diff --git a/docs/1-Using-Fleet/0-Learn-how-to-use-Fleet.md b/docs/1-Using-Fleet/0-Learn-how-to-use-Fleet.md
index 4cd9eaaeea..2eefc77a57 100644
--- a/docs/1-Using-Fleet/0-Learn-how-to-use-Fleet.md
+++ b/docs/1-Using-Fleet/0-Learn-how-to-use-Fleet.md
@@ -1,6 +1,6 @@
# Learn how to use Fleet
-> This tutorial assumes that you have a preview environment of Fleet up and running. If you haven't already done so, check out our [Get Started](../../../README.md#try-fleet) guide for instructions on how to start a preview environment of Fleet.
+> This tutorial assumes that you have a preview environment of Fleet up and running. If you haven't already done so, check out our [Get Started](https://fleetdm.com/get-started) guide for instructions on how to start a preview environment of Fleet.
In this tutorial, we'll cover the following concepts:
@@ -14,7 +14,7 @@ Once you log into Fleet, you are presented with the **Hosts** page.
>In Fleet, devices are referred to as "hosts."
-
+
On this page you'll see 7 hosts by default. These hosts are simulated Linux devices, and like the Fleet preview environment, they're running locally on your computer in Docker.
@@ -33,13 +33,13 @@ These questions can easily be answered, by running the following query: "Detect
On the **Queries** page, enter the query name, "Detect Linux hosts with high severity vulnerable versions of OpenSSL," in the search box, select the query from the results table, and navigate to the **Edit or run query** page.
-
+
On the **Edit or run query** page, open the "Select targets" dropdown, and press the purple "+" icon to the right of "All hosts," to run this query against all hosts enrolled in your Fleet. Then hit the "Run" button to execute the query.
-
+
The query may take several seconds to complete, because Fleet has to wait for the osquery agents to respond with results.
@@ -48,7 +48,7 @@ The query may take several seconds to complete, because Fleet has to wait for th
When the query has finished, you should see 4 columns and several rows in the "Results" table:
-
+
- The "hostname" column answers: which device responded for a given row of results?
@@ -95,13 +95,13 @@ To add your own device to Fleet, you'll first need to install the osquery agent.
> Take note on where your new Orbit directory is located on you device. Knowing this will be helpful when building the Orbit package in step 3.
-
+
2. In Fleet UI's Host page, hit the "Add new host" button, and copy your Fleet enroll secret (you'll need this in the next step.)
-
+
-3. With [fleetctl preview](http://www.fleetdm.com/get-started) still running, and [Go](https://golang.org/doc/install) 1.16 installed, run the following command (remembering to swap ```YOUR_FLEET_ENROLL_SECRET_HERE``` for the one you copied in the previous step:
+3. With [fleetctl preview](http://fleetdm.com/get-started) still running, and [Go](https://golang.org/doc/install) 1.16 installed, run the following command (remembering to swap ```YOUR_FLEET_ENROLL_SECRET_HERE``` for the one you copied in the previous step:
```
# From within the top-level directory of your cloned Orbit repository…
diff --git a/docs/1-Using-Fleet/1-Fleet-UI.md b/docs/1-Using-Fleet/1-Fleet-UI.md
index 174d5e0b3b..e6e0c68954 100644
--- a/docs/1-Using-Fleet/1-Fleet-UI.md
+++ b/docs/1-Using-Fleet/1-Fleet-UI.md
@@ -5,6 +5,7 @@
## Scheduling queries
The Fleet application allows you to schedule queries. This way these queries will run on an ongoing basis against the hosts that you have installed osquery on. To schedule specific queries in Fleet, you can organize these queries into "Query Packs". To view all saved packs and perhaps create a new pack, select "Schedule" from the top nav.
