mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 00:49:03 +00:00
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->
**Related issue:** Resolves #35762

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] QA'd all new/changed functionality manually

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
14 lines
1.1 KiB
YAML
name: userassist
columns:
  - name: count
    description: |-
      Number of times the application has been executed.
      _Note that `count` is a reserved word and should be wrapped in quotes when referencing this column in a query._
    type: INTEGER
examples: |-
  The UserAssist feature lets Windows keep track of recently used applications, which makes this table a useful data source during investigations and incident response. The following query converts `last_execution_time` into a human-readable UTC timestamp, joins the `users` table to resolve the user SID to a username, and sorts the results by that timestamp, most recent first. The output lists recently used applications, when each was last run, how many times it has been run, and which user ran it.

  ```
  SELECT userassist.path,
         datetime(userassist.last_execution_time, 'unixepoch') AS timestamp_of_last_exec,
         userassist."count" AS execution_count,
         users.username
  FROM userassist
  JOIN users ON users.uuid = userassist.sid
  ORDER BY timestamp_of_last_exec DESC;
  ```
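As an added example, not part of the Fleet schema file or the project's own query: the same `userassist` columns that the schema's example uses (`path`, `last_execution_time`, `count`, `sid`) and the same `users.uuid` join, narrowed to what an incident responder usually wants first, namely programs launched in the last 30 days from user-writable locations where dropped tooling tends to land. The 30-day window and the three path patterns are illustrative assumptions, not a definitive list, and `count` is quoted as the column description requires.

```sql
-- Added example (not Fleet's own query): recently executed programs that live in
-- user-writable directories, with the account that ran them.
-- Assumptions: userassist exposes path, last_execution_time (unix epoch), count
-- and sid; users.uuid holds the Windows SID; the path patterns below are a
-- starting point for triage, not an exhaustive list of suspicious locations.
SELECT
  users.username,
  userassist.path,
  userassist."count" AS execution_count,        -- count is reserved: quote it
  datetime(userassist.last_execution_time, 'unixepoch') AS last_exec_utc
FROM userassist
JOIN users ON users.uuid = userassist.sid
WHERE userassist.last_execution_time >= CAST(strftime('%s', 'now', '-30 days') AS INTEGER)
  AND (
    userassist.path LIKE '%\Downloads\%'              -- browser/email drops
    OR userassist.path LIKE '%\AppData\Local\Temp\%'  -- staging from installers/scripts
    OR userassist.path LIKE '%\Users\Public\%'        -- world-writable shared folder
  )
ORDER BY userassist.last_execution_time DESC;
```

Ordering on the raw epoch column rather than on the formatted `datetime()` string avoids relying on lexical sort order, and the `CAST` makes the epoch comparison explicit instead of depending on SQLite's type affinity rules. Expect UserAssist paths to sometimes begin with a known-folder GUID rather than a drive letter, so a `LIKE` on the trailing part of the path is more reliable than anchoring on `C:\`.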