Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-15 13:08:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 139
fleet/schema/fleet_schema.json
Eric 9dbf84fb4b
Website: Add pages for schema tables (#7679) 
* add osquery tables page

* update build script, add fleet schema folder

* update layout and page script

* add edit-page button, search, remove test attribute from fleet schema

* update styles

* syntax highlighting, update highlight.js, adjust layout

* lint fixes

* Update view-osquery-tables.js

* requested changes from 1:1

* requested changes

- Rename osquery-tables to osquery-table-details & update routes and policies
- Update wildcard input and tables details route
- Fix lint error
- adjust self-calling functions in page script
- rename function and adjust the order of functions in page script

* add osquery tables to builtStaticContent.markdownPages

* update schema folder readme

* add redirect for /tables

* update table input

* remove comment from stylesheet, update syntax highlighting, use variable names from colors.less

* update inputs in view action

* Updates from PR review

* fix lint error

* update syntax highlighting, table page styles

* Update build-static-content.js

* requested changes from code review

* Update build-static-content.js

* fix build script error

* remove string.replaceAll()

Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
2022-09-23 19:06:55 -05:00

961 lines
19 KiB
JSON
Raw Blame History

[
{
"name": "account_policy_data",
"examples": "Query the creation date of user accounts. You could also query the date of the last failed login attempt or password change.\n```\nSELECT strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationdate FROM account_policy_data\n```"
},
{
"name": "alf",
"examples": "See the state of the Application Layer Firewall on a Mac. A result of 0 means it is disabled, 1 means it is enabled, and 2 means it is enabled and blocking all inbound connections. See our standard query library for an example policy query using this.\n```\nSELECT global_state FROM alf\n```"
},
{
"name": "alf_exceptions",
"examples": "List applications that are able to receive inbound connections across the firewall. This is practically useful when looking to see if vulnerable software is exposed to networks. A state of 0 means ____ and a state of 3 means ____\n```\nSELECT * FROM alf_exceptions\n```"
},
{
"name": "app_schemes",
"examples": "List applications that have registered the URL scheme \"mailto\" to handle email links.\n```\nSELECT * FROM app_schemes WHERE scheme='mailto'\n```"
},
{
"name": "apps",
"examples": "See the last time applications were used. Useful to know if a vulnerable application is being used as well as for licensing purposes.\n```\nSELECT *, strftime('%Y-%m-%d %H:%M:%S',last_opened_time,'unixepoch') as LastUseDate FROM apps WHERE last_opened_time!='-1.0'\n```"
},
{
"name": "arp_cache",
"examples": "List the content of the ARP cache. On systems located in an office or datacenter, you can use this to watch for network attacks by checking for gateway IPs that do not have the expected MAC address.\n```\nSELECT address, interface, mac FROM arp_cache\n```"
},
{
"name": "authorization_mechanisms",
"examples": "Discover privileged macOS authorization mechanisms, which could include third party software. Finding third party software using this means it is likely an important piece of software that should be kept very up to date.\n```\nSELECT * FROM authorization_mechanisms WHERE privileged='true'\n```"
},
{
"name": "authorizations",
"examples": "See macOS authorizations that have been modified since their creation. Useful for threat hunting.\n```\nSELECT * FROM authorizations WHERE created!=modified\n```"
},
{
"name": "etc_hosts",
"examples": "Identify host\"name\"s pointed to IP addresses using the hosts file. This technique is often abused by malware, but can also indicate services that do not have proper DNS configuration to be reached from workstations.\n```\nSELECT * FROM etc_hosts WHERE address!='127.0.0.1' AND address!='::1' AND address!='255.255.255.255'\n```",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "block_devices",
"examples": "Identify USB storage in use\n```\nSELECT * FROM block_devices WHERE type='USB'\n```"
},
{
"name": "certificates",
"examples": "Replace 1QAZ2WSX with your Apple Developer ID, if you have one. This query will then let you identify Macs that have a copy of your code signing and notarization certificates.\n```\nSELECT * FROM certificates WHERE common_\"name\" LIKE '%%1QAZ2SWX%%'\n```",
"columns": [
{
"name": "sid",
"platforms": [
