This post demonstrates the use of new osquery features in context.

Osquery 4.2.0 also patches a security vulnerability that could allow a man-in-the-middle attack on the osquery TLS plugins.

## New SQL Function – community_id_v1 – All Platforms

This function calculates the Community ID of a network connection. As a function, it can be used with any data set in osquery that exposes a connection's local and remote addresses, ports and protocol. Using the hashed value, network connections in osquery can be linked to those recorded by network monitoring software.

```
osquery> SELECT *, community_id_v1(local_address, remote_address, local_port, remote_port, protocol) AS community_id
```

Thank you to Security Onion Solutions for sponsoring Dactiv’s development of this new feature.

## New Table – ntfs_journal_events – Windows

This table can be used to implement File Integrity Monitoring (FIM) with osquery. The scheduled query in the osquery configuration:

```
"query": "SELECT * FROM ntfs_journal_events"
```

A field from one of the resulting events:

```
"file_attributes": "FILE_ATTRIBUTE_ARCHIVE",
```

## New Table – docker_image_layers – macOS, Linux

This table retrieves metadata about the layers that make up a Docker image.

```
osquery> SELECT * FROM docker_images JOIN docker_image_layers USING (id)
```

## New Table – mdls – macOS

Querying the Spotlight metadata keys of a file, such as kMDItemWhereFroms, can give the download URL of a file.

```
osquery> SELECT * FROM mdls
    ...> WHERE path = '/Users/zwass/Downloads/osquery-4.1.2.pkg'
    ...> AND key IN ('kMDItemContentType', 'kMDItemKind', 'kMDItemWhereFroms')
path = /Users/zwass/Downloads/osquery-4.1.2.pkg
```

## New Table – windows_optional_features – Windows

Provides information about the “optional features” enabled and disabled on a Windows system. Dactiv’s Zach Wasserman enabled the (previously implemented) table by configuring it to be built with osquery.

```
osquery> SELECT * FROM windows_optional_features LIMIT 5
caption = Remote Differential Compression API Support
name = Printing-PrintToPDFServices-Features
```

## Columns – bitlocker_info – Windows

- lock_status: The accessibility status of the drive from Windows.
- percentage_encrypted: The percentage of the drive that is encrypted.
- version: The FVE metadata version of the drive.

```
osquery> SELECT * FROM bitlocker_info
device_id = \\?\Volume\
```

## firefox_addons – All Platforms

The table is now supported on all platforms.

```
osquery> SELECT fa.* FROM users JOIN firefox_addons fa USING (uid) LIMIT 1
description = Mozilla add-on that supports the roll-out of DoH
path = C:\Program Files\Mozilla
```

## ssh_configs – Windows

Get information about the SSH configurations in the default SSH configuration directory.

```
osquery> SELECT sc.* FROM users JOIN ssh_configs sc USING (uid)
ssh_config_file = C:\Users\zachw\.ssh/config
```

## user_ssh_keys – Windows

Get information about the SSH keys in the default SSH configuration directory.

```
osquery> SELECT usk.* FROM users JOIN user_ssh_keys usk USING (uid) LIMIT 1
```
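To show what the community_id_v1 function computes, and why it lets socket rows from an endpoint be matched to a network sensor's flow records, here is an added Python example (written for this page, not code from the post or from osquery) that implements the Community ID v1 algorithm as published in Corelight's specification and correlates constructed rows, shaped like the output of osquery's process_open_sockets table, with constructed Zeek conn.log style records. The PIDs, addresses and Zeek uids are made up; the argument order of the function mirrors the osquery function's argument order.

```python
import base64
import hashlib
import ipaddress
import struct

# Community ID v1 (Corelight spec):
#   "1:" + base64(SHA1(seed || addr_a || addr_b || proto || 0x00 || port_a || port_b))
# where (addr_a, port_a) is the endpoint that sorts lower, so both directions of a
# flow, and therefore the client's and the server's view of it, hash to the same value.


def community_id_v1(local_address, remote_address, local_port, remote_port, protocol, seed=0):
    """Community ID v1 of a port-based (TCP/UDP/SCTP) flow.

    Argument order mirrors osquery's community_id_v1(local, remote, lport, rport, proto).
    Values are coerced with int() because osquery result logs carry columns as strings."""
    a = ipaddress.ip_address(local_address).packed
    b = ipaddress.ip_address(remote_address).packed
    sport, dport = int(local_port), int(remote_port)
    # Canonical ordering: lower packed address first; on an address tie, lower port first.
    if (a, sport) > (b, dport):
        a, b, sport, dport = b, a, dport, sport
    data = struct.pack("!H", int(seed)) + a + b + struct.pack("!BBHH", int(protocol), 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample: rows as `SELECT pid, local_address, remote_address, local_port,
# remote_port, protocol FROM process_open_sockets` might return them on a web server
# (the server sees the flow from its own side: local port 80, remote ephemeral port).
OSQUERY_SOCKETS = [
    {"pid": 4242, "local_address": "66.35.250.204", "remote_address": "128.232.110.120",
     "local_port": "80", "remote_port": "34855", "protocol": "6"},
    {"pid": 4243, "local_address": "10.0.0.5", "remote_address": "10.0.0.53",
     "local_port": "51000", "remote_port": "53", "protocol": "17"},
]

# Constructed sample: conn.log records from a sensor that saw only the first flow,
# recorded from the originator's side (orig = client, resp = server).
ZEEK_CONN = [
    {"uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "128.232.110.120", "id.orig_p": 34855,
     "id.resp_h": "66.35.250.204", "id.resp_p": 80, "proto": "tcp"},
    {"uid": "CKZ3Zw2pQj3mJ4Lk1", "id.orig_h": "192.168.1.9", "id.orig_p": 40000,
     "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"},
]

# Zeek names the transport protocol; osquery reports the IP protocol number.
PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}


def osquery_row_id(row, seed=0):
    """Community ID for one process_open_sockets-shaped row."""
    return community_id_v1(row["local_address"], row["remote_address"],
                           row["local_port"], row["remote_port"], row["protocol"], seed)


def zeek_conn_id(conn, seed=0):
    """Community ID for one conn.log-shaped record, computed from its 5-tuple."""
    return community_id_v1(conn["id.orig_h"], conn["id.resp_h"],
                           conn["id.orig_p"], conn["id.resp_p"], PROTO_NUM[conn["proto"]], seed)


def correlate(sockets, conns, seed=0):
    """Map Community ID -> (pid, zeek uid) for every endpoint socket the sensor also saw.

    This is the join that the hashed value enables: the endpoint contributes the
    owning process, the sensor contributes the flow record, and neither side
    needs to know which one was the client."""
    by_id = {zeek_conn_id(c, seed): c["uid"] for c in conns}
    matches = {}
    for row in sockets:
        cid = osquery_row_id(row, seed)
        if cid in by_id:
            matches[cid] = (row["pid"], by_id[cid])
    return matches


if __name__ == "__main__":
    for cid, (pid, uid) in correlate(OSQUERY_SOCKETS, ZEEK_CONN).items():
        print(f"{cid}  pid={pid}  zeek_uid={uid}")
```

The seed must agree on both sides (both osquery and Zeek default to 0), otherwise no IDs will ever match; the example computes the sensor's IDs from the tuple so that it runs offline, whereas a real sensor writes its own community_id field into conn.log.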
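As an added illustration of the FIM use case (example code written for this page, not part of osquery or the original post), the Python below triages osquery result-log lines from the ntfs_journal_events table against a small watch list, separating events on watched paths from events whose directory could not be resolved. The log lines, host name, watch-list categories and path globs are constructed; the action strings are assumed to be the NTFS USN change-reason names the table reports, and the `partial` column is taken to mean that only the leaf name of the path survived.

```python
import json
from pathlib import PureWindowsPath

# Hypothetical watch list in the spirit of osquery's `file_paths` configuration:
# category -> Windows path globs. PureWindowsPath.match() is case-insensitive,
# as NTFS paths are, and `*` matches exactly one path component.
WATCHED = {
    "hosts_file": [r"C:\Windows\System32\drivers\etc\*"],
    "startup_folder": [r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*"],
}

# USN change reasons that alter the content or presence of a file. These action
# strings are assumed (see lead-in); attribute-only changes are deliberately excluded.
INTEGRITY_ACTIONS = {"FileCreate", "FileDelete", "DataOverwrite", "DataExtend",
                     "DataTruncate", "RenameNewName"}


def watched_category(path):
    """Return the watch-list category a path falls under, or None."""
    p = PureWindowsPath(path)
    for category, globs in WATCHED.items():
        if any(p.match(g) for g in globs):
            return category
    return None


def triage(result_lines):
    """Split ntfs_journal_events result-log lines into (alerts, unresolved).

    Column values in osquery result logs are strings, so `partial` is compared as "1".
    Event tables only ever add rows, so anything but a top-level "added" is skipped."""
    alerts, unresolved = [], []
    for line in result_lines:
        rec = json.loads(line)
        if rec.get("action") != "added":
            continue
        cols = rec["columns"]
        if cols.get("action") not in INTEGRITY_ACTIONS:
            continue
        event = {"host": rec.get("hostIdentifier"), "action": cols["action"],
                 "path": cols.get("path", ""), "usn": cols.get("record_usn")}
        if str(cols.get("partial", "0")) == "1":
            # Only the leaf name is known; it cannot be checked against directory globs,
            # so it is reported separately rather than silently dropped.
            unresolved.append(event)
            continue
        category = watched_category(event["path"])
        if category:
            event["category"] = category
            alerts.append(event)
    return alerts, unresolved


def _rec(action, path, partial="0"):
    """Build one constructed result-log line in osquery's event-log shape."""
    return json.dumps({"name": "ntfs_fim", "hostIdentifier": "WS-01", "action": "added",
                       "columns": {"action": action, "path": path, "old_path": "",
                                   "drive_letter": "C", "file_attributes": "FILE_ATTRIBUTE_ARCHIVE",
                                   "partial": partial, "record_usn": "1000"}})


# Constructed sample log: two watched changes, one unwatched file, one attribute-only
# change on a watched file, and one event whose parent directory was not resolved.
SAMPLE_RESULTS = [
    _rec("DataOverwrite", r"C:\Windows\System32\drivers\etc\hosts"),
    _rec("RenameNewName", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk"),
    _rec("FileCreate", r"C:\Users\alice\Documents\notes.txt"),
    _rec("BasicInfoChange", r"C:\Windows\System32\drivers\etc\hosts"),
    _rec("FileDelete", "hosts", partial="1"),
]


if __name__ == "__main__":
    found, pending = triage(SAMPLE_RESULTS)
    for e in found:
        print(f"ALERT {e['host']} {e['category']}: {e['action']} {e['path']}")
    for e in pending:
        print(f"UNRESOLVED {e['host']}: {e['action']} {e['path']} (usn {e['usn']})")
```

Matching against the category globs here mirrors what the table's own category column gives you when the watch list lives in the osquery configuration; the point of doing it again on the log side is to keep the filtering logic visible and testable next to the handling of partial paths.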