diff --git a/docs/Using Fleet/Audit-logs.md b/docs/Using Fleet/Audit-logs.md
index f530dedc7b..d8db589946 100644
--- a/docs/Using Fleet/Audit-logs.md
+++ b/docs/Using Fleet/Audit-logs.md
@@ -871,6 +871,7 @@ This activity contains the following fields:
- "host_id": ID of the host.
- "host_display_name": Display name of the host.
- "script_execution_id": Execution ID of the script run.
+- "script_name": Name of the script (empty if it was an anonymous script).
- "async": Whether the script was executed asynchronously.
#### Example
@@ -879,6 +880,7 @@ This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
+ "script_name": "set-timezones.sh",
"script_execution_id": "d6cffa75-b5b5-41ef-9230-15073c8a88cf",
"async": false
}
diff --git a/docs/Using Fleet/Understanding-host-vitals.md b/docs/Using Fleet/Understanding-host-vitals.md
index f51fad9ffd..1bbe7ee8b3 100644
--- a/docs/Using Fleet/Understanding-host-vitals.md
+++ b/docs/Using Fleet/Understanding-host-vitals.md
@@ -8,7 +8,6 @@ Following is a summary of the detail queries hardcoded in Fleet used to populate
- Platforms: darwin
- Query:
-
```sql
SELECT serial_number, cycle_count, health FROM battery;
```
@@ -18,7 +17,6 @@ SELECT serial_number, cycle_count, health FROM battery;
- Platforms: chrome
- Query:
-
```sql
SELECT email FROM users
```
@@ -28,7 +26,6 @@ SELECT email FROM users
- Platforms: darwin
- Query:
-
```sql
SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1
```
@@ -38,7 +35,6 @@ SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = '
- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed
- Query:
-
```sql
SELECT de.encrypted, m.path FROM disk_encryption de JOIN mounts m ON m.device_alias = de.name;
```
@@ -48,7 +44,6 @@ SELECT de.encrypted, m.path FROM disk_encryption de JOIN mounts m ON m.device_al
- Platforms: windows
- Query:
-
```sql
SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;
```
@@ -58,10 +53,10 @@ SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1
- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed, darwin
- Query:
-
```sql
SELECT (blocks_available * 100 / blocks) AS percent_disk_space_available,
- round((blocks_available * blocks_size *10e-10),2) AS gigs_disk_space_available
+ round((blocks_available * blocks_size * 10e-10),2) AS gigs_disk_space_available,
+ round((blocks * blocks_size * 10e-10),2) AS gigs_total_disk_space
FROM mounts WHERE path = '/' LIMIT 1;
```
@@ -70,10 +65,10 @@ FROM mounts WHERE path = '/' LIMIT 1;
- Platforms: windows
- Query:
-
```sql
SELECT ROUND((sum(free_space) * 100 * 10e-10) / (sum(size) * 10e-10)) AS percent_disk_space_available,
- ROUND(sum(free_space) * 10e-10) AS gigs_disk_space_available
+ ROUND(sum(free_space) * 10e-10) AS gigs_disk_space_available,
+ ROUND(sum(size) * 10e-10) AS gigs_total_disk_space
FROM logical_drives WHERE file_system = 'NTFS' LIMIT 1;
```
@@ -82,13 +77,11 @@ FROM logical_drives WHERE file_system = 'NTFS' LIMIT 1;
- Platforms: all
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'google_chrome_profiles';
```
- Query:
-
```sql
SELECT email FROM google_chrome_profiles WHERE NOT ephemeral AND email <> ''
```
@@ -98,13 +91,11 @@ SELECT email FROM google_chrome_profiles WHERE NOT ephemeral AND email <> ''
- Platforms: all
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'kubernetes_info';
```
- Query:
-
```sql
SELECT * from kubernetes_info
```
@@ -114,13 +105,11 @@ SELECT * from kubernetes_info
- Platforms: darwin
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'mdm';
```
- Query:
-
```sql
select enrolled, server_url, installed_from_dep, payload_identifier from mdm;
```
@@ -130,13 +119,11 @@ select enrolled, server_url, installed_from_dep, payload_identifier from mdm;
- Platforms: darwin
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'macos_profiles';
```
- Query:
-
