},
{"description": "Size of the carved archive","name": "size","options": {},"type": "INTEGER_TYPE"},
{"description": "The path of the requested carve","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED","name": "status","options": {},"type": "TEXT_TYPE"},
{"description": "Identifying value of the carve session","name": "carve_guid","options": {},"type": "TEXT_TYPE"},
{"description": "Set this value to '1' to start a file carve","name": "carve","options": {},"type": "INTEGER_TYPE"}
],
"description": "Forensic Carves.",
"examples": [
"select * from carves where status like '%FAIL%'",
"select * from carves where path like '/Users/%/Downloads/%' and carve=1"
],
"foreign_keys": [],
"function": "genCarves",
"name": "carves",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "INTEGER_TYPE"},
{"description": "Transport layer port","name": "port","options": {},"type": "INTEGER_TYPE"},
{"description": "Transport protocol (TCP/UDP)","name": "protocol","options": {},"type": "INTEGER_TYPE"},
{"description": "Network protocol (IPv4, IPv6)","name": "family","options": {},"type": "INTEGER_TYPE"},
{"description": "Specific address for bind","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "Socket file descriptor number","name": "fd","options": {},"type": "BIGINT_TYPE"},
{"description": "Socket handle or inode number","name": "socket","options": {},"type": "BIGINT_TYPE"},
{"description": "Path for UNIX domain sockets","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "The inode number of the network namespace","name": "net_namespace","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Processes with listening (bound) network sockets/ports.",
"examples": [],
"foreign_keys": [],
"function": "genListeningPorts",
"name": "listening_ports",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Network hostname including domain","name": "hostname","options": {},"type": "TEXT_TYPE"},
{"description": "Unique ID provided by the system","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "CPU type","name": "cpu_type","options": {},"type": "TEXT_TYPE"},
{"description": "CPU subtype","name": "cpu_subtype","options": {},"type": "TEXT_TYPE"},
{"description": "CPU brand string, contains vendor and model","name": "cpu_brand","options": {},"type": "TEXT_TYPE"},
{"description": "Max number of CPU physical cores","name": "cpu_physical_cores","options": {},"type": "INTEGER_TYPE"},
{"description": "Max number of CPU logical cores","name": "cpu_logical_cores","options": {},"type": "INTEGER_TYPE"},
{"description": "Microcode version","name": "cpu_microcode","options": {},"type": "TEXT_TYPE"},
{"description": "Total physical memory in bytes","name": "physical_memory","options": {},"type": "BIGINT_TYPE"},
{"description": "Hardware or board vendor","name": "hardware_vendor","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware or board model","name": "hardware_model","options": {},"type": "TEXT_TYPE"},
{"description": "Hardware or board version","name": "hardware_version","options": {},"type": "TEXT_TYPE"},
{"description": "Device or board serial number","name": "hardware_serial","options": {},"type": "TEXT_TYPE"},
{"description": "Friendly computer name (optional)","name": "computer_name","options": {},"type": "TEXT_TYPE"},
{"description": "Local hostname (optional)","name": "local_hostname","options": {},"type": "TEXT_TYPE"}
],
"description": "System information for identification.",
"examples": [],
"foreign_keys": [],
"function": "genSystemInfo",
"name": "system_info",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "The process path or shorthand argv[0]","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Path to executed binary","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Complete argv","name": "cmdline","options": {},"type": "TEXT_TYPE"},
{"description": "Process state","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "Process current working directory","name": "cwd","options": {},"type": "TEXT_TYPE"},
{"description": "Process virtual root directory","name": "root","options": {},"type": "TEXT_TYPE"},
{"description": "Unsigned user ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Unsigned group ID","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Unsigned effective user ID","name": "euid","options": {},"type": "BIGINT_TYPE"},
{"description": "Unsigned effective group ID","name": "egid","options": {},"type": "BIGINT_TYPE"},
{"description": "Unsigned saved user ID","name": "suid","options": {},"type": "BIGINT_TYPE"},
{"description": "Unsigned saved group ID","name": "sgid","options": {},"type": "BIGINT_TYPE"},
{"description": "The process path exists yes=1, no=0, unknown=-1","name": "on_disk","options": {},"type": "INTEGER_TYPE"},
{"description": "Bytes of unpagable memory used by process","name": "wired_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Bytes of private memory used by process","name": "resident_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Total virtual memory size","name": "total_size","options": {},"type": "BIGINT_TYPE"},
{"description": "CPU time in milliseconds spent in user space","name": "user_time","options": {},"type": "BIGINT_TYPE"},