+
If you select a pack from the list, you can quickly enable and disable the entire pack, or you can configure it further.
diff --git a/website/.sailsrc b/website/.sailsrc
index 413dbcd8df..9f58d730b0 100644
--- a/website/.sailsrc
+++ b/website/.sailsrc
@@ -5,5 +5,997 @@
"_generatedWith": {
"sails": "1.2.5",
"sails-generate": "2.0.0"
+ },
+ "builtStaticContent": {
+ "markdownPages": [
+ {
+ "url": "/docs",
+ "title": "Readme.md",
+ "lastModifiedAt": 1624049901000,
+ "htmlId": "docs--readme--9f534d32b2",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/learn-how-to-use-fleet",
+ "title": "Learn how to use Fleet",
+ "lastModifiedAt": 1631573400000,
+ "htmlId": "docs--0-learn-how-to-use-f--1b80658ae8",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/fleet-ui",
+ "title": "Fleet UI",
+ "lastModifiedAt": 1631640519000,
+ "htmlId": "docs--1-fleet-ui--ed954948be",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/teams",
+ "title": "Teams",
+ "lastModifiedAt": 1629395421000,
+ "htmlId": "docs--10-teams--782f2af710",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/usage-statistics",
+ "title": "Usage statistics",
+ "lastModifiedAt": 1624989594000,
+ "htmlId": "docs--11-usage-statistics--3ed9f3101b",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/supported-browsers",
+ "title": "Supported browsers",
+ "lastModifiedAt": 1630452786000,
+ "htmlId": "docs--12-supported-browser--6f8b591603",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/vulnerability-processing",
+ "title": "Vulnerability processing",
+ "lastModifiedAt": 1629761820000,
+ "htmlId": "docs--13-vulnerability-pro--edb754352c",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/fleetctl-cli",
+ "title": "Fleetctl CLI",
+ "lastModifiedAt": 1631040955000,
+ "htmlId": "docs--2-fleetctl-cli--b4a4f6b08c",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/rest-api",
+ "title": "REST API",
+ "lastModifiedAt": 1631555916000,
+ "htmlId": "docs--3-rest-api--0370e3eaff",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/adding-hosts",
+ "title": "Adding hosts",
+ "lastModifiedAt": 1625588060000,
+ "htmlId": "docs--4-adding-hosts--f25bc11364",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/osquery-logs",
+ "title": "Osquery logs",
+ "lastModifiedAt": 1624631015000,
+ "htmlId": "docs--5-osquery-logs--b2e649cc1f",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/monitoring-fleet",
+ "title": "Monitoring Fleet",
+ "lastModifiedAt": 1630357234000,
+ "htmlId": "docs--6-monitoring-fleet--b1fa6e4a69",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/security-best-practices",
+ "title": "Security best practices",
+ "lastModifiedAt": 1624893322000,
+ "htmlId": "docs--7-security-best-prac--ad931bb00b",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/updating-fleet",
+ "title": "Updating Fleet",
+ "lastModifiedAt": 1630641746000,
+ "htmlId": "docs--8-updating-fleet--1887128e93",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/permissions",
+ "title": "Permissions",
+ "lastModifiedAt": 1630415095000,
+ "htmlId": "docs--9-permissions--905e9c08da",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/faq",
+ "title": "FAQ",
+ "lastModifiedAt": 1627511403000,
+ "htmlId": "docs--faq--f96c7228ae",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet",
+ "title": "Using Fleet",
+ "lastModifiedAt": 1626938622000,
+ "htmlId": "docs--readme--b097d08746",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying/installation",
+ "title": "Installation",
+ "lastModifiedAt": 1625173055000,
+ "htmlId": "docs--1-installation--fe7d4e2e74",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying/example-deployment-scenarios",
+ "title": "Example deployment scenarios",
+ "lastModifiedAt": 1625588060000,
+ "htmlId": "docs--3-example-deployment--b850738ae0",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying/configuration",
+ "title": "Configuration",
+ "lastModifiedAt": 1631134512000,
+ "htmlId": "docs--2-configuration--a242085fa7",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying/fleetctl-agent-updates",
+ "title": "Fleetctl agent updates",
+ "lastModifiedAt": 1631165652000,
+ "htmlId": "docs--4-fleetctl-agent-upd--f6d6a601d4",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying/faq",
+ "title": "FAQ",
+ "lastModifiedAt": 1627511403000,
+ "htmlId": "docs--faq--7abb678d36",
+ "meta": {}
+ },
+ {
+ "url": "/docs/deploying",
+ "title": "Deploying",
+ "lastModifiedAt": 1624893322000,
+ "htmlId": "docs--readme--a0a26f55e2",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/building-fleet",
+ "title": "Building Fleet",
+ "lastModifiedAt": 1629140343000,
+ "htmlId": "docs--1-building-fleet--a0d05ce171",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/testing",
+ "title": "Testing",
+ "lastModifiedAt": 1630685123000,
+ "htmlId": "docs--2-testing--20bd58879c",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/migrations",
+ "title": "Migrations",
+ "lastModifiedAt": 1629743194000,
+ "htmlId": "docs--3-migrations--ee672f0676",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/committing-changes",
+ "title": "Committing changes",
+ "lastModifiedAt": 1629140343000,
