mirror of
https://github.com/fleetdm/fleet
synced 2026-05-22 16:39:01 +00:00
Closes: #19271
Closes: #19286

Changes:
- Updated the example in the schema folder readme
- Updated the block scalar used in Fleet's osquery override documentation (`>-` » `|-`) and removed extra newlines
- Updated the block scalar used in URLs used to create new yaml override files
- Regenerated osqeury_fleet_schema.json
11 lines
700 B
YAML
name: event_taps
examples: |-
  Identify processes that have a tap into the system, such as access to
  keystrokes, and view details on the executable including signature status,
  team identifier if signed and the authority that emitted the signing
  certificate. This can be used to detect keyloggers and other malicious
  applications.

  ```
  SELECT t.event_tapped, s.identifier, s.signed, s.team_identifier, s.authority FROM event_taps t JOIN processes p ON p.pid = t.tapping_process JOIN signature s on s.path = p.path WHERE s.identifier !='com.apple.ViewBridgeAuxiliary' AND s.identifier !='com.apple.universalaccessd' AND s.identifier !='com.apple.accessibility.AXVisualSupportAgent';
  ```
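To see what the example query above actually reports, here is an added Python harness (not part of the Fleet repository or this commit) that loads constructed rows for the osquery `event_taps`, `processes` and `signature` tables into in-memory SQLite, which shares osquery's SQL dialect, and runs the query reflowed onto several lines. The paths, pids, identifiers and team IDs are made up; only the three excluded Apple identifiers come from the file.

```python
import sqlite3

# The query from event_taps.yml, reflowed for readability (same semantics).
EVENT_TAPS_QUERY = """
SELECT t.event_tapped, s.identifier, s.signed, s.team_identifier, s.authority
FROM event_taps t
JOIN processes p ON p.pid = t.tapping_process
JOIN signature s ON s.path = p.path
WHERE s.identifier != 'com.apple.ViewBridgeAuxiliary'
  AND s.identifier != 'com.apple.universalaccessd'
  AND s.identifier != 'com.apple.accessibility.AXVisualSupportAgent';
"""

# Constructed sample rows; column names follow the osquery table schemas,
# every value below is invented for the demonstration.
SAMPLE_EVENT_TAPS = [  # (event_tapped, tapping_process)
    ("EventKeyDown", 310),
    ("EventKeyDown", 412),
    ("EventKeyDown", 517),
]
SAMPLE_PROCESSES = [  # (pid, path)
    (310, "/System/Library/CoreServices/universalaccessd"),
    (412, "/Users/alice/Library/Application Support/Helper/helper"),
    (517, "/Applications/ExampleHotkeys.app/Contents/MacOS/ExampleHotkeys"),
]
SAMPLE_SIGNATURE = [  # (path, identifier, signed, team_identifier, authority)
    ("/System/Library/CoreServices/universalaccessd",
     "com.apple.universalaccessd", 1, "", "Software Signing"),
    ("/Users/alice/Library/Application Support/Helper/helper",
     "helper", 0, "", ""),
    ("/Applications/ExampleHotkeys.app/Contents/MacOS/ExampleHotkeys",
     "com.example.hotkeys", 1, "EXAMPLETEAM",
     "Developer ID Application: Example Corp (EXAMPLETEAM)"),
]


def run_event_taps_query(event_taps, processes, signature):
    """Load the rows into SQLite and return what the query would report.
    The Apple accessibility daemon is filtered out by identifier; the
    unsigned helper and the third-party signed app are both returned."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event_taps (event_tapped TEXT, tapping_process INTEGER)")
    con.execute("CREATE TABLE processes (pid INTEGER, path TEXT)")
    con.execute("CREATE TABLE signature (path TEXT, identifier TEXT, signed INTEGER,"
                " team_identifier TEXT, authority TEXT)")
    con.executemany("INSERT INTO event_taps VALUES (?, ?)", event_taps)
    con.executemany("INSERT INTO processes VALUES (?, ?)", processes)
    con.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?)", signature)
    rows = con.execute(EVENT_TAPS_QUERY).fetchall()
    con.close()
    return rows
```

The returned rows still need review: the query only drops the three listed Apple identifiers, so the `signed`, `team_identifier` and `authority` columns are what distinguish a legitimate tool from an unsigned tapper.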