{"description": "CPU time in milliseconds spent in kernel space","name": "system_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Bytes read from disk","name": "disk_bytes_read","options": {},"type": "BIGINT_TYPE"},
{"description": "Bytes written to disk","name": "disk_bytes_written","options": {},"type": "BIGINT_TYPE"},
{"description": "Process start in seconds since boot (non-sleeping)","name": "start_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Process parent's PID","name": "parent","options": {},"type": "BIGINT_TYPE"},
{"description": "Process group","name": "pgroup","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of threads used by process","name": "threads","options": {},"type": "INTEGER_TYPE"},
{"description": "Process nice level (-20 to 20, default 0)","name": "nice","options": {},"type": "INTEGER_TYPE"},
{"description": "Process uses elevated token yes=1, no=0","name": "is_elevated_token","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","name": "upid","options": {},"type": "BIGINT_TYPE"},
{"description": "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","name": "uppid","options": {},"type": "BIGINT_TYPE"},
{"description": "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system.","name": "cpu_type","options": {},"type": "INTEGER_TYPE"},
{"description": "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system.","name": "cpu_subtype","options": {},"type": "INTEGER_TYPE"}
],
"description": "All running processes on the host system.",
"examples": [
"select * from processes where pid = 1"
],
"foreign_keys": [],
"function": "genProcesses",
"name": "processes",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Sensor ID of the Carbon Black sensor","name": "sensor_id","options": {},"type": "INTEGER_TYPE"},
{"description": "Sensor group","name": "config_name","options": {},"type": "TEXT_TYPE"},
{"description": "If the sensor is configured to send back binaries to the Carbon Black server","name": "collect_store_files","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to capture module loads","name": "collect_module_loads","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect metadata of binaries","name": "collect_module_info","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect file modification events","name": "collect_file_mods","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect registry modification events","name": "collect_reg_mods","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect network connections","name": "collect_net_conns","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to process events","name": "collect_processes","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to cross process events","name": "collect_cross_processes","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to EMET events","name": "collect_emet_events","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect non binary file writes","name": "collect_data_file_writes","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to collect the user running a process","name": "collect_process_user_context","options": {},"type": "INTEGER_TYPE"},
{"description": "Unknown","name": "collect_sensor_operations","options": {},"type": "INTEGER_TYPE"},
{"description": "Event file disk quota in MB","name": "log_file_disk_quota_mb","options": {},"type": "INTEGER_TYPE"},
{"description": "Event file disk quota in a percentage","name": "log_file_disk_quota_percentage","options": {},"type": "INTEGER_TYPE"},
{"description": "If the sensor is configured to report tamper events","name": "protection_disabled","options": {},"type": "INTEGER_TYPE"},
{"description": "IP address of the sensor","name": "sensor_ip_addr","options": {},"type": "TEXT_TYPE"},
{"description": "Carbon Black server","name": "sensor_backend_server","options": {},"type": "TEXT_TYPE"},
{"description": "Size in bytes of Carbon Black event files on disk","name": "event_queue","options": {},"type": "INTEGER_TYPE"},
{"description": "Size in bytes of binaries waiting to be sent to Carbon Black server","name": "binary_queue","options": {},"type": "INTEGER_TYPE"}
],
"description": "Returns info about a Carbon Black sensor install.",
"examples": [],
"foreign_keys": [],
"function": "genCarbonBlackInfo",
"name": "carbon_black_info",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Interface name","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "MAC of interface (optional)","name": "mac","options": {},"type": "TEXT_TYPE"},
{"description": "Interface type (includes virtual)","name": "type","options": {},"type": "INTEGER_TYPE"},
{"description": "Network MTU","name": "mtu","options": {},"type": "INTEGER_TYPE"},
{"description": "Metric based on the speed of the interface","name": "metric","options": {},"type": "INTEGER_TYPE"},
{"description": "Flags (netdevice) for the device","name": "flags","options": {},"type": "INTEGER_TYPE"},
{"description": "Input packets","name": "ipackets","options": {},"type": "BIGINT_TYPE"},
{"description": "Output packets","name": "opackets","options": {},"type": "BIGINT_TYPE"},
{"description": "Input bytes","name": "ibytes","options": {},"type": "BIGINT_TYPE"},
{"description": "Output bytes","name": "obytes","options": {},"type": "BIGINT_TYPE"},
{"description": "Input errors","name": "ierrors","options": {},"type": "BIGINT_TYPE"},
