• Manufacturer: osquery project
• Version: 4.1.2
• Website: https://osquery.io/

Description

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.
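As an added illustration (not taken from this page or from the osquery project), the two queries below show how osquery's built-in tables can be shaped into rows whose columns carry the Process and Flow field names used under Data Model Coverage. The table and column names (`processes`, `users`, `hash`, `system_info`, `process_open_sockets`) are osquery's; the column aliases, the join to `hash`, the `CROSS JOIN system_info` for the hostname and the protocol decoding are my choices, and both queries return a point-in-time snapshot rather than create/terminate or start/end events.

```sql
-- Added example, not osquery project code. Maps osquery tables onto
-- Process-style fields. `hash` is joined on the image path, which hashes
-- every running image on each run (assumption: acceptable for ad-hoc use,
-- costly when scheduled frequently).
SELECT
  si.hostname   AS hostname,
  p.pid         AS pid,
  p.parent      AS ppid,
  p.path        AS exe,
  p.cmdline     AS command_line,
  p.cwd         AS current_working_directory,
  u.username    AS user,
  pp.path       AS parent_exe,
  pp.cmdline    AS parent_command_line,
  h.md5         AS md5_hash,
  h.sha1        AS sha1_hash,
  h.sha256      AS sha256_hash
FROM processes p
LEFT JOIN processes pp  ON pp.pid  = p.parent   -- self-join for parent fields
LEFT JOIN users     u   ON u.uid   = p.uid
LEFT JOIN hash      h   ON h.path  = p.path     -- path constraint satisfied by the join
CROSS JOIN system_info si                        -- single-row table, supplies hostname
WHERE p.path <> '';                              -- skip kernel threads with no image

-- Flow-style fields from currently open sockets. process_open_sockets holds
-- the 5-tuple and owning pid; protocol is the IP protocol number, decoded
-- here for readability (my mapping, not an osquery column).
SELECT
  si.hostname        AS hostname,
  s.pid              AS pid,
  p.parent           AS ppid,
  p.path             AS exe,
  u.username         AS user,
  s.local_address    AS src_ip,
  s.local_port       AS src_port,
  s.remote_address   AS dest_ip,
  s.remote_port      AS dest_port,
  CASE s.protocol
    WHEN 6  THEN 'tcp'
    WHEN 17 THEN 'udp'
    ELSE CAST(s.protocol AS TEXT)
  END                AS protocol
FROM process_open_sockets s
JOIN      processes   p  ON p.pid = s.pid
LEFT JOIN users       u  ON u.uid = p.uid
CROSS JOIN system_info si
WHERE s.remote_port <> 0;                        -- drop listening sockets
```

Both statements can be pasted into `osqueryi` as written. Because they read live state, they only see what exists at query time; on Linux, event-style coverage of process starts and connections comes from the audit-backed `process_events` and `socket_events` tables, which need auditing enabled in the osquery configuration.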

Data Model Coverage

(Per-field coverage marks for each action are not reproduced here; each object lists its actions and fields.)

Registry

  Actions: add, edit, remove
  Fields:  data, fqdn, hive, hostname, image_path, key, pid, type, user, value

File

  Actions: create, delete, modify, read, timestomp, write
  Fields:  company, creation_time, file_name, file_path, fqdn, hostname, image_path, md5_hash, pid, ppid, previous_creation_time, sha1_hash, sha256_hash, signer, user

Driver

  Actions: load, unload
  Fields:  base_address, fqdn, hostname, image_path, md5_hash, module_name, sha1_hash, sha256_hash, signer

Flow

  Actions: end, message, start
  Fields:  content, dest_fqdn, dest_hostname, dest_ip, dest_port, end_time, exe, flags, fqdn, hostname, image_path, packet_count, pid, ppid, proto_info, protocol, src_fqdn, src_hostname, src_ip, src_port, start_time, user

Process

  Actions: create, terminate
  Fields:  command_line, current_working_directory, exe, fqdn, hostname, image_path, integrity_level, md5_hash, parent_command_line, parent_exe, parent_image_path, pid, ppid, sha1_hash, sha256_hash, sid, signer, user

Analytic Coverage