  • Manufacturer: osquery project
  • Version: 4.6.0
  • Website: https://osquery.io/

Description

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.

Data Model Coverage

driver

  Fields:  base_address, fqdn, hostname, image_path, md5_hash, module_name, pid, sha1_hash, sha256_hash, signature_valid, signer
  Actions: load, unload

file

  Fields:  company, content, creation_time, extension, file_name, file_path, fqdn, gid, group, hostname, image_path, link_target, md5_hash, mime_type, mode, owner, owner_uid, pid, ppid, previous_creation_time, sha1_hash, sha256_hash, signature_valid, signer, uid, user
  Actions: acl_modify, create, delete, modify, read, timestomp, write

flow

  Fields:  application_protocol, content, dest_fqdn, dest_hostname, dest_ip, dest_port, end_time, exe, fqdn, hostname, image_path, in_bytes, network_direction, out_bytes, packet_count, pid, ppid, proto_info, src_fqdn, src_hostname, src_ip, src_port, start_time, tcp_flags, transport_protocol, uid, user
  Actions: end, message, start

process

  Fields:  access_level, call_trace, command_line, current_working_directory, env_vars, exe, fqdn, guid, hostname, image_path, integrity_level, md5_hash, parent_command_line, parent_exe, parent_guid, parent_image_path, pid, ppid, sha1_hash, sha256_hash, sid, signature_valid, signer, target_address, target_guid, target_name, target_pid, uid, user
  Actions: access, create, terminate

Analytic Coverage