github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

Osquery: Update exported fields reference for osquery 5.10.2 (#171147)

Browse source 
## Summary

Update exported fields reference for osquery 5.10.2.

## Related PR

- Requires https://github.com/elastic/beats/pull/37115
- Requires https://github.com/elastic/integrations/pull/8488
This commit is contained in:
Aleksandr Maus 2023-11-15 10:22:36 -05:00 committed by GitHub
parent 12a09b8aba
commit ab7ebabbb4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 184 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

184
docs/osquery/exported-fields-reference.asciidoc
View file

@ -96,6 +96,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _wifi_networks.added_at_ - Time this network was added as a unix_time
*additional_properties* - keyword, text.text
* _windows_search.additional_properties_ - Comma separated list of columns to include in properties JSON
*address* - keyword, text.text
* _arp_cache.address_ - IPv4 address target
@ -141,6 +145,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _alf.allow_signed_enabled_ - 1 If allow signed mode is enabled else 0
*ambient_brightness_enabled* - keyword, text.text
* _connected_displays.ambient_brightness_enabled_ - The ambient brightness setting associated with the display. This will be 1 if enabled and is 0 if disabled or not supported.
*ami_id* - keyword, text.text
* _ec2_instance_metadata.ami_id_ - AMI ID used to launch this EC2 instance
@ -583,6 +591,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*bundle_version* - keyword, text.text
* _apps.bundle_version_ - Info properties CFBundleVersion label
* _safari_extensions.bundle_version_ - The version of the build that identifies an iteration of the bundle
*busy_state* - keyword, number.long
@ -777,11 +786,16 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _ntdomains.client_site_name_ - The name of the site where the domain controller is configured.
*cloud_id* - keyword, text.text
* _ycloud_instance_metadata.cloud_id_ - Cloud identifier for the VM
*cmdline* - keyword, text.text
* _bpf_process_events.cmdline_ - Command line arguments
* _docker_container_processes.cmdline_ - Complete argv
* _es_process_events.cmdline_ - Command line arguments (argv)
* _process_etw_events.cmdline_ - Command Line
* _process_events.cmdline_ - Command line arguments (argv)
* _processes.cmdline_ - Complete argv
@ -973,6 +987,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _interface_details.connection_status_ - State of the network adapter connection to the network.
*connection_type* - keyword, text.text
* _connected_displays.connection_type_ - The connection type associated with the display.
*consistency_scan_date* - keyword, number.long
* _time_machine_destinations.consistency_scan_date_ - Consistency scan date
@ -1024,6 +1042,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*copyright* - keyword, text.text
* _apps.copyright_ - Info properties NSHumanReadableCopyright label
* _safari_extensions.copyright_ - A human-readable copyright notice for the bundle
*core* - keyword, number.long
@ -1088,6 +1107,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_info.cpu_shares_ - 1 if CPU share weighting support is enabled. 0 otherwise
*cpu_sockets* - keyword, number.long
* _system_info.cpu_sockets_ - Number of processor sockets in the system
*cpu_spec_ctrl_supported* - keyword, number.long
* _kva_speculative_info.cpu_spec_ctrl_supported_ - SPEC_CTRL MSR supported by CPU Microcode.
@ -1236,10 +1259,19 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _platform_info.date_ - Self-reported platform code update date
* _windows_update_history.date_ - Date and the time an update was applied
*date_created* - keyword, number.long
* _windows_search.date_created_ - The unix timestamp of when the item was created.
*date_modified* - keyword, number.long
* _windows_search.date_modified_ - The unix timestamp of when the item was last modified
*datetime* - keyword, text.text
* _crashes.datetime_ - Date/Time at which the crash occurred
* _powershell_events.datetime_ - System time at which the Powershell script event occurred
* _process_etw_events.datetime_ - Event timestamp in DATETIME format
* _syslog_events.datetime_ - Time known to syslog
* _time.datetime_ - Current date and time (ISO format) in UTC