+ "htmlId": "docs--4-committing-changes--62d8075df1",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/releasing-fleet",
+ "title": "Releasing Fleet",
+ "lastModifiedAt": 1629929664000,
+ "htmlId": "docs--5-releasing-fleet--2b2a696ea0",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing/faq",
+ "title": "FAQ",
+ "lastModifiedAt": 1624893322000,
+ "htmlId": "docs--faq--92e0006bf2",
+ "meta": {}
+ },
+ {
+ "url": "/docs/contributing",
+ "title": "Contributing",
+ "lastModifiedAt": 1624893322000,
+ "htmlId": "docs--readme--d5e4f68946",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/configuration-files",
+ "title": "Configuration files",
+ "lastModifiedAt": 1631296113000,
+ "htmlId": "docs--readme--7908cef8a3",
+ "meta": {}
+ },
+ {
+ "url": "/docs/using-fleet/standard-query-library",
+ "title": "Standard query library",
+ "lastModifiedAt": 1624049901000,
+ "htmlId": "docs--readme--d3c7d96146",
+ "meta": {}
+ }
+ ],
+ "queries": [
+ {
+ "name": "Count Apple applications installed",
+ "platforms": "macOS",
+ "description": "Count the number of Apple applications installed on the machine.",
+ "query": "SELECT COUNT(*) FROM apps WHERE bundle_identifier LIKE 'com.apple.%';",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Mike Thomas",
+ "handle": "mike-j-thomas",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
+ "htmlUrl": "https://github.com/mike-j-thomas"
+ },
+ {
+ "name": null,
+ "handle": "noahtalerman",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
+ "htmlUrl": "https://github.com/noahtalerman"
+ },
+ {
+ "name": "Mike McNeil",
+ "handle": "mikermcneil",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/618009?v=4",
+ "htmlUrl": "https://github.com/mikermcneil"
+ }
+ ],
+ "slug": "count-apple-applications-installed",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect Linux hosts with high severity vulnerable versions of OpenSSL",
+ "platforms": "Linux",
+ "description": "Retrieves the OpenSSL version.",
+ "query": "SELECT name AS name, version AS version, 'deb_packages' AS source FROM deb_packages WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'apt_sources' AS source FROM apt_sources WHERE name LIKE 'openssl%' UNION SELECT name AS name, version AS version, 'rpm_packages' AS source FROM rpm_packages WHERE name LIKE 'openssl%';",
+ "purpose": "Detection",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "detect-linux-hosts-with-high-severity-vulnerable-versions-of-open-ssl",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect machines with Gatekeeper disabled",
+ "platforms": "macOS",
+ "description": "Gatekeeper tries to ensure only trusted software is run on a mac machine.",
+ "query": "SELECT * FROM gatekeeper WHERE assessments_enabled = 0;",
+ "purpose": "Detection",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "detect-machines-with-gatekeeper-disabled",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect presence of authorized SSH keys",
+ "platforms": "macOS, Linux",
+ "description": "Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.",
+ "query": "SELECT username, authorized_keys. * FROM users CROSS JOIN authorized_keys USING (uid);",
+ "purpose": "Detection",
+ "remediation": "Check out the linked table (https://github.com/fleetdm/fleet/blob/32b4d53e7f1428ce43b0f9fa52838cbe7b413eed/handbook/queries/detect-hosts-with-high-severity-vulnerable-versions-of-openssl.md#table-of-vulnerable-openssl-versions) to determine if the installed version is a high severity vulnerability and view the corresponding CVE(s)",
+ "contributors": [
+ {
+ "name": "Mike Thomas",
+ "handle": "mike-j-thomas",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/78363703?v=4",
+ "htmlUrl": "https://github.com/mike-j-thomas"
+ }
+ ],
+ "slug": "detect-presence-of-authorized-ssh-keys"
+ },
+ {
+ "name": "Get authorized keys for Local Accounts",
+ "platforms": "macOS, Linux",
+ "description": "List authorized_keys for each user on the system.",
+ "query": "SELECT * FROM users CROSS JOIN authorized_keys USING (uid);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-authorized-keys-for-local-accounts",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get authorized keys for Domain Joined Accounts",
+ "platforms": "macOS, Linux",
+ "description": "List authorized_keys for each user on the system.",
+ "query": "SELECT * FROM users CROSS JOIN authorized_keys USING(uid) WHERE username IN (SELECT distinct(username) FROM last);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-authorized-keys-for-domain-joined-accounts",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get crashes",
+ "platforms": "macOS",
+ "description": "Retrieve application, system, and mobile app crash logs.",
+ "query": "SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path FROM users CROSS JOIN crashes USING (uid);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-crashes",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed Chrome Extensions",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "List installed Chrome Extensions for all users.",
+ "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-chrome-extensions",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed FreeBSD software",
