valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 09:58:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2084c74238
osquery-1/specs/windows/powershell_events.table

20 lines
1.2 KiB
Plaintext
Raw Blame History

table_name("powershell_events")
description("Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.")
schema([
Column("time", BIGINT, "Timestamp the event was received by the osquery event publisher"),
Column("datetime", TEXT, "System time at which the Powershell script event occurred"),
Column("script_block_id", TEXT, "The unique GUID of the powershell script to which this block belongs"),
Column("script_block_count", INTEGER, "The total number of script blocks for this script"),
Column("script_text", TEXT, "The text content of the Powershell script"),
Column("script_name", TEXT, "The name of the Powershell script"),
Column("script_path", TEXT, "The path for the Powershell script"),
Column("cosine_similarity", DOUBLE, "How similar the Powershell script is to a provided 'normal' character frequency"),
])
attributes(event_subscriber=True)
implementation("powershell_events@PowershellEventSubscriber::genTable")
examples([
"select * from powershell_events;",
"select * from powershell_events where script_text like '%Invoke-Mimikatz%';",
"select * from powershell_events where cosine_similarity < 0.25;",
])
Reference in New Issue View Git Blame Copy Permalink