* _windows_crashes.datetime_ - Timestamp (log format) of the crash
@ -1306,6 +1338,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _drivers.description_ - Driver description
* _firefox_addons.description_ - Addon-supplied description string
* _interface_details.description_ - Short description of the object a one-line string.
* _kernel_keys.description_ - The key description.
* _keychain_acls.description_ - The description included with the ACL entry
* _keychain_items.description_ - Optional item description
* _logical_drives.description_ - The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'.
@ -1481,11 +1514,19 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_container_stats.disk_write_ - Total disk write bytes
*display_id* - keyword, text.text
* _connected_displays.display_id_ - The display ID.
*display_name* - keyword, text.text
* _apps.display_name_ - Info properties CFBundleDisplayName label
* _services.display_name_ - Service Display name
*display_type* - keyword, text.text
* _connected_displays.display_type_ - The type of display.
*dns_domain* - keyword, text.text
* _interface_details.dns_domain_ - Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.
@ -1607,6 +1648,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _file_events.eid_ - Event ID
* _hardware_events.eid_ - Event ID
* _ntfs_journal_events.eid_ - Event ID
* _process_etw_events.eid_ - Event ID
* _process_events.eid_ - Event ID
* _process_file_events.eid_ - Event ID
* _selinux_events.eid_ - Event ID
@ -1837,6 +1879,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _bpf_process_events.exit_code_ - Exit code of the system call
* _bpf_socket_events.exit_code_ - Exit code of the system call
* _es_process_events.exit_code_ - Exit code of a process in case of an exit event
* _process_etw_events.exit_code_ - Exit Code - Present only on ProcessStop events
*expand* - keyword, number.long
@ -1854,6 +1897,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _curl_certificate.extended_key_usage_ - Extended usage of key in certificate
*extension_type* - keyword, text.text
* _safari_extensions.extension_type_ - Extension Type: WebOrAppExtension or LegacyExtension
*extensions* - keyword, text.text
* _osquery_info.extensions_ - osquery extensions status
@ -1865,6 +1912,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*extra* - keyword, text.text
* _asl.extra_ - Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.
* _os_version.extra_ - Optional extra release specification
* _platform_info.extra_ - Platform-specific additional information
*facility* - keyword, text.text
@ -2018,8 +2066,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _device_partitions.flags_ -
* _dns_cache.flags_ - DNS record flags
* _interface_details.flags_ - Flags (netdevice) for the device
* _kernel_keys.flags_ - A set of flags describing the state of the key.
* _mounts.flags_ - Mounted device flags
* _pipes.flags_ - The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes
* _process_etw_events.flags_ - Process Flags
* _routes.flags_ - Flags to describe route
*folder_id* - keyword, text.text
@ -2107,6 +2157,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _file.gid_ - Owning group ID
* _file_events.gid_ - Owning group ID
* _groups.gid_ - Unsigned int64 group ID
* _kernel_keys.gid_ - The group ID of the key.
* _package_bom.gid_ - Expected group of file or directory
* _process_events.gid_ - Group ID at process start
* _process_file_events.gid_ - The gid of the process performing the action
@ -2240,6 +2291,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _sudoers.header_ - Symbol for given rule
*header_pid* - keyword, number.long
* _process_etw_events.header_pid_ - Process ID of the process reporting the event
*header_size* - keyword, number.long
* _smbios_tables.header_size_ - Header size in bytes
@ -3081,6 +3136,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _magic.magic_db_files_ - Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc
*main* - keyword, number.long
* _connected_displays.main_ - If the display is the main display.
*maintainer* - keyword, text.text
* _apt_sources.maintainer_ - Repository maintainer
@ -3098,6 +3157,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _lxd_networks.managed_ - 1 if network created by LXD, 0 otherwise
*mandatory_label* - keyword, text.text
