From 897fa82ec164842f015da0518ab00bc69469c7af Mon Sep 17 00:00:00 2001
From: Kelvin Oghenerhoro Omereshone
Date: Tue, 4 Jan 2022 22:25:18 +0100
Subject: [PATCH] Feature/add query to get apps opened within the last 24 hours (#3513)

* feat: add query to find running docker containers
* docs: :memo: add query to get Mac and Linux machines with unencrypted primary disks
* feat: add query to find running docker containers
* docs: :memo: add query to get Mac and Linux machines with unencrypted primary disks
* chore: remove queries from develop
* docs: add query to get running docker containers
* docs: add query to get machines with unencrypted primary disks
* fix: remove trailing ---
* fix: remove trailing ---
* chore: remove trailing ---
* docs: add query to get applications hogging memory
* fix: resolve merge conflicts
* chore: update PR
* chore: update PR
* chore: merge previous query
* feat: add query to find servers with root logins within the day
* fix: remove unneeded period
* docs: add instructions for submitting multiple queries
* fix: remove duplicate entry
* fix: remove period from get running docker containers query description
* docs: add instructions for submitting multiple queries
* fix: resolve merge conflicts
* feat: add description for query to fetch failing batteries
* fix: resolve duplicate descriptions
* fix: remove typo in deploying docs
* fix: reword description
* fix: add suggestions to improve description
* feat: add description to query to fetch windows machines with unencrypted hard disks
* feat: update description for count apple applications installed query
* docs: :memo: Add query to get apps opened within the last 24 hours
* feat: add query to find apps not in Applications directory
* feat: add query to find subscription based applications that have not been opened for the last 30 days
---
 .../standard-query-library.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml index 6923dfb7b1..ab682895a1 100644 --- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml +++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml @@ -603,3 +603,33 @@ spec: ); purpose: Detection contributors: zwass,tgauda +--- +apiVersion: v1 +kind: query +spec: + name: Get applications that were opened within the last 24 hours + platforms: macOS + description: Returns applications that were opened within the last 24 hours starting with the last opened application. + query: SELECT * FROM apps WHERE last_opened_time > (( SELECT unix_time FROM time ) - 86400 ) ORDER BY last_opened_time DESC; + purpose: Informational + contributors: DominusKelvin +--- +apiVersion: v1 +kind: query +spec: + name: Get applications that are not in the Applications directory + platforms: macOS + description: Returns applications that are not in the `/Applications` directory + query: SELECT * FROM apps WHERE path NOT LIKE '/Applications/%'; + purpose: Informational + contributors: DominusKelvin +--- +apiVersion: v1 +kind: query +spec: + name: Get subscription-based applications that have not been opened for the last 30 days + platforms: macOS + description: Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case. + query: SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN ("Photoshop.app", "Adobe XD.app", "Sketch.app", "Illustrator.app") AND last_opened_time < (( SELECT unix_time FROM time ) - 2592000000000 ); + purpose: Informational + contributors: DominusKelvin
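Review bot: the 30-day threshold in the last query of this hunk is off by a factor of one million: `2592000000000` should be `2592000` (30 × 86400 seconds), consistent with the `86400` used for 24 hours in the first query. As written, `unix_time - 2592000000000` is a negative number, so no application with a non-negative `last_opened_time` can satisfy `last_opened_time < ...` and the query never returns the stale subscription apps it is meant to find. Suggested replacement for that line: `query: SELECT * FROM apps WHERE path LIKE '/Applications/%' AND name IN ('Photoshop.app', 'Adobe XD.app', 'Sketch.app', 'Illustrator.app') AND last_opened_time < (( SELECT unix_time FROM time ) - 2592000 );`. The single quotes around the app names are also preferable to the double quotes in the hunk: SQLite treats a double-quoted token as an identifier first and only falls back to a string literal when no column of that name exists. Minor style point: the description of the second query (`Returns applications that are not in the `/Applications` directory`) lacks the trailing period the other two descriptions carry.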