{"description": "Output errors","name": "oerrors","options": {},"type": "BIGINT_TYPE"},
{"description": "Input drops","name": "idrops","options": {},"type": "BIGINT_TYPE"},
{"description": "Output drops","name": "odrops","options": {},"type": "BIGINT_TYPE"},
{"description": "Packet Collisions detected","name": "collisions","options": {},"type": "BIGINT_TYPE"},
{"description": "Time of last device modification (optional)","name": "last_change","options": {},"type": "BIGINT_TYPE"},
{"description": "Interface speed in Mb/s","name": "link_speed","options": {},"type": "BIGINT_TYPE"},
{"description": "PCI slot number","name": "pci_slot","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "The friendly display name of the interface.","name": "friendly_name","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Short description of the object\u2014a one-line string.","name": "description","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Name of the network adapter's manufacturer.","name": "manufacturer","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Name of the network connection as it appears in the Network Connections Control Panel program.","name": "connection_id","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "State of the network adapter connection to the network.","name": "connection_status","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Indicates whether the adapter is enabled or not.","name": "enabled","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "Indicates whether the adapter is a physical or a logical adapter.","name": "physical_adapter","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "Estimate of the current bandwidth in bits per second.","name": "speed","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "The name of the service the network adapter uses.","name": "service","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.","name": "dhcp_enabled","options": {"hidden": true},"type": "INTEGER_TYPE"},
{"description": "Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.","name": "dhcp_lease_expires","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.","name": "dhcp_lease_obtained","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "IP address of the dynamic host configuration protocol (DHCP) server.","name": "dhcp_server","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.","name": "dns_domain","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Array of DNS domain suffixes to be appended to the end of host names during name resolution.","name": "dns_domain_suffix_search_order","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Host name used to identify the local computer for authentication by some utilities.","name": "dns_host_name","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Array of server IP addresses to be used in querying for DNS servers.","name": "dns_server_search_order","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Detailed information and stats of network interfaces.",
"examples": [
"select interface, mac, type, idrops as input_drops from interface_details;",
"select interface, mac, type, flags, (1<<8) as promisc_flag from interface_details where (flags & promisc_flag) > 0;",
"select interface, mac, type, flags, (1<<3) as loopback_flag from interface_details where (flags & loopback_flag) > 0;"
],
"foreign_keys": [],
"function": "genInterfaceDetails",
"name": "interface_details",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Package display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Package-supplied version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Package-supplied summary","name": "summary","options": {},"type": "TEXT_TYPE"},
{"description": "Optional package author","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "License under which package is launched","name": "license","options": {},"type": "TEXT_TYPE"},
{"description": "Path at which this module resides","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Directory where Python modules are located","name": "directory","options": {},"type": "TEXT_TYPE"}
],
"description": "Python packages installed in a system.",
"examples": [
"select * from python_packages where directory='/usr/'"
],
"foreign_keys": [],
"function": "genPythonPackages",
"name": "python_packages",
"profile": {}
},
{
"attributes": {
"user_data": true
},
"blacklisted": false,
"columns": [
{"description": "The local user that owns the extension","name": "uid","options": {"additional": true},"type": "BIGINT_TYPE"},
{"description": "Extension display name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension identifier","name": "identifier","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Extension-supplied version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Extension-optional description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Default locale supported by extension","name": "locale","options": {},"type": "TEXT_TYPE"},
{"description": "Extension-supplied update URI","name": "update_url","options": {},"type": "TEXT_TYPE"},
{"description": "Optional extension author","name": "author","options": {},"type": "TEXT_TYPE"},
{"description": "1 If extension is persistent across all tabs else 0","name": "persistent","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to extension folder","name": "path","options": {},"type": "TEXT_TYPE"}
