Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 17:08:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 83

fleetdm.com/tables: Add Fleet override for process_file_events docs (#16503)

Browse source 
- To address the bug, we decided to document the current behavior: The
`process_file_events table` will only emit events for changes and files
in directories that existed before osquery starts.
This commit is contained in:
Noah Talerman 2024-02-02 15:47:23 -05:00 committed by GitHub
parent 669f796d3a
commit 558ef6497f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 146 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

146
schema/tables/process_file_events.yml Normal file
View file

@ -0,0 +1,146 @@
name: process_file_events
description: A File Integrity Monitor implementation using the audit service.
notes: This table will only include events for changes and files in directories that existed before the fleetd agent starts.
columns:
- name: operation
description: Operation type
type: text
notes: ''
hidden: false
required: false
index: false
- name: pid
description: Process ID
type: bigint
notes: ''
hidden: false
required: false
index: false
- name: ppid
description: Parent process ID
type: bigint
notes: ''
hidden: false
required: false
index: false
- name: time
description: Time of execution in UNIX time
type: bigint
notes: ''
hidden: false
required: false
index: false
- name: executable
description: The executable path
type: text
notes: ''
hidden: false
required: false
index: false
- name: partial
description: >-
True if this is a partial event (i.e.: this process existed before we
started osquery)
type: text
notes: ''
hidden: false
required: false
index: false
- name: cwd
description: The current working directory of the process
type: text
notes: ''
hidden: false
required: false
index: false
- name: path
description: The path associated with the event
type: text
notes: ''
hidden: false
required: false
index: false
- name: dest_path
description: The canonical path associated with the event
type: text
notes: ''
hidden: false
required: false
index: false
- name: uid
description: The uid of the process performing the action
type: text
notes: ''
hidden: false
required: false
index: false
- name: gid
description: The gid of the process performing the action
type: text
notes: ''
hidden: false
required: false
index: false
- name: auid
description: Audit user ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: euid
description: Effective user ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: egid
description: Effective group ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: fsuid
description: Filesystem user ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: fsgid
description: Filesystem group ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: suid
description: Saved user ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: sgid
description: Saved group ID of the process using the file
type: text
notes: ''
hidden: false
required: false
index: false
- name: uptime
description: Time of execution in system uptime
type: bigint
notes: ''
hidden: false
required: false
index: false
- name: eid
description: Event ID
type: text
notes: ''
hidden: true
required: false
index: false