+ "platforms": "FreeBSD",
+ "description": "Get all software installed on a FreeBSD computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.",
+ "query": "SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Package (pkg)' AS type, 'pkg_packages' AS source FROM pkg_packages;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-free-bsd-software",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get Homebrew Packages",
+ "platforms": "macOS",
+ "description": "Get the installed homebrew package database.",
+ "query": "SELECT * FROM homebrew_packages;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-homebrew-packages",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed Linux software",
+ "platforms": "Linux",
+ "description": "Get all software installed on a Linux computer, including browser plugins and installed packages. Note, this does not included other running processes in the processes table.",
+ "query": "SELECT name AS name, version AS version, 'Package (APT)' AS type, 'apt_sources' AS source FROM apt_sources UNION SELECT name AS name, version AS version, 'Package (deb)' AS type, 'deb_packages' AS source FROM deb_packages UNION SELECT package AS name, version AS version, 'Package (Portage)' AS type, 'portage_packages' AS source FROM portage_packages UNION SELECT name AS name, version AS version, 'Package (RPM)' AS type, 'rpm_packages' AS source FROM rpm_packages UNION SELECT name AS name, '' AS version, 'Package (YUM)' AS type, 'yum_sources' AS source FROM yum_sources UNION SELECT name AS name, version AS version, 'Package (NPM)' AS type, 'npm_packages' AS source FROM npm_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-linux-software",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed macOS software",
+ "platforms": "macOS",
+ "description": "Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.",
+ "query": "SELECT name AS name, bundle_short_version AS version, 'Application (macOS)' AS type, 'apps' AS source FROM apps UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name As name, version AS version, 'Browser plugin (Safari)' AS type, 'safari_extensions' AS source FROM safari_extensions UNION SELECT name AS name, version AS version, 'Package (Homebrew)' AS type, 'homebrew_packages' AS source FROM homebrew_packages;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-mac-os-software",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed Safari extensions",
+ "platforms": "macOS",
+ "description": "Retrieves the list of installed Safari Extensions for all users in the target system.",
+ "query": "SELECT safari_extensions.* FROM users join safari_extensions USING (uid);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-safari-extensions",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get installed Windows software",
+ "platforms": "Windows",
+ "description": "Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note, this does not included other running processes in the processes table.",
+ "query": "SELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages UNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions UNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons UNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages UNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages UNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-installed-windows-software",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get laptops with failing batteries",
+ "platforms": "macOS",
+ "description": null,
+ "query": "SELECT * FROM battery WHERE health != 'Good' AND condition NOT IN ('', 'Normal');",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-laptops-with-failing-batteries",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get macOS disk free space percentage",
+ "platforms": "macOS",
+ "description": "Displays the percentage of free space available on the primary disk partition.",
+ "query": "SELECT (blocks_available * 100 / blocks) AS pct, * FROM mounts WHERE path = '/';",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-mac-os-disk-free-space-percentage",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get mounts",
+ "platforms": "macOS, Linux",
+ "description": "Shows system mounted devices and filesystems (not process specific).",
+ "query": "SELECT device, device_alias, path, type, blocks_size FROM mounts;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-mounts",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get the version of the resident operating system",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Shows system mounted devices and filesystems (not process specific).",
+ "query": "SELECT * FROM os_version;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-the-version-of-the-resident-operating-system",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get platform info",
+ "platforms": "macOS",
+ "description": "Shows information about the host platform",
+ "query": "SELECT vendor, version, date, revision from platform_info;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-platform-info",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get startup items",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Shows applications and binaries set as user/login startup items.",