],
"description": "Chrome browser extensions.",
"examples": [
"select * from users join chrome_extensions using (uid)"
],
"foreign_keys": [
{"column": "uid","table": "users"}
],
"function": "genChromeExtensions",
"name": "chrome_extensions",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Login type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "User login name","name": "user","options": {},"type": "TEXT_TYPE"},
{"description": "Device name","name": "tty","options": {},"type": "TEXT_TYPE"},
{"description": "Remote hostname","name": "host","options": {},"type": "TEXT_TYPE"},
{"description": "Time entry was made","name": "time","options": {},"type": "INTEGER_TYPE"},
{"description": "Process (or thread) ID","name": "pid","options": {},"type": "INTEGER_TYPE"}
],
"description": "Users with an active shell on the system.",
"examples": [],
"foreign_keys": [],
"function": "genLoggedInUsers",
"name": "logged_in_users",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "The url for the request","name": "url","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "The HTTP method for the request","name": "method","options": {},"type": "TEXT_TYPE"},
{"description": "The user-agent string to use for the request","name": "user_agent","options": {},"type": "TEXT_TYPE"},
{"description": "The HTTP status code for the response","name": "response_code","options": {},"type": "INTEGER_TYPE"},
{"description": "Time taken to complete the request","name": "round_trip_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of bytes in the response","name": "bytes","options": {},"type": "BIGINT_TYPE"},
{"description": "The HTTP response body","name": "result","options": {},"type": "TEXT_TYPE"}
],
"description": "Perform an http request and return stats about it.",
"examples": [
"select url, round_trip_time, response_code from curl where url = 'https://github.com/facebook/osquery'"
],
"foreign_keys": [],
"function": "genCurl",
"name": "curl",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "Virtual start address (hex)","name": "start","options": {},"type": "TEXT_TYPE"},
{"description": "Virtual end address (hex)","name": "end","options": {},"type": "TEXT_TYPE"},
{"description": "r=read, w=write, x=execute, p=private (cow)","name": "permissions","options": {},"type": "TEXT_TYPE"},
{"description": "Offset into mapped path","name": "offset","options": {},"type": "BIGINT_TYPE"},
{"description": "MA:MI Major/minor device ID","name": "device","options": {},"type": "TEXT_TYPE"},
{"description": "Mapped path inode, 0 means uninitialized (BSS)","name": "inode","options": {},"type": "INTEGER_TYPE"},
{"description": "Path to mapped file or mapped type","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "1 If path is a pseudo path, else 0","name": "pseudo","options": {},"type": "INTEGER_TYPE"}
],
"description": "Process memory mapped files and pseudo device/regions.",
"examples": [
"select * from process_memory_map where pid = 1"
],
"foreign_keys": [],
"function": "genProcessMemoryMap",
"name": "process_memory_map",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Service name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Service port number","name": "port","options": {},"type": "INTEGER_TYPE"},
{"description": "Transport protocol (TCP/UDP)","name": "protocol","options": {},"type": "TEXT_TYPE"},
{"description": "Optional space separated list of other names for a service","name": "aliases","options": {},"type": "TEXT_TYPE"},
{"description": "Optional comment for a service.","name": "comment","options": {},"type": "TEXT_TYPE"}
],
"description": "Line-parsed /etc/services.",
"examples": [],
"foreign_keys": [],
"function": "genEtcServices",
"name": "etc_services",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Unsigned int64 group ID","name": "gid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "A signed int64 version of gid","name": "gid_signed","options": {},"type": "BIGINT_TYPE"},
{"description": "Canonical local group name","name": "groupname","options": {},"type": "TEXT_TYPE"},
{"description": "Unique group ID","name": "group_sid","options": {"hidden": true,"index": true},"type": "TEXT_TYPE"},
{"description": "Remarks or comments associated with the group","name": "comment","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Local system groups.",
"examples": [
"select * from groups where gid = 0"
],
"foreign_keys": [],
"function": "genGroups",
"name": "groups",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Process (or thread) ID","name": "pid","options": {"index": true},"type": "INTEGER_TYPE"},
{"description": "Socket file descriptor number","name": "fd","options": {},"type": "BIGINT_TYPE"},
{"description": "Socket handle or inode number","name": "socket","options": {},"type": "BIGINT_TYPE"},
{"description": "Network protocol (IPv4, IPv6)","name": "family","options": {},"type": "INTEGER_TYPE"},
{"description": "Transport protocol (TCP/UDP)","name": "protocol","options": {},"type": "INTEGER_TYPE"},
{"description": "Socket local address","name": "local_address","options": {},"type": "TEXT_TYPE"},
{"description": "Socket remote address","name": "remote_address","options": {},"type": "TEXT_TYPE"},