"windows"
]
},
{
"name": "store_location",
"platforms": [
"windows"
]
},
{
"name": "store",
"platforms": [
"windows"
]
},
{
"name": "username",
"platforms": [
"windows"
]
},
{
"name": "store_id",
"platforms": [
"windows"
]
},
{
"name": "issuer2",
"platforms": [
"linux",
"darwin"
]
},
{
"name": "subject2",
"platforms": [
"linux",
"darwin"
]
}
]
},
{
"name": "cpu_time",
"examples": "Identify overworked CPUs using a ratio of system to user CPU usage. Here, a ratio of 2 was arbitrarily chosen.\n```\nSELECT * FROM cpu_time WHERE user/system>2\n```"
},
{
"name": "cups_destinations",
"examples": "Identify the types of printers connected to computers. This query works for both network and local printers.\n```\nSELECT * FROM cups_destinations WHERE option_\"name\"='printer-info'\n```"
},
{
"name": "cups_jobs",
"examples": "See what file format are being printed to what printer. This is useful for identifying systems that print a lot, which can help you ensure they have access to faster printers. Using this table, you could also highlight slow print jobs that might benefit from troubleshooting.\n```\nSELECT destination, format, strftime('%Y-%m-%d %H:%M:%S',creation_time,'unixepoch') AS creationDate FROM cups_jobs \n```"
},
{
"name": "cpuid",
"examples": "Identify Intel powered Macs that support a specific Intel CPU feature, such as sgx1.\n```\nSELECT * from cpuid WHERE feature='sgx1'\n```"
},
{
"name": "device_firmware",
"examples": "Identify the firmware version of hardware on a Mac, such as the SSD controller in this case. Older versions might indicate a problem with software updates, and this information can be useful when troubleshooting various issues.\n```\nSELECT * FROM device_firmware WHERE device='AppleANS3NVMeController'\n```"
},
{
"name": "disk_encryption",
"examples": "A policy query to check if Filevault disk encryption is enabled on a Mac.\n```\nSELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1\n```",
"columns":[
{
"name": "uid",
"platforms": [
"darwin"
]
},
{
"name": "user_uuid",
"platforms": [
"darwin"
]
},
{
"name": "filevault_status",
"platforms": [
"darwin"
]
}
]
},
{
"name": "disk_events",
"examples": "This is an evented table, and as such, is more useful if you are sending osquery logs to a SIEM or other centralized destination via Fleet. Events must be enabled. This query will contain the list of all actions related to connecting and removing disks, including SMB drives and USB storage, which can be very useful for investigative purposes.\n```\nSELECT * FROM disk_events\n```"
},
{
"name": "groups",
"columns": [
{
"name": "group_sid",
"platforms": [
"windows"
]
},
{
"name": "comment",
"platforms": [
"windows"
]
},
{
"name": "is_hidden",
"platforms": [
"darwin"
]
},
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
],
"notes": "* On Windows, `gid` and `gid_signed` are always the same"
},
{
"name": "hash",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "interface_addresses",
"columns": [
{
"name": "friendly_name",
"platforms": [
"windows"
]
}
]
},
{
"name": "interface_details",
"columns": [
{
"name": "link_speed",
"platforms": [
"linux",
"darwin"
]
},
{
"name": "pci_slot",
"platforms": [
"linux"
]
},
{
"name": "friendly_name",
"platforms": [
"windows"
]
},
{
"name": "description",
"platforms": [
"windows"
]
},
{
"name": "manufacturer",
"platforms": [
"windows"
]
},
{
"name": "connection_id",
"platforms": [
"windows"
]
},
{
"name": "connection_status",
"platforms": [
"windows"
]
},
{
"name": "enabled",
"platforms": [
"windows"
]
},
{
"name": "physical_adapter",
"platforms": [
"windows"
]
},
{
"name": "speed",
"platforms": [
"windows"
]
},
{
"name": "service",
"platforms": [
"windows"
]
},
{
"name": "dhcp_enabled",
"platforms": [
"windows"
]
},
{
"name": "dhcp_lease_expires",
"platforms": [
"windows"
]
},
{
"name": "dhcp_lease_obtained",
"platforms": [
"windows"
]
},
{
"name": "dhcp_server",
"platforms": [
"windows"
]
},
{
"name": "dns_domain",
"platforms": [
"windows"
]
},
{
"name": "dns_domain_suffix_search_order",
"platforms": [
"windows"
]
},
{
"name": "dns_host_name",
"platforms": [
"windows"
]
},
{
"name": "dns_server_search_order",
"platforms": [
"windows"
]
}
]
},
{
"name": "apt_sources",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "deb_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "rpm_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "yum_sources",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "listening_ports",
"columns": [
{
"name": "net_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "logged_in_users",
"columns": [
{
"name": "sid",
"platforms": [
"windows"
]
},
{
"name": "registry_hive",
