Add 3 queries to the standard query library (#3138)

Queries: - Get applications hogging memory - Get Mac and Linux machines with unencrypted primary disks - Get servers with root login in the last 24 hours
2026-05-24 09:28:54 +00:00 · 2021-12-03 23:13:41 +01:00 · 2021-12-03 23:13:41 +01:00 · 5a2ed6f395
commit 5a2ed6f395
parent 9e095abddb
1 changed files with 31 additions and 1 deletions
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@ -522,7 +522,37 @@ kind: query
 spec:
  name: Get running docker containers
  platforms: macOS, Linux
-  description: Returns the running Docker containers.
+  description: Returns the running Docker containers
  query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = "running";
  purpose: Informational
  contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Get applications hogging memory
+  platforms: macOS, Linux, Windows
+  description: Returns top 10 applications or processes hogging memory the most.
+  query: SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
+  purpose: Informational
+  contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Get Mac and Linux machines with unencrypted primary disks
+  platforms: macOS, Linux
+  description:
+  query: SELECT * FROM mounts m, disk_encryption d WHERE m.path= "/" AND m.device = d.name AND d.encrypted = 0;
+  purpose: Informational
+  contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Get servers with root login in the last 24 hours
+  platforms: macOS, Linux, Windows
+  description: Returns servers with root login in the last 24 hours and the time the users where logged in.
+  query: SELECT * FROM last WHERE username = "root" AND time > (( SELECT unix_time FROM time ) - 86400 );
+  purpose: Informational
+  contributors: DominusKelvin