{"description": "Socket local port","name": "local_port","options": {},"type": "INTEGER_TYPE"},
{"description": "Socket remote port","name": "remote_port","options": {},"type": "INTEGER_TYPE"},
{"description": "For UNIX sockets (family=AF_UNIX), the domain path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "TCP socket state","name": "state","options": {},"type": "TEXT_TYPE"},
{"description": "The inode number of the network namespace","name": "net_namespace","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Processes which have open network sockets on the system.",
"examples": [
"select * from process_open_sockets where pid = 1"
],
"foreign_keys": [],
"function": "genOpenSockets",
"name": "process_open_sockets",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Destination IP address","name": "destination","options": {},"type": "TEXT_TYPE"},
{"description": "Netmask length","name": "netmask","options": {},"type": "TEXT_TYPE"},
{"description": "Route gateway","name": "gateway","options": {},"type": "TEXT_TYPE"},
{"description": "Route source","name": "source","options": {},"type": "TEXT_TYPE"},
{"description": "Flags to describe route","name": "flags","options": {},"type": "INTEGER_TYPE"},
{"description": "Route local interface","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "Maximum Transmission Unit for the route","name": "mtu","options": {},"type": "INTEGER_TYPE"},
{"description": "Cost of route. Lowest is preferred","name": "metric","options": {},"type": "INTEGER_TYPE"},
{"description": "Type of route","name": "type","options": {},"type": "TEXT_TYPE"}
],
"description": "The active route table for the host system.",
"examples": [],
"foreign_keys": [],
"function": "genRoutes",
"name": "routes",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Kernel version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel arguments","name": "arguments","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "Kernel device identifier","name": "device","options": {},"type": "TEXT_TYPE"}
],
"description": "Basic active kernel information.",
"examples": [],
"foreign_keys": [],
"function": "genKernelInfo",
"name": "kernel_info",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Interface name","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "Specific address for interface","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "Interface netmask","name": "mask","options": {},"type": "TEXT_TYPE"},
{"description": "Broadcast address for the interface","name": "broadcast","options": {},"type": "TEXT_TYPE"},
{"description": "PtP address for the interface","name": "point_to_point","options": {},"type": "TEXT_TYPE"},
{"description": "Type of address. One of dhcp, manual, auto, other","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "The friendly display name of the interface.","name": "friendly_name","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Network interfaces and relevant metadata.",
"examples": [],
"foreign_keys": [],
"function": "genInterfaceAddresses",
"name": "interface_addresses",
"profile": {}
},
{
"attributes": {
"cacheable": true
},
"blacklisted": false,
"columns": [
{"description": "Protocol name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Protocol number","name": "number","options": {},"type": "INTEGER_TYPE"},
{"description": "Protocol alias","name": "alias","options": {},"type": "TEXT_TYPE"},
{"description": "Comment with protocol description","name": "comment","options": {},"type": "TEXT_TYPE"}
],
"description": "Line-parsed /etc/protocols.",
"examples": [],
"foreign_keys": [],
"function": "genEtcProtocols",
"name": "etc_protocols",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "IPv4 address target","name": "address","options": {},"type": "TEXT_TYPE"},
{"description": "MAC address of broadcasted address","name": "mac","options": {},"type": "TEXT_TYPE"},
{"description": "Interface of the network for the MAC","name": "interface","options": {},"type": "TEXT_TYPE"},
{"description": "1 for true, 0 for false","name": "permanent","options": {},"type": "TEXT_TYPE"}
],
"description": "Address resolution cache, both static and dynamic (from ARP, NDP).",
"examples": [],
"foreign_keys": [],
"function": "genArpCache",
"name": "arp_cache",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "User ID","name": "uid","options": {"index": true},"type": "BIGINT_TYPE"},
{"description": "Group ID","name": "gid","options": {"index": true},"type": "BIGINT_TYPE"}
],
"description": "Local system user group relationships.",
"examples": [],
"foreign_keys": [],
"function": "genUserGroups",
"name": "user_groups",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Present feature flags","name": "feature","options": {},"type": "TEXT_TYPE"},
{"description": "Bit value or string","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "Register used to for feature value","name": "output_register","options": {},"type": "TEXT_TYPE"},
{"description": "Bit in register value for feature value","name": "output_bit","options": {},"type": "INTEGER_TYPE"},
{"description": "Value of EAX used","name": "input_eax","options": {},"type": "TEXT_TYPE"}
],
"description": "Useful CPU features from the cpuid ASM call.",
"examples": [],
"foreign_keys": [],
"function": "genCPUID",
"name": "cpuid",
