Update safari_extensions.yml (#19738)

Update safari_extensions table per #16993
2026-05-23 17:08:53 +00:00 · 2024-06-13 20:47:54 -04:00 · 2024-06-13 20:47:54 -04:00 · 9d453280b5
commit 9d453280b5
parent dd73758ebc
1 changed files with 17 additions and 3 deletions
--- a/schema/tables/safari_extensions.yml
+++ b/schema/tables/safari_extensions.yml
@ -1,11 +1,25 @@
 name: safari_extensions
-description: Installed Safari browser extensions (plugins).
+description: Safari extensions add functionality to Safari.app, the native web browser in macOS. The `safari_extensions` table collects all Safari extensions installed on a Mac.
 columns:
  - name: uid
 examples: |-
+  Collect Safari extensions for all Mac users:
+  
  ```
  SELECT * FROM users CROSS JOIN safari_extensions USING (uid);
  ```
 notes: |-
-  - Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
-  - Includes installed extensions for all system users.
+  Because Safari data is intentionally isolated for each macOS user to maintain privacy, this query requires a `JOIN` operation.
+  
+  Query explanation:
+  
+  - The `safari_extensions` table has a row for each installed extension
+  - Each row has a column with the `uid` of the user who installed the extension
+  - Each `uid` from the `safari_extensions` table is matched in the `users` table to collect Safari extensions in the output data for all user accounts on the Mac by the `JOIN`
+
+  Links:
+
+  - Apple dcoumentaion on Safari Extensions: https://support.apple.com/en-us/102343
+  - CROSS JOIN SQLite tutorial: https://www.sqlitetutorial.net/sqlite-cross-join/
+  - [Fleet documentation on joining against the `users` table](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
+  - Fleet users table: https://fleetdm.com/tables/users