diff --git a/changes/issue-7816-update-fleet-copy-of-osquery-tables b/changes/issue-7816-update-fleet-copy-of-osquery-tables
new file mode 100644
index 0000000000..024376209b
--- /dev/null
+++ b/changes/issue-7816-update-fleet-copy-of-osquery-tables
@@ -0,0 +1 @@
+* Add es_process_file_events, password_policy and windows_update_history to osquery tables
diff --git a/frontend/osquery_tables.json b/frontend/osquery_tables.json
index 24f1a1ed6f..7957875e4f 100644
--- a/frontend/osquery_tables.json
+++ b/frontend/osquery_tables.json
@@ -7555,6 +7555,104 @@
 }
 ]
 },
+ {
+ "name": "es_process_file_events",
+ "description": "Process execution events from EndpointSecurity.",
+ "url": "https://github.com/osquery/osquery/blob/master/specs/darwin/es_process_file_events.table",
+ "platforms": ["darwin"],
+ "evented": true,
+ "cacheable": false,
+ "columns": [
+ {
+ "name": "version",
+ "description": "Version of EndpointSecurity event",
+ "type": "integer",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "seq_num",
+ "description": "Per event sequence number",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "global_seq_num",
+ "description": "Global sequence number",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "pid",
+ "description": "Process (or thread) ID",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "path",
+ "description": "Path of executed file",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "parent",
+ "description": "Parent process ID",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "dest_filename",
+ "description": "Destination filename for the event",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "event_type",
+ "description": "Type of EndpointSecurity event",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "time",
+ "description": "Time of execution in UNIX time",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "event_type",
+ "description": "Type of EndpointSecurity event",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "eid",
+ "description": "Event ID",
+ "type": "text",
+ "hidden": true,
+ "required": false,
+ "index": false
+ }
+ ]
+ },
 {
 "name": "etc_hosts",
 "description": "Line-parsed /etc/hosts.",
@@ -14441,6 +14539,48 @@
 }
 ]
 },
+ {
+ "name": "password_policy",
+ "description": "Password Policies for macOS.",
+ "url": "https://github.com/osquery/osquery/blob/master/specs/darwin/password_policy.table",
+ "platforms": ["darwin"],
+ "evented": false,
+ "cacheable": false,
+ "columns": [
+ {
+ "name": "uid",
+ "description": "User ID for the policy if available",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "policy_identifier",
+ "description": "Policy Identifier",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "policy_content",
+ "description": "Policy content",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "policy_description",
+ "description": "Policy description",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ }
+ ]
+ },
 {
 "name": "patches",
 "description": "Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).",
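Review bot: The `columns` array of `es_process_file_events` lists `event_type` twice, once after `dest_filename` and again after `time`, with identical fields; the second entry should be removed so consumers that key columns by name do not render or collapse a duplicate. The table description, `"Process execution events from EndpointSecurity."`, reads as if carried over from a process-events table, and there is a `dest_filename` column but no source-filename column, so the repeated slot may have been meant for a different column. Both are worth checking against the spec linked in `url` before merge, since analysts write file-activity detections from this schema.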
@@ -21805,6 +21945,112 @@
 }
 ]
 },
+ {
+ "name": "windows_update_history",
+ "description": "Provides the history of the windows update events.",
+ "url": "https://github.com/osquery/osquery/blob/master/specs/windows/windows_update_history.table",
+ "platforms": ["windows"],
+ "evented": false,
+ "cacheable": false,
+ "columns": [
+ {
+ "name": "client_app_id",
+ "description": "Identifier of the client application that processed an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "date",
+ "description": "Date and the time an update was applied",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "description",
+ "description": "Description of an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "hresult",
+ "description": "HRESULT value that is returned from the operation on an update",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "operation",
+ "description": "Operation on an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "result_code",
+ "description": "Result of an operation on an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "server_selection",
+ "description": "Value that indicates which server provided an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "service_id",
+ "description": "Service identifier of an update service that is not a Windows update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "support_url",
+ "description": "Hyperlink to the language-specific support information for an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "title",
+ "description": "Title of an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "update_id",
+ "description": "Revision-independent identifier of an update",
+ "type": "text",
+ "hidden": false,
+ "required": false,
+ "index": false
+ },
+ {
+ "name": "update_revision",
+ "description": "Revision number of an update",
+ "type": "bigint",
+ "hidden": false,
+ "required": false,
+ "index": false
+ }
+ ]
+ },
 {
 "name": "wmi_bios_info",
 "description": "Lists important information from the system bios.",
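Review bot: The `date` column in `windows_update_history` is typed `bigint` but its description gives no unit or epoch, whereas `time` in `es_process_file_events` in this same commit says "in UNIX time". If the value is a UNIX timestamp, as the type suggests, the description could read `"Date and the time an update was applied, in UNIX time"` so patch-timeline queries do not have to guess at the format. Similarly, `hresult` is a `bigint` that presumably holds the numeric HRESULT, so a short hint about its representation would help anyone matching it against the hex error codes they usually see.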