"profile": {}
},
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Hostname (domain[:port]) to CURL","name": "hostname","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Common name of company issued to","name": "common_name","options": {},"type": "TEXT_TYPE"},
{"description": "Organization issued to","name": "organization","options": {},"type": "TEXT_TYPE"},
{"description": "Organization unit issued to","name": "organization_unit","options": {},"type": "TEXT_TYPE"},
{"description": "Certificate serial number","name": "serial_number","options": {},"type": "TEXT_TYPE"},
{"description": "Issuer common name","name": "issuer_common_name","options": {},"type": "TEXT_TYPE"},
{"description": "Issuer organization","name": "issuer_organization","options": {},"type": "TEXT_TYPE"},
{"description": "Issuer organization unit","name": "issuer_organization_unit","options": {},"type": "TEXT_TYPE"},
{"description": "Period of validity start date","name": "valid_from","options": {},"type": "TEXT_TYPE"},
{"description": "Period of validity end date","name": "valid_to","options": {},"type": "TEXT_TYPE"},
{"description": "SHA-256 fingerprint","name": "sha256_fingerprint","options": {},"type": "TEXT_TYPE"},
{"description": "SHA1 fingerprint","name": "sha1_fingerprint","options": {},"type": "TEXT_TYPE"}
],
"description": "Inspect TLS certificates by connecting to input hostnames.",
"examples": [
"select * from curl_certificate where hostname = 'osquery.io'"
],
"foreign_keys": [],
"function": "genTLSCertificate",
"name": "curl_certificate",
"profile": {}
}
]
},
{
"key": "smart",
"name": "SMART",
"tables": [
{
"attributes": {},
"blacklisted": false,
"columns": [
{"description": "Name of block device","name": "device_name","options": {"index": true},"type": "TEXT_TYPE"},
{"description": "Physical slot number of device, only exists when hardware storage controller exists","name": "disk_id","options": {},"type": "INTEGER_TYPE"},
{"description": "The explicit device type used to retrieve the SMART information","name": "driver_type","options": {},"type": "TEXT_TYPE"},
{"description": "Drive model family","name": "model_family","options": {},"type": "TEXT_TYPE"},
{"description": "Device Model","name": "device_model","options": {},"type": "TEXT_TYPE"},
{"description": "Device serial number","name": "serial_number","options": {},"type": "TEXT_TYPE"},
{"description": "Device Identifier","name": "lu_wwn_device_id","options": {},"type": "TEXT_TYPE"},
{"description": "An additional drive identifier if any","name": "additional_product_id","options": {},"type": "TEXT_TYPE"},
{"description": "Drive firmware version","name": "firmware_version","options": {},"type": "TEXT_TYPE"},
{"description": "Bytes of drive capacity","name": "user_capacity","options": {},"type": "TEXT_TYPE"},
{"description": "Bytes of drive sector sizes","name": "sector_sizes","options": {},"type": "TEXT_TYPE"},
{"description": "Drive RPM","name": "rotation_rate","options": {},"type": "TEXT_TYPE"},
{"description": "Form factor if reported","name": "form_factor","options": {},"type": "TEXT_TYPE"},
{"description": "Boolean value for if drive is recognized","name": "in_smartctl_db","options": {},"type": "INTEGER_TYPE"},
{"description": "ATA version of drive","name": "ata_version","options": {},"type": "TEXT_TYPE"},
{"description": "Drive transport type","name": "transport_type","options": {},"type": "TEXT_TYPE"},
{"description": "SATA version, if any","name": "sata_version","options": {},"type": "TEXT_TYPE"},
{"description": "Error string for device id read, if any","name": "read_device_identity_failure","options": {},"type": "TEXT_TYPE"},
{"description": "SMART support status","name": "smart_supported","options": {},"type": "TEXT_TYPE"},
{"description": "SMART enabled status","name": "smart_enabled","options": {},"type": "TEXT_TYPE"},
{"description": "Packet device type","name": "packet_device_type","options": {},"type": "TEXT_TYPE"},
{"description": "Device power mode","name": "power_mode","options": {},"type": "TEXT_TYPE"},
{"description": "Warning messages from SMART controller","name": "warnings","options": {},"type": "TEXT_TYPE"}
],
"description": "Drive information read by SMART controller utilizing autodetect.",
"examples": [],
"foreign_keys": [],
"function": "genSmartInfo",
"name": "smart_drive_info",
"profile": {}
}
]
},
{
"key": "utility",
"name": "Utility",
"tables": [
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Flag name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Flag type","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Flag description","name": "description","options": {},"type": "TEXT_TYPE"},
{"description": "Flag default value","name": "default_value","options": {},"type": "TEXT_TYPE"},
{"description": "Flag value","name": "value","options": {},"type": "TEXT_TYPE"},
{"description": "Is the flag shell only?","name": "shell_only","options": {},"type": "INTEGER_TYPE"}
],
"description": "Configurable flags that modify osquery's behavior.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryFlags",
"name": "osquery_flags",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "The transient ID assigned for communication","name": "uuid","options": {},"type": "BIGINT_TYPE"},