```sql
SELECT display_name, identifier, install_date FROM macos_profiles where type = "Configuration";
```
@@ -146,13 +133,11 @@ SELECT display_name, identifier, install_date FROM macos_profiles where type = "
- Platforms: darwin
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'filevault_prk';
```
- Query:
-
```sql
WITH
de AS (SELECT IFNULL((SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1), 0) as encrypted),
@@ -165,15 +150,13 @@ WITH
- Platforms: darwin
- Discovery query:
-
```sql
SELECT 1 WHERE EXISTS (SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'file_lines') AND NOT EXISTS (SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'filevault_prk');
```
- Query:
-
```sql
-WITH
+WITH
de AS (SELECT IFNULL((SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT "" AND filevault_status = 'on' LIMIT 1), 0) as encrypted),
fl AS (SELECT line FROM file_lines WHERE path = '/var/db/FileVaultPRK.dat')
SELECT encrypted, hex(line) as hex_line FROM de LEFT JOIN fl;
@@ -184,32 +167,35 @@ WITH
- Platforms: windows
- Query:
-
```sql
-SELECT * FROM (
- SELECT "provider_id" AS "key", data as "value" FROM registry
- WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Enrollments\%\ProviderID'
- LIMIT 1
- )
- UNION ALL
- SELECT * FROM (
- SELECT "discovery_service_url" AS "key", data as "value" FROM registry
- WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Enrollments\%\DiscoveryServiceFullURL'
- LIMIT 1
- )
- UNION ALL
- SELECT * FROM (
- SELECT "is_federated" AS "key", data as "value" FROM registry
- WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Enrollments\%\IsFederated'
- LIMIT 1
- )
- UNION ALL
- SELECT * FROM (
- SELECT "installation_type" AS "key", data as "value" FROM registry
- WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType'
- LIMIT 1
- )
- ;
+WITH registry_keys AS (
+ SELECT *
+ FROM registry
+ WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\%%'
+ ),
+ enrollment_info AS (
+ SELECT
+ MAX(CASE WHEN name = 'UPN' THEN data END) AS upn,
+ MAX(CASE WHEN name = 'IsFederated' THEN data END) AS is_federated,
+ MAX(CASE WHEN name = 'DiscoveryServiceFullURL' THEN data END) AS discovery_service_url,
+ MAX(CASE WHEN name = 'ProviderID' THEN data END) AS provider_id
+ FROM registry_keys
+ GROUP BY key
+ ),
+ installation_info AS (
+ SELECT data AS installation_type
+ FROM registry
+ WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType'
+ LIMIT 1
+ )
+ SELECT
+ e.is_federated,
+ e.discovery_service_url,
+ e.provider_id,
+ i.installation_type
+ FROM installation_info i
+ LEFT JOIN enrollment_info e ON e.upn IS NOT NULL
+ LIMIT 1;
```
## munki_info
@@ -217,13 +203,11 @@ SELECT * FROM (
- Platforms: darwin
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'munki_info';
```
- Query:
-
```sql
select version, errors, warnings from munki_info;
```
@@ -233,7 +217,6 @@ select version, errors, warnings from munki_info;
- Platforms: chrome
- Query:
-
```sql
SELECT ipv4 AS address, mac FROM network_interfaces LIMIT 1
```
@@ -243,7 +226,6 @@ SELECT ipv4 AS address, mac FROM network_interfaces LIMIT 1
- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed, darwin
- Query:
-
```sql
SELECT
ia.address,
@@ -282,7 +264,6 @@ LIMIT 1;
- Platforms: windows
- Query:
-
```sql
SELECT
ia.address,
@@ -321,13 +302,11 @@ LIMIT 1;
- Platforms: all
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'orbit_info';
```
- Query:
-
```sql
SELECT version FROM orbit_info
```
@@ -337,7 +316,6 @@ SELECT version FROM orbit_info
- Platforms: chrome
- Query:
-
```sql
SELECT
os.name,
@@ -358,13 +336,13 @@ SELECT
- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed, darwin
- Query:
-
```sql
SELECT
os.name,
os.major,
os.minor,
os.patch,
+ os.extra,
os.build,
os.arch,
os.platform,
@@ -380,7 +358,6 @@ SELECT
- Platforms: all
- Query:
-
```sql