"platforms": [
"windows"
]
}
]
},
{
"name": "npm_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "os_version",
"columns": [
{
"name": "install_date",
"platforms": [
"windows"
]
},
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "authorized_keys",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "crontab",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"windows"
]
}
]
},
{
"name": "dns_resolvers",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "docker_containers",
"columns": [
{
"name": "cgroup_namespace",
"platforms": [
"linux"
]
},
{
"name": "ipc_namespace",
"platforms": [
"linux"
]
},
{
"name": "mnt_namespace",
"platforms": [
"linux"
]
},
{
"name": "net_namespace",
"platforms": [
"linux"
]
},
{
"name": "pid_namespace",
"platforms": [
"linux"
]
},
{
"name": "user_namespace",
"platforms": [
"linux"
]
},
{
"name": "uts_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "pci_devices",
"columns": [
{
"name": "pci_class_id",
"platforms": [
"linux"
]
},
{
"name": "pci_subclass_id",
"platforms": [
"linux"
]
},
{
"name": "pci_subclass",
"platforms": [
"linux"
]
},
{
"name": "subsystem_vendor_id",
"platforms": [
"linux"
]
},
{
"name": "subsystem_vendor",
"platforms": [
"linux"
]
},
{
"name": "subsystem_model_id",
"platforms": [
"linux"
]
},
{
"name": "subsystem_model",
"platforms": [
"linux"
]
}
]
},
{
"name": "process_events",
"columns": [
{
"name": "status",
"platforms": [
"darwin"
]
},
{
"name": "fsuid",
"platforms": [
"linux"
]
},
{
"name": "suid",
"platforms": [
"linux"
]
},
{
"name": "fsgid",
"platforms": [
"linux"
]
},
{
"name": "sgid",
"platforms": [
"linux"
]
},
{
"name": "syscall",
"platforms": [
"linux"
]
}
]
},
{
"name": "suid_bin",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "system_controls",
"columns": [
{
"name": "field_name",
"platforms": [
"darwin"
]
}
]
},
{
"name": "process_open_sockets",
"columns": [
{
"name": "state",
"platforms": [
"windows",
"linux",
"darwin"
]
},
{
"name": "net_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "processes",
"columns": [
{
"name": "elevated_token",
"platforms": [
"windows"
]
},
{
"name": "secure_process",
"platforms": [
"windows"
]
},
{
"name": "protection_type",
"platforms": [
"windows"
]
},
{
"name": "virtual_process",
"platforms": [
"windows"
]
},
{
"name": "elapsed_time",
"platforms": [
"windows"
]
},
{
"name": "handle_count",
"platforms": [
"windows"
]
},
{
"name": "percent_processor_time",
"platforms": [
"windows"
]
},
{
"name": "upid",
"platforms": [
"darwin"
]
},
{
"name": "uppid",
"platforms": [
"darwin"
]
},
{
"name": "cpu_type",
"platforms": [
"darwin"
]
},
{
"name": "cpu_subtype",
"platforms": [
"darwin"
]
},
{
"name": "translated",
"platforms": [
"darwin"
]
}
]
},
{
"name": "python_packages",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "routes",
"columns": [
{
"name": "hopcount",
"platforms": [
"linux",
"darwin"
]
}
]
},
{
"name": "user_ssh_keys",
"columns": [
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "users",
"columns": [
{
"name": "type",
"platforms": [
"windows"
]
},
{
"name": "is_hidden",
"platforms": [
"darwin"
]
},
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
}
]
},
{
"name": "file",
"columns": [
{
"name": "attributes",
"platforms": [
"windows"
]
},
{
"name": "volume_serial",
"platforms": [
"windows"
]
},
{
"name": "file_id",
"platforms": [
"windows"
]
},
{
"name": "file_version",
"platforms": [
"windows"
]
},
{
"name": "product_version",
"platforms": [
"windows"
]
},
{
"name": "original_filename",
"platforms": [
"windows"
]
},
{
"name": "bsd_flags",
"platforms": [
"darwin"
]
},
{
"name": "pid_with_namespace",
"platforms": [
"linux"
]
},
{
"name": "mount_namespace_id",
"platforms": [
"linux"
]
}
]
},
{
"name": "time",
"columns": [
{
"name": "win_timestamp",
"platforms": [
"windows"
]
}
]
},
{
"name": "atom_packages",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "chrome_extension_content_scripts",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "chrome_extensions",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "crashes",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "preferences",
"columns": [
{
"name": "username",
"requires_user_context": true
}
]
},
{
"name": "safari_extensions",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "firefox_addons",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "known_hosts",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "shell_history",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
},
{
"name": "ssh_configs",
"columns": [
{
"name": "uid",
"requires_user_context": true
}
]
}
]
Reference in a new issue View git blame Copy permalink