Osquery tables list
4/2/2023

It may seem weird at first, but try to think of your operating system as a series of tabular concepts. Each concept becomes a SQL table, like processes, or sockets, the filesystem, a host alias, a running kernel module, etc.

There are several informational things - like OS version, CPU features, memory details, UEFI platform vendor details - that are not tabular but rather a body of details with labeled data. We can represent this type of data as a table with a single row and many columns, or a series of key/value rows.

When you want to inspect a concept, you SELECT the data, and the associated OS APIs are called in real-time. Now consider event streams: each event is a row, like a new USB device connection, or file attribute modification. These are the same concepts with an 'event-like' twist. Concept 'actions' can be represented too: you perform an action and generate tabular data. We do not inspect event-time data in real-time, but rather buffer the events as they occur and represent that buffer as a table! Consider stat-ing a file, hashing a blob of data, parsing JSON, reading a SQLite database, traversing a directory, or requesting a user's list of installed browser plugins. Actions use primary keys as input and generate rows as output, and are best used when JOINing.

The world of osquery is centered around SQL: decorating, scheduling, differentials, eventing, targeting. Everything is SQL, and hopefully as expressive as possible. Continue reading our deployment and development guides for a deep-dive into how SQL can power intrusion detection, incident response, process auditing, file integrity monitoring and more.

The osquery SQL language is a superset of SQLite's. Please read SQL as understood by SQLite for reference. This is a great starting place if coming from MySQL, PostgreSQL, or MSSQL.
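The four kinds of table described above (informational, live concept, action, event), as added example queries that are not part of the original page. Table and column names come from the standard osquery schema and run as-is in osqueryi; the file_events query assumes a file_paths category covering /etc has been configured, since event tables only yield rows once their event publisher is enabled.

```sql
-- Added example (not from the original page): one query per kind of osquery table.

-- 1. Informational data: a body of labeled details, exposed as a single row
--    with many columns.
SELECT name, version, platform, build FROM os_version;

-- 2. A live concept: each SELECT calls the OS APIs at query time.
SELECT pid, name, path, parent FROM processes WHERE uid = 0;

-- 3. Traversing a directory / stat-ing files: the file table requires a
--    path or directory constraint, which is its input.
SELECT path, size, mode, datetime(mtime, 'unixepoch') AS modified_utc
FROM file
WHERE directory = '/etc';

-- 4. An "action" table: hash takes a path as its required input (primary key)
--    and produces a row of digests, so it is most useful when JOINed.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- 5. An event table: rows are buffered as events occur rather than fetched
--    live. Assumes a file_paths category for /etc in osquery.conf.
SELECT target_path, action, datetime(time, 'unixepoch') AS when_utc
FROM file_events
WHERE target_path LIKE '/etc/%'
ORDER BY time DESC
LIMIT 20;
```

Queries 3 and 4 return nothing without their path or directory input, which is the practical meaning of "actions use primary keys as input".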