+ "query": "SELECT * FROM startup_items;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-startup-items",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get system logins and logouts",
+ "platforms": "macOS",
+ "description": "Get a list of system logins and logouts.",
+ "query": "SELECT * FROM last;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-system-logins-and-logouts",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get current users with active shell/console on the system",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Get current users with active shell/console on the system and associated process",
+ "query": "SELECT user,host,time, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid and liu.type='user' and liu.user <> '' ORDER BY time;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-current-users-with-active-shell-console-on-the-system",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get system uptime",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Shows the system uptime.",
+ "query": "SELECT * FROM uptime;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-system-uptime",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get USB devices",
+ "platforms": "macOS, Linux",
+ "description": "Shows all USB devices that are actively plugged into the host system.",
+ "query": "SELECT * FROM usb_devices;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-usb-devices",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get wifi status",
+ "platforms": "macOS",
+ "description": "Shows information about the wifi network that a host is currently connected to.",
+ "query": "SELECT * FROM wifi_status;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-wifi-status",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get Windows machines with unencrypted hard disks",
+ "platforms": "Windows",
+ "description": null,
+ "query": "SELECT * FROM bitlocker_info WHERE protection_status = 0;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-windows-machines-with-unencrypted-hard-disks",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get disk encryption status",
+ "platforms": "macOS, Linux",
+ "description": "Disk encryption status and information.",
+ "query": "SELECT * FROM disk_encryption;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-disk-encryption-status",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect unencrypted SSH keys for local accounts",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)",
+ "query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0;",
+ "purpose": "Detection",
+ "remediation": "First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-unencrypted-ssh-keys-for-local-accounts"
+ },
+ {
+ "name": "Detect unencrypted SSH keys for domain joined accounts",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE. TA0008)",
+ "query": "SELECT uid, username, description, path, encrypted FROM users CROSS JOIN user_ssh_keys using (uid) WHERE encrypted=0 and username in (SELECT distinct(username) FROM last);",
+ "purpose": "Detection",
+ "remediation": "First, make the user aware about the impact of SSH keys. Then rotate the unencrypted keys detected.",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-unencrypted-ssh-keys-for-domain-joined-accounts"
+ },
+ {
+ "name": "Get crontab jobs",
+ "platforms": "macOS, Linux",
+ "description": "Line parsed values from system and user cron/tab.",
+ "query": "SELECT * FROM crontab;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-crontab-jobs",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get suid binaries",
+ "platforms": "macOS, Linux",
+ "description": "suid binaries in common locations.",
+ "query": "SELECT * FROM suid_bin;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Zach Wasserman",
+ "handle": "zwass",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/575602?v=4",
+ "htmlUrl": "https://github.com/zwass"
+ }
+ ],
+ "slug": "get-suid-binaries",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect dynamic linker hijacking on Linux (MITRE. T1574.006)",
+ "platforms": "Linux",
+ "description": "Detect any processes that run with LD_PRELOAD environment variable",
+ "query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='LD_PRELOAD';",
+ "purpose": "Detection",
+ "remediation": "Identify the process/binary detected and confirm with the system's owner.",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-dynamic-linker-hijacking-on-linux-mitre-t-1574-006"
+ },
+ {
+ "name": "Detect dynamic linker hijacking on macOS (MITRE. T1574.006)",
+ "platforms": "macOS",
+ "description": "Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable",
+ "query": "SELECT env.pid, env.key, env.value, p.name,p.path, p.cmdline, p.cwd FROM process_envs env join processes p USING (pid) WHERE key='DYLD_INSERT_LIBRARIES';",
+ "purpose": "Detection",
+ "remediation": "Identify the process/binary detected and confirm with the system's owner.",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-dynamic-linker-hijacking-on-mac-os-mitre-t-1574-006"
+ },
+ {
+ "name": "Get etc hosts entries",
