diff --git a/schema/tables/npm_packages.yml b/schema/tables/npm_packages.yml
index 7b2d3df156..63380ee6ef 100644
--- a/schema/tables/npm_packages.yml
+++ b/schema/tables/npm_packages.yml
@@ -6,3 +6,13 @@ columns:
 - name: mount_namespace_id
 platforms:
 - linux
+examples: >-
+ List the author, description and more information about packages made by Fleet. Replace the
+ homepage with any other distributor desired.
+
+ ```
+
+ SELECT author, description, directory, version FROM npm_packages WHERE homepage='https://fleetdm.com';
+
+ ```
+
diff --git a/schema/tables/password_policy.yml b/schema/tables/password_policy.yml
new file mode 100644
index 0000000000..0a4354e775
--- /dev/null
+++ b/schema/tables/password_policy.yml
@@ -0,0 +1,10 @@
+name: password_policy
+examples: >-
+ This policy query will return a 1 if the password policy requires passwords that are 10 characters
+ or longer.
+
+ ```
+
+ SELECT 1 FROM (SELECT cast(lengthtxt as integer(2)) minlength FROM (SELECT SUBSTRING(length, 1, 2) AS lengthtxt FROM (SELECT policy_description, policy_identifier, split(policy_content, '{', 1) AS length FROM password_policy WHERE policy_identifier LIKE '%minLength')) WHERE minlength >= 10);
+
+ ```
diff --git a/schema/tables/pci_devices.yml b/schema/tables/pci_devices.yml
index b67b31bc58..3a63e13469 100644
--- a/schema/tables/pci_devices.yml
+++ b/schema/tables/pci_devices.yml
@@ -21,3 +21,13 @@ columns:
 - name: subsystem_model
 platforms:
 - linux
+examples: >-
+ This table allows you to list PCI devices. With this query, identify devices with a specific model
+ ID. This can be useful when trying to identify systems that use common hardware, for example, when
+ trying to target firmware updates or understand similarities between problematic systems.
+
+ ```
+
+ SELECT driver, model, vendor, vendor_id FROM pci_devices WHERE model_id='0x1001';
+
+ ```
\ No newline at end of file
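Review bot: The prose calls the result "packages made by Fleet", but `homepage` is a self-declared package.json field, so `WHERE homepage='https://fleetdm.com'` returns packages that claim that homepage, not packages whose publisher has been verified; a fork or look-alike package can carry the same value. I would reword the first sentence to `List the author, description and more information about packages that declare Fleet's homepage.` and add a sentence noting that author and homepage metadata are not proof of origin. Exact string equality also misses trivial variants such as a trailing slash; whether to widen it to something like `homepage IN ('https://fleetdm.com', 'https://fleetdm.com/')` depends on how consistently the field is populated, which the hunk does not show. The remaining npm_packages column definitions lie outside the hunk.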
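Review bot: The password_policy example nests three subqueries, aliases a column as `length` (the name of a builtin function) and truncates the value with `SUBSTRING(length, 1, 2)` before casting, which is hard to verify and silently assumes the number never exceeds two digits; it also selects `policy_description` and `policy_identifier` in the innermost query without using them. If this runs on osquery's SQLite engine, `CAST(... AS INTEGER)` already takes the leading numeric prefix of a string such as `10,}+'` and yields 0 when there is none, so the substring layer and the extra nesting can go while the `>= 10` check and the no-row result for a missing minLength policy stay fail-closed. The `integer(2)` type name is accepted only because it contains `INT`; the precision suffix has no effect and should be dropped. The rewrite below keeps the original assumption that the digits immediately follow the first `{` in `policy_content`.
```sql
WITH min_length AS (
  -- keeps the original assumption that the digits follow the first '{' in policy_content
  SELECT CAST(split(policy_content, '{', 1) AS INTEGER) AS min_length
  FROM password_policy
  WHERE policy_identifier LIKE '%minLength'
)
SELECT 1 FROM min_length WHERE min_length >= 10;
```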
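Review bot: The pci_devices example filters on `model_id` alone, but PCI device (model) IDs are only unique within a vendor, so `WHERE model_id='0x1001'` can match unrelated hardware from different vendors; the query even selects `vendor_id` without constraining it. I would filter on both, `WHERE vendor_id='<vendor id>' AND model_id='0x1001';`, and change the prose to "identify devices with a specific vendor and model ID". Both columns are compared as strings, so the `0x` prefix and hex case must match what the table emits exactly; if the table normalizes the format, a sentence saying so would save readers a silent empty result. The remaining pci_devices column definitions lie outside the hunk.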
diff --git a/schema/tables/process_open_sockets.yml b/schema/tables/process_open_sockets.yml
index a3486c82ab..508df55c5a 100644
--- a/schema/tables/process_open_sockets.yml
+++ b/schema/tables/process_open_sockets.yml
@@ -8,3 +8,13 @@ columns:
 - name: net_namespace
 platforms:
 - linux
+examples: >-
+ This table allows you to see network activity by process. With this query, list all connections
+ made to or from a process, excluding connections to localhost and
+ [RFC1918](https://en.wikipedia.org/wiki/Private_network) IP addresses.
+
+ ```
+
+ SELECT pos.local_port, pos.remote_port, pos.remote_address, p.pid, p.path FROM process_open_sockets pos JOIN processes p ON pos.pid = p.pid WHERE remote_address NOT LIKE '192.168%' AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '172.16.%' AND remote_address NOT LIKE '127.%' AND remote_address!='0.0.0.0' AND remote_address NOT LIKE 'fe80%' AND remote_port!='0';
+
+ ```
\ No newline at end of file
diff --git a/schema/tables/smbios_tables.yml b/schema/tables/smbios_tables.yml
new file mode 100644
index 0000000000..d273f0bdad
--- /dev/null
+++ b/schema/tables/smbios_tables.yml
@@ -0,0 +1,11 @@
+name: smbios_tables
+notes: This table requires an Intel compatible system.
+examples: >-
+ SMBIOS tables are used to deliver information from the BIOS to the operating system. Use the *md5*
+ field to compare systems and see if their hardware is configured identically.
+
+ ```
+
+ SELECT * FROM smbios_tables WHERE md5='dd66d84ec724d35db011883052973eae'
+
+ ```
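Review bot: The RFC1918 exclusion in the process_open_sockets example is incomplete: `remote_address NOT LIKE '172.16.%'` removes only 172.16.0.0/16, while the private block is 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), so connections to 172.17–172.31 are reported as external, contradicting the prose. If this targets osquery's SQLite, the second octet can be checked numerically by replacing that predicate with `AND NOT (remote_address LIKE '172.%' AND CAST(substr(remote_address, 5, instr(substr(remote_address, 5), '.') - 1) AS INTEGER) BETWEEN 16 AND 31)`. The localhost exclusion covers only IPv4 (`127.%`), so `::1` is still listed; either add `AND remote_address != '::1'` or say in the description that IPv6 loopback is not excluded. `remote_port!='0'` compares what is an integer column in osquery against a text literal; `remote_port != 0` states the intent and avoids relying on affinity conversion.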
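Review bot: The smbios_tables example uses `SELECT *` and, unlike every other example in this change, omits the terminating semicolon; naming the columns the reader is expected to compare and ending with `;` would match the rest of the file set. The hash in the example is a sample value that only makes sense on the host it was taken from, so the prose should tell the reader to first run the query without the `WHERE` clause on a reference system and then use the `md5` values it returns; otherwise the example as written returns nothing almost everywhere. Since the table appears to hold one row per SMBIOS structure, a match identifies a single structure with identical content rather than an identical system, which the sentence "see if their hardware is configured identically" slightly overstates; worth a qualifying clause.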