SELECT * FROM os_version LIMIT 1
```
@@ -390,13 +367,13 @@ SELECT * FROM os_version LIMIT 1
- Platforms: windows
- Query:
-
```sql
-SELECT
- os.name,
- os.version
- FROM
- os_version os
+SELECT os.name, r.data as display_version, k.version
+ FROM
+ registry r,
+ os_version os,
+ kernel_info k
+ WHERE r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
```
## os_windows
@@ -404,17 +381,20 @@ SELECT
- Platforms: windows
- Query:
-
```sql
SELECT
os.name,
os.platform,
os.arch,
k.version as kernel_version,
- os.version
+ os.version,
+ r.data as display_version
FROM
os_version os,
- kernel_info k
+ kernel_info k,
+ registry r
+ WHERE
+ r.path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion'
```
## osquery_flags
@@ -422,7 +402,6 @@ SELECT
- Platforms: all
- Query:
-
```sql
select name, value from osquery_flags where name in ("distributed_interval", "config_tls_refresh", "config_refresh", "logger_tls_period")
```
@@ -432,7 +411,6 @@ select name, value from osquery_flags where name in ("distributed_interval", "co
- Platforms: all
- Query:
-
```sql
select * from osquery_info limit 1
```
@@ -442,7 +420,6 @@ select * from osquery_info limit 1
- Platforms: all
- Query:
-
```sql
SELECT *,
(SELECT value from osquery_flags where name = 'pack_delimiter') AS delimiter
@@ -454,11 +431,12 @@ SELECT *,
- Platforms: chrome
- Query:
-
```sql
SELECT
name AS name,
version AS version,
+ identifier AS extension_id,
+ browser_type AS browser,
'Browser plugin (Chrome)' AS type,
'chrome_extensions' AS source,
'' AS vendor,
@@ -471,7 +449,6 @@ FROM chrome_extensions
- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed
- Query:
-
```sql
WITH cached_users AS (WITH cached_groups AS (select * from groups)
SELECT uid, username, type, groupname, shell
@@ -481,6 +458,8 @@ SELECT
name AS name,
version AS version,
'Package (deb)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'deb_packages' AS source,
'' AS release,
'' AS vendor,
@@ -493,6 +472,8 @@ SELECT
package AS name,
version AS version,
'Package (Portage)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'portage_packages' AS source,
'' AS release,
'' AS vendor,
@@ -504,6 +485,8 @@ SELECT
name AS name,
version AS version,
'Package (RPM)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'rpm_packages' AS source,
release AS release,
vendor AS vendor,
@@ -515,6 +498,8 @@ SELECT
name AS name,
version AS version,
'Package (NPM)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'npm_packages' AS source,
'' AS release,
'' AS vendor,
@@ -526,6 +511,8 @@ SELECT
name AS name,
version AS version,
'Browser plugin (Chrome)' AS type,
+ identifier AS extension_id,
+ browser_type AS browser,
'chrome_extensions' AS source,
'' AS release,
'' AS vendor,
@@ -537,6 +524,8 @@ SELECT
name AS name,
version AS version,
'Browser plugin (Firefox)' AS type,
+ identifier AS extension_id,
+ 'firefox' AS browser,
'firefox_addons' AS source,
'' AS release,
'' AS vendor,
@@ -548,6 +537,8 @@ SELECT
name AS name,
version AS version,
'Package (Python)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'python_packages' AS source,
'' AS release,
'' AS vendor,
@@ -561,7 +552,6 @@ FROM python_packages;
- Platforms: darwin
- Query:
-
```sql
WITH cached_users AS (WITH cached_groups AS (select * from groups)
SELECT uid, username, type, groupname, shell
@@ -572,6 +562,8 @@ SELECT
COALESCE(NULLIF(bundle_short_version, ''), bundle_version) AS version,
'Application (macOS)' AS type,
bundle_identifier AS bundle_identifier,
+ '' AS extension_id,
+ '' AS browser,
'apps' AS source,
last_opened_time AS last_opened_at,
path AS installed_path
@@ -582,6 +574,8 @@ SELECT
version AS version,
'Package (Python)' AS type,
'' AS bundle_identifier,
+ '' AS extension_id,
+ '' AS browser,
'python_packages' AS source,
0 AS last_opened_at,
path AS installed_path