{"description": "Extension's name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extenion's version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "osquery SDK version used to build the extension","name": "sdk_version","options": {},"type": "TEXT_TYPE"},
{"description": "Path of the extenion's domain socket or library path","name": "path","options": {},"type": "TEXT_TYPE"},
{"description": "SDK extension type: extension or module","name": "type","options": {},"type": "TEXT_TYPE"}
],
"description": "List of active osquery extensions.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryExtensions",
"name": "osquery_extensions",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Event publisher or subscriber name","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the associated publisher","name": "publisher","options": {},"type": "TEXT_TYPE"},
{"description": "Either publisher or subscriber","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "Number of subscriptions the publisher received or subscriber used","name": "subscriptions","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of events emitted or received since osquery started","name": "events","options": {},"type": "INTEGER_TYPE"},
{"description": "Publisher only: number of runloop restarts","name": "refreshes","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if the publisher or subscriber is active else 0","name": "active","options": {},"type": "INTEGER_TYPE"}
],
"description": "Information about the event publishers and subscribers.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryEvents",
"name": "osquery_events",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Process (or thread/handle) ID","name": "pid","options": {},"type": "INTEGER_TYPE"},
{"description": "Unique ID provided by the system","name": "uuid","options": {},"type": "TEXT_TYPE"},
{"description": "Unique, long-lived ID per instance of osquery","name": "instance_id","options": {},"type": "TEXT_TYPE"},
{"description": "osquery toolkit version","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Hash of the working configuration state","name": "config_hash","options": {},"type": "TEXT_TYPE"},
{"description": "1 if the config was loaded and considered valid, else 0","name": "config_valid","options": {},"type": "INTEGER_TYPE"},
{"description": "osquery extensions status","name": "extensions","options": {},"type": "TEXT_TYPE"},
{"description": "osquery toolkit build platform","name": "build_platform","options": {},"type": "TEXT_TYPE"},
{"description": "osquery toolkit platform distribution name (os version)","name": "build_distro","options": {},"type": "TEXT_TYPE"},
{"description": "UNIX time in seconds when the process started","name": "start_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Process (or thread/handle) ID of optional watcher process","name": "watcher","options": {},"type": "INTEGER_TYPE"}
],
"description": "Top level information about the running version of osquery.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryInfo",
"name": "osquery_info",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Name of the osquery registry","name": "registry","options": {},"type": "TEXT_TYPE"},
{"description": "Name of the plugin item","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Extension route UUID (0 for core)","name": "owner_uuid","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If the plugin is internal else 0","name": "internal","options": {},"type": "INTEGER_TYPE"},
{"description": "1 If this plugin is active else 0","name": "active","options": {},"type": "INTEGER_TYPE"}
],
"description": "List the osquery registry plugins.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryRegistry",
"name": "osquery_registry",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Current weekday in the system","name": "weekday","options": {},"type": "TEXT_TYPE"},
{"description": "Current year in the system","name": "year","options": {},"type": "INTEGER_TYPE"},
{"description": "Current month in the system","name": "month","options": {},"type": "INTEGER_TYPE"},
{"description": "Current day in the system","name": "day","options": {},"type": "INTEGER_TYPE"},
{"description": "Current hour in the system","name": "hour","options": {},"type": "INTEGER_TYPE"},
{"description": "Current minutes in the system","name": "minutes","options": {},"type": "INTEGER_TYPE"},
{"description": "Current seconds in the system","name": "seconds","options": {},"type": "INTEGER_TYPE"},
{"description": "Current timezone in the system","name": "timezone","options": {},"type": "TEXT_TYPE"},
{"description": "Current local UNIX time in the system","name": "local_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Current local timezone in the system","name": "local_timezone","options": {},"type": "TEXT_TYPE"},
{"description": "Current UNIX time in the system, converted to UTC if --utc enabled","name": "unix_time","options": {},"type": "INTEGER_TYPE"},
{"description": "Current timestamp (log format) in the system","name": "timestamp","options": {},"type": "TEXT_TYPE"},
{"description": "Current date and time (ISO format) in the system","name": "datetime","options": {},"type": "TEXT_TYPE"},
{"description": "Current time (ISO format) in the system","name": "iso_8601","options": {},"type": "TEXT_TYPE"}