+ "platforms": "macOS, Linux",
+ "description": "Line-parsed /etc/hosts",
+ "query": "SELECT * FROM etc_hosts WHERE address not in ('127.0.0.1', '::1');",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-etc-hosts-entries",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get network interfaces",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Network interfaces MAC address",
+ "query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface) WHERE address not in ('127.0.0.1', '::1');",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-network-interfaces",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get local user accounts",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Local user accounts (including domain accounts that have logged on locally (Windows)).",
+ "query": "SELECT uid, gid, username, description,directory, shell FROM users;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-local-user-accounts",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect active user accounts on servers",
+ "platforms": "Linux",
+ "description": "Domain Joined environment normally have root or other service account only and users are SSH-ing using their Domain Accounts.",
+ "query": "SELECT * FROM shadow WHERE password_status='active' and username!='root';",
+ "purpose": "Detection",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-active-user-accounts-on-servers",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect Nmap scanner",
+ "platforms": "macOS, Linux, Windows, FreeBSD",
+ "description": "Detect Nmap scanner process, identify the user, parent, process details.",
+ "query": "SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';",
+ "purpose": "Detection",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "detect-nmap-scanner",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get docker images on a system",
+ "platforms": "macOS, Linux",
+ "description": "Docker images information, can be used on normal system or a kubenode.",
+ "query": "SELECT * FROM docker_images;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-docker-images-on-a-system",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get docker running containers on a system",
+ "platforms": "macOS, Linux",
+ "description": "Docker containers information, can be used on normal system or a kubenode.",
+ "query": "SELECT * FROM docker_containers;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-docker-running-containers-on-a-system",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get docker running process on a system",
+ "platforms": "macOS, Linux",
+ "description": "Docker containers Processes, can be used on normal system or a kubenode.",
+ "query": "SELECT c.id, c.name, c.image, c.image_id, c.command, c.created, c.state, c.status, p.cmdline FROM docker_containers c CROSS JOIN docker_container_processes p using(id);",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": "Ahmed Elshaer",
+ "handle": "anelshaer",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/4087461?v=4",
+ "htmlUrl": "https://github.com/anelshaer"
+ }
+ ],
+ "slug": "get-docker-running-process-on-a-system",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Detect Windows print spooler remote code execution vulnerability",
+ "platforms": "Windows",
+ "description": "Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.",
+ "query": "SELECT CASE cnt WHEN 2 THEN \"TRUE\" ELSE \"FALSE\" END \"Vulnerable\" FROM (SELECT name start_type, COUNT(name) AS cnt FROM services WHERE name = 'NTDS' or (name = 'Spooler' and start_type <> 'DISABLED')) WHERE cnt = 2;",
+ "purpose": "Detection",
+ "contributors": [
+ {
+ "name": null,
+ "handle": "maravedi",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/9169890?v=4",
+ "htmlUrl": "https://github.com/maravedi"
+ }
+ ],
+ "slug": "detect-windows-print-spooler-remote-code-execution-vulnerability",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Get local users and their privileges",
+ "platforms": "macOS, Linux, Windows",
+ "description": "Collects the local user accounts and their respective user group.",
+ "query": "SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;",
+ "purpose": "Informational",
+ "contributors": [
+ {
+ "name": null,
+ "handle": "noahtalerman",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/47070608?v=4",
+ "htmlUrl": "https://github.com/noahtalerman"
+ }
+ ],
+ "slug": "get-local-users-and-their-privileges",
+ "remediation": "N/A"
+ },
+ {
+ "name": "Find deleted files from disk",
+ "platforms": "Linux, macOS, Windows",
+ "description": "Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.",
+ "query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
+ "purpose": "Incident response",
+ "contributors": [
+ {
+ "name": "AndrewB",
+ "handle": "alphabrevity",
+ "avatarUrl": "https://avatars.githubusercontent.com/u/3847973?v=4",
+ "htmlUrl": "https://github.com/alphabrevity"
+ }
+ ],
+ "slug": "find-deleted-files-from-disk",
+ "remediation": "N/A"
+ }
+ ],
+ "queryLibraryYmlRepoPath": "docs/1-Using-Fleet/standard-query-library/standard-query-library.yml",
+ "compiledPagePartialsAppPath": "views/partials/built-from-markdown"
}
}