@@ -592,6 +586,8 @@ SELECT
version AS version,
'Browser plugin (Chrome)' AS type,
'' AS bundle_identifier,
+ identifier AS extension_id,
+ browser_type AS browser,
'chrome_extensions' AS source,
0 AS last_opened_at,
path AS installed_path
@@ -602,6 +598,8 @@ SELECT
version AS version,
'Browser plugin (Firefox)' AS type,
'' AS bundle_identifier,
+ identifier AS extension_id,
+ 'firefox' AS browser,
'firefox_addons' AS source,
0 AS last_opened_at,
path AS installed_path
@@ -612,6 +610,8 @@ SELECT
version AS version,
'Browser plugin (Safari)' AS type,
'' AS bundle_identifier,
+ '' AS extension_id,
+ '' AS browser,
'safari_extensions' AS source,
0 AS last_opened_at,
path AS installed_path
@@ -622,6 +622,8 @@ SELECT
version AS version,
'Package (Homebrew)' AS type,
'' AS bundle_identifier,
+ '' AS extension_id,
+ '' AS browser,
'homebrew_packages' AS source,
0 AS last_opened_at,
path AS installed_path
@@ -633,7 +635,6 @@ FROM homebrew_packages;
- Platforms: windows
- Query:
-
```sql
WITH cached_users AS (WITH cached_groups AS (select * from groups)
SELECT uid, username, type, groupname, shell
@@ -643,6 +644,8 @@ SELECT
name AS name,
version AS version,
'Program (Windows)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'programs' AS source,
publisher AS vendor,
install_location AS installed_path
@@ -652,6 +655,8 @@ SELECT
name AS name,
version AS version,
'Package (Python)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'python_packages' AS source,
'' AS vendor,
path AS installed_path
@@ -661,6 +666,8 @@ SELECT
name AS name,
version AS version,
'Browser plugin (IE)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'ie_extensions' AS source,
'' AS vendor,
path AS installed_path
@@ -670,6 +677,8 @@ SELECT
name AS name,
version AS version,
'Browser plugin (Chrome)' AS type,
+ identifier AS extension_id,
+ browser_type AS browser,
'chrome_extensions' AS source,
'' AS vendor,
path AS installed_path
@@ -679,6 +688,8 @@ SELECT
name AS name,
version AS version,
'Browser plugin (Firefox)' AS type,
+ identifier AS extension_id,
+ 'firefox' AS browser,
'firefox_addons' AS source,
'' AS vendor,
path AS installed_path
@@ -688,6 +699,8 @@ SELECT
name AS name,
version AS version,
'Package (Chocolatey)' AS type,
+ '' AS extension_id,
+ '' AS browser,
'chocolatey_packages' AS source,
'' AS vendor,
path AS installed_path
@@ -699,7 +712,6 @@ FROM chocolatey_packages
- Platforms: all
- Query:
-
```sql
select * from system_info limit 1
```
@@ -709,7 +721,6 @@ select * from system_info limit 1
- Platforms: all
- Query:
-
```sql
select * from uptime limit 1
```
@@ -719,7 +730,6 @@ select * from uptime limit 1
- Platforms: linux, darwin, windows
- Query:
-
```sql
WITH cached_groups AS (select * from groups)
SELECT uid, username, type, groupname, shell
@@ -732,7 +742,6 @@ WITH cached_groups AS (select * from groups)
- Platforms: chrome
- Query:
-
```sql
SELECT uid, username, email FROM users
```
@@ -742,19 +751,15 @@ SELECT uid, username, email FROM users
- Platforms: windows
- Discovery query:
-
```sql
SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'windows_update_history';
```
- Query:
-
```sql
SELECT date, title FROM windows_update_history WHERE result_code = 'Succeeded'
```
-
-
\ No newline at end of file
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 5cb32e4dbf..c63a1d5528 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -1761,7 +1761,7 @@ func directIngestMDMDeviceIDWindows(ctx context.Context, logger log.Logger, host
return ds.UpdateMDMWindowsEnrollmentsHostUUID(ctx, host.UUID, rows[0]["data"])
}
-// go:generate go run gen_queries_doc.go "../../../docs/Using Fleet/Understanding-host-vitals.md"
+//go:generate go run gen_queries_doc.go "../../../docs/Using Fleet/Understanding-host-vitals.md"
func GetDetailQueries(
ctx context.Context,