],
"description": "Track current date and time in the system.",
"examples": [],
"foreign_keys": [],
"function": "genTime",
"name": "time",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "The given name for this query","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "The exact query to run","name": "query","options": {},"type": "TEXT_TYPE"},
{"description": "The interval in seconds to run this query, not an exact interval","name": "interval","options": {},"type": "INTEGER_TYPE"},
{"description": "Number of times the query was executed","name": "executions","options": {},"type": "BIGINT_TYPE"},
{"description": "UNIX time stamp in seconds of the last completed execution","name": "last_executed","options": {},"type": "BIGINT_TYPE"},
{"description": "1 if the query is blacklisted else 0","name": "blacklisted","options": {},"type": "INTEGER_TYPE"},
{"description": "Total number of bytes generated by the query","name": "output_size","options": {},"type": "BIGINT_TYPE"},
{"description": "Total wall time spent executing","name": "wall_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Total user time spent executing","name": "user_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Total system time spent executing","name": "system_time","options": {},"type": "BIGINT_TYPE"},
{"description": "Average private memory left after executing","name": "average_memory","options": {},"type": "BIGINT_TYPE"}
],
"description": "Information about the current queries that are scheduled in osquery.",
"examples": [],
"foreign_keys": [],
"function": "genOsquerySchedule",
"name": "osquery_schedule",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "Absolute file path","name": "path","options": {"index": true,"required": true},"type": "TEXT_TYPE"},
{"description": "Directory of file(s)","name": "directory","options": {"required": true},"type": "TEXT_TYPE"},
{"description": "Name portion of file path","name": "filename","options": {},"type": "TEXT_TYPE"},
{"description": "Filesystem inode number","name": "inode","options": {},"type": "BIGINT_TYPE"},
{"description": "Owning user ID","name": "uid","options": {},"type": "BIGINT_TYPE"},
{"description": "Owning group ID","name": "gid","options": {},"type": "BIGINT_TYPE"},
{"description": "Permission bits","name": "mode","options": {},"type": "TEXT_TYPE"},
{"description": "Device ID (optional)","name": "device","options": {},"type": "BIGINT_TYPE"},
{"description": "Size of file in bytes","name": "size","options": {},"type": "BIGINT_TYPE"},
{"description": "Block size of filesystem","name": "block_size","options": {},"type": "INTEGER_TYPE"},
{"description": "Last access time","name": "atime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last modification time","name": "mtime","options": {},"type": "BIGINT_TYPE"},
{"description": "Last status change time","name": "ctime","options": {},"type": "BIGINT_TYPE"},
{"description": "(B)irth or (cr)eate time","name": "btime","options": {},"type": "BIGINT_TYPE"},
{"description": "Number of hard links","name": "hard_links","options": {},"type": "INTEGER_TYPE"},
{"description": "1 if the path is a symlink, otherwise 0","name": "symlink","options": {},"type": "INTEGER_TYPE"},
{"description": "File status","name": "type","options": {},"type": "TEXT_TYPE"},
{"description": "File attrib string. See: https://ss64.com/nt/attrib.html","name": "attributes","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "Volume serial number","name": "volume_serial","options": {"hidden": true},"type": "TEXT_TYPE"},
{"description": "file ID","name": "file_id","options": {"hidden": true},"type": "TEXT_TYPE"}
],
"description": "Interactive filesystem attributes and metadata.",
"examples": [
"select * from file where path = '/etc/passwd'",
"select * from file where directory = '/etc/'",
"select * from file where path LIKE '/etc/%'"
],
"foreign_keys": [],
"function": "genFile",
"name": "file",
"profile": {}
},
{
"attributes": {
"utility": true
},
"blacklisted": false,
"columns": [
{"description": "The given name for this query pack","name": "name","options": {},"type": "TEXT_TYPE"},
{"description": "Platforms this query is supported on","name": "platform","options": {},"type": "TEXT_TYPE"},
{"description": "Minimum osquery version that this query will run on","name": "version","options": {},"type": "TEXT_TYPE"},
{"description": "Shard restriction limit, 1-100, 0 meaning no restriction","name": "shard","options": {},"type": "INTEGER_TYPE"},
{"description": "The number of times that the discovery query used cached values since the last time the config was reloaded","name": "discovery_cache_hits","options": {},"type": "INTEGER_TYPE"},
{"description": "The number of times that the discovery queries have been executed since the last time the config was reloaded","name": "discovery_executions","options": {},"type": "INTEGER_TYPE"},
{"description": "Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.","name": "active","options": {},"type": "INTEGER_TYPE"}
],
"description": "Information about the current query packs that are loaded in osquery.",
"examples": [],
"foreign_keys": [],
"function": "genOsqueryPacks",
"name": "osquery_packs",
"profile": {}
}
]
}
],
"events": [
]
}
Reference in New Issue View Git Blame Copy Permalink