From 5a2ed6f3953f064f9d3542c5f32a05fd5c1d4c00 Mon Sep 17 00:00:00 2001
From: Omereshone Kelvin
Date: Fri, 3 Dec 2021 23:13:41 +0100
Subject: [PATCH] Add 3 queries to the standard query library (#3138)
Queries:
- Get applications hogging memory
- Get Mac and Linux machines with unencrypted primary disks
- Get servers with root login in the last 24 hours
---
 .../standard-query-library.yml | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
index 004b45bc3c..5ebecb75a6 100644
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -522,7 +522,37 @@ kind: query
 spec:
 name: Get running docker containers
 platforms: macOS, Linux
- description: Returns the running Docker containers.
+ description: Returns the running Docker containers
 query: SELECT id, name, image, image_id, state, status FROM docker_containers WHERE state = "running";
 purpose: Informational
 contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get applications hogging memory
+ platforms: macOS, Linux, Windows
+ description: Returns top 10 applications or processes hogging memory the most.
+ query: SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
+ purpose: Informational
+ contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get Mac and Linux machines with unencrypted primary disks
+ platforms: macOS, Linux
+ description:
+ query: SELECT * FROM mounts m, disk_encryption d WHERE m.path= "/" AND m.device = d.name AND d.encrypted = 0;
+ purpose: Informational
+ contributors: DominusKelvin
+---
+apiVersion: v1
+kind: query
+spec:
+ name: Get servers with root login in the last 24 hours
+ platforms: macOS, Linux, Windows
+ description: Returns servers with root login in the last 24 hours and the time the users where logged in.
+ query: SELECT * FROM last WHERE username = "root" AND time > (( SELECT unix_time FROM time ) - 86400 );
+ purpose: Informational
+ contributors: DominusKelvin
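Review bot: The `Get servers with root login in the last 24 hours` query is declared `platforms: macOS, Linux, Windows`, but osquery's `last` table (backed by wtmp) exists only on macOS and Linux, so the query will error on Windows hosts; change that entry to `platforms: macOS, Linux`. The unencrypted-disks query ships with an empty `description:` — suggest `description: Returns Mac and Linux hosts whose root (/) mount is on a device that the disk_encryption table reports as unencrypted.` The root-login description also has a typo, `the users where logged in` should read `the users were logged in`. On the memory query, `total_size` is osquery's total virtual size; if the intent is physical memory pressure, `resident_size` is likely the column to order by (worth confirming against the processes schema), and the `* '10e-7'` string literal relies on SQLite's implicit numeric coercion where `/ 1000000.0` states the bytes-to-MB conversion explicitly.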