From 4af331ac40552723c5cd3adddb35dcabf39f24bb Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Wed, 9 Nov 2022 15:01:04 -0500
Subject: [PATCH] Adding a query for default handlers (#7924)
* Adding a query
* Update standard-query-library.yml Thanks @brunerd and @brockwalters!
* Update standard-query-library.yml
Co-authored-by: Mike McNeil
---
 .../standard-query-library.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index cc02a9c858..e3a418b581 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -910,6 +910,18 @@ spec:
 contributors: nabilschear
 ---
 apiVersion: v1
+kind: query
+spec:
+ name: Identify the default mail, http and ftp applications
+ platforms: macOS
+ platform: darwin
+ description: Lists the currently enabled applications configured to handle mailto, http and ftp schemes.
+ query: SELECT * FROM app_schemes WHERE (scheme='mailto' OR scheme='http' OR scheme='ftp') AND enabled='1';
+ purpose: Informational
+ tags: compliance, hunting
+ contributors: brunerd
+---
+apiVersion: v1
 kind: policy
 spec:
 name: Firewall enabled, domain profile (Windows)
@@ -1003,3 +1015,4 @@ spec:
 tags: compliance, inventory, built-in
 platform: darwin
 contributors: GuillaumeRoss
+
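Review bot: The scheme filter on the added `query:` line (hunk at -910) matches `http` but not `https`, so a host whose `https` handler differs from its `http` handler would not appear in the results, even though that is where most browser traffic goes. If, as it appears, `app_schemes` returns one row per scheme, adding it is a one-line change: `query: SELECT scheme, handler, enabled, external, protected FROM app_schemes WHERE scheme IN ('mailto', 'http', 'https', 'ftp') AND enabled = 1;`. That form also names the columns instead of `SELECT *` and compares `enabled` as an integer rather than the string `'1'`. The `name:` and `description:` fields would then need to mention https as well.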