mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 16:39:01 +00:00
55df14a23e
For #16784. These tables require joining against `users`: + `chrome_extension_content_scripts` + `chrome_extensions` + `firefox_addons` + `vscode_extensions` + `browser_plugins` + `crashes` + `preferences` + `safari_extensions` + `ssh_configs` + `user_ssh_keys` + `authorized_keys` + `known_hosts` + `shell_history` --------- Co-authored-by: Eric <eashaw@sailsjs.com>
22 lines
541 B
YAML
22 lines
541 B
YAML
name: shell_history
|
|
examples: >-
|
|
```
|
|
|
|
SELECT * FROM users CROSS JOIN shell_history USING (uid);
|
|
|
|
```
|
|
|
|
See command line executions and related timestamps. Useful for threat hunting
|
|
when a device is suspected of being compromised.
|
|
|
|
```
|
|
|
|
SELECT u.username, s.command, s.time FROM users u CROSS JOIN shell_history s USING (uid);
|
|
|
|
```
|
|
columns:
|
|
- name: uid
|
|
|
|
|
|
notes: >-
|
|
- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table)
|