Fleet UI: Add es_process_file_events, password_policy, windows_update_history to osquery tables (#7831)

* Add es_process_file_events to osquery tables * Correct change file * Add password_policy and windows_update_history to fleet/frontend/osquery_tables * Update changelog
2026-05-24 09:28:54 +00:00 · 2022-09-20 08:52:53 -04:00 · 2022-09-20 08:52:53 -04:00 · eacc75b585
commit eacc75b585
parent 718b01a4c4
2 changed files with 247 additions and 0 deletions
--- a/changes/issue-7816-update-fleet-copy-of-osquery-tables
+++ b/changes/issue-7816-update-fleet-copy-of-osquery-tables
@ -0,0 +1 @@
+* Add es_process_file_events, password_policy and windows_update_history to osquery tables
--- a/frontend/osquery_tables.json
+++ b/frontend/osquery_tables.json
@ -7555,6 +7555,104 @@
      }
    ]
  },
+  {
+    "name": "es_process_file_events",
+    "description": "Process execution events from EndpointSecurity.",
+    "url": "https://github.com/osquery/osquery/blob/master/specs/darwin/es_process_file_events.table",
+    "platforms": ["darwin"],
+    "evented": true,
+    "cacheable": false,
+    "columns": [
+      {
+        "name": "version",
+        "description": "Version of EndpointSecurity event",
+        "type": "integer",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "seq_num",
+        "description": "Per event sequence number",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "global_seq_num",
+        "description": "Global sequence number",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "pid",
+        "description": "Process (or thread) ID",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "path",
+        "description": "Path of executed file",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "parent",
+        "description": "Parent process ID",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "dest_filename",
+        "description": "Destination filename for the event",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "event_type",
+        "description": "Type of EndpointSecurity event",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "time",
+        "description": "Time of execution in UNIX time",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "event_type",
+        "description": "Type of EndpointSecurity event",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "eid",
+        "description": "Event ID",
+        "type": "text",
+        "hidden": true,
+        "required": false,
+        "index": false
+      }
+    ]
+  },
  {
    "name": "etc_hosts",
    "description": "Line-parsed /etc/hosts.",
@ -14441,6 +14539,48 @@
      }
    ]
  },
+  {
+    "name": "password_policy",
+    "description": "Password Policies for macOS.",
+    "url": "https://github.com/osquery/osquery/blob/master/specs/darwin/password_policy.table",
+    "platforms": ["darwin"],
+    "evented": false,
+    "cacheable": false,
+    "columns": [
+      {
+        "name": "uid",
+        "description": "User ID for the policy if available",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "policy_identifier",
+        "description": "Policy Identifier",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "policy_content",
+        "description": "Policy content",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "policy_description",
+        "description": "Policy description",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      }
+    ]
+  },
  {
    "name": "patches",
    "description": "Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).",
@ -21805,6 +21945,112 @@
      }
    ]
  },
+  {
+    "name": "windows_update_history",
+    "description": "Provides the history of the windows update events.",
+    "url": "https://github.com/osquery/osquery/blob/master/specs/windows/windows_update_history.table",
+    "platforms": ["windows"],
+    "evented": false,
+    "cacheable": false,
+    "columns": [
+      {
+        "name": "client_app_id",
+        "description": "Identifier of the client application that processed an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "date",
+        "description": "Date and the time an update was applied",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "description",
+        "description": "Description of an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "hresult",
+        "description": "HRESULT value that is returned from the operation on an update",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "operation",
+        "description": "Operation on an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "result_code",
+        "description": "Result of an operation on an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "server_selection",
+        "description": "Value that indicates which server provided an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "service_id",
+        "description": "Service identifier of an update service that is not a Windows update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "support_url",
+        "description": "Hyperlink to the language-specific support information for an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "title",
+        "description": "Title of an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "update_id",
+        "description": "Revision-independent identifier of an update",
+        "type": "text",
+        "hidden": false,
+        "required": false,
+        "index": false
+      },
+      {
+        "name": "update_revision",
+        "description": "Revision number of an update",
+        "type": "bigint",
+        "hidden": false,
+        "required": false,
+        "index": false
+      }
+    ]
+  },
  {
    "name": "wmi_bios_info",
    "description": "Lists important information from the system bios.",
				`@ -0,0 +1 @@`
				`* Add es_process_file_events, password_policy and windows_update_history to osquery tables`