* _process_etw_events.mandatory_label_ - Primary token mandatory label sid - Present only on ProcessStart events
*manifest_hash* - keyword, text.text
* _chrome_extensions.manifest_hash_ - The SHA256 hash of the manifest.json file
@ -3114,6 +3177,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _battery.manufacture_date_ - The date the battery was manufactured UNIX Epoch
*manufactured_week* - keyword, number.long
* _connected_displays.manufactured_week_ - The manufacture week of the display. This field is 0 if not supported
*manufactured_year* - keyword, number.long
* _connected_displays.manufactured_year_ - The manufacture year of the display. This field is 0 if not supported
*manufacturer* - keyword, text.text
* _battery.manufacturer_ - The battery manufacturer's name
@ -3170,6 +3241,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _pipes.max_instances_ - The maximum number of instances creatable for this pipe
*max_results* - keyword, number.long
* _windows_search.max_results_ - Maximum number of results returned by windows api, set to -1 for unlimited
*max_rows* - keyword, number.long
* _unified_log.max_rows_ - the max number of rows returned (defaults to 100)
@ -3258,6 +3333,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _memory_info.memory_available_ - The amount of physical RAM, in bytes, available for starting new applications, without swapping
*memory_cached* - keyword, number.long
* _docker_container_stats.memory_cached_ - Memory cached
*memory_device_handle* - keyword, text.text
* _memory_device_mapped_addresses.memory_device_handle_ - Handle of the memory device structure associated with this structure
@ -3400,6 +3479,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _battery.minutes_until_empty_ - The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated
*mirror* - keyword, number.long
* _connected_displays.mirror_ - If the display is mirrored or not. This field is 1 if mirrored and 0 if not mirrored.
*mirrorlist* - keyword, text.text
* _yum_sources.mirrorlist_ - Mirrorlist URL
@ -3515,6 +3598,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _browser_plugins.name_ - Plugin display name
* _chocolatey_packages.name_ - Package display name
* _chrome_extensions.name_ - Extension display name
* _connected_displays.name_ - The name of the display.
* _cups_destinations.name_ - Name of the printer
* _deb_packages.name_ - Package name
* _disk_encryption.name_ - Disk name
@ -3580,6 +3664,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _temperature_sensors.name_ - Name of temperature source
* _windows_firewall_rules.name_ - Friendly name of the rule
* _windows_optional_features.name_ - Name of the feature
* _windows_search.name_ - The name of the item
* _windows_security_products.name_ - Name of product
* _wmi_bios_info.name_ - Name of the Bios setting
* _wmi_cli_event_consumers.name_ - Unique name of a consumer.
@ -3702,6 +3787,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _cpu_info.number_of_cores_ - The number of cores of the CPU.
*number_of_efficiency_cores* - keyword, number.long
* _cpu_info.number_of_efficiency_cores_ - The number of efficiency cores of the CPU. Only available on Apple Silicon
*number_of_performance_cores* - keyword, number.long
* _cpu_info.number_of_performance_cores_ - The number of performance cores of the CPU. Only available on Apple Silicon
*object_name* - keyword, text.text
* _winbaseobj.object_name_ - Object Name
@ -3751,6 +3844,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _processes.on_disk_ - The process path exists yes=1, no=0, unknown=-1
*online* - keyword, number.long
* _connected_displays.online_ - The online status of the display. This field is 1 if the display is online and 0 if it is offline.
*online_cpus* - keyword, number.long
* _docker_container_stats.online_cpus_ - Online CPUs
@ -3880,6 +3977,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _tpm_info.owned_ - TPM is owned
*owner* - keyword, text.text
* _windows_search.owner_ - The owner of the item
*owner_gid* - keyword, number.long
* _process_events.owner_gid_ - File owner group ID
@ -3948,6 +4049,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _process_events.parent_ - Process parent's PID, or -1 if cannot be determined.
* _processes.parent_ - Process parent's PID
*parent_process_sequence_number* - keyword, number.long
* _process_etw_events.parent_process_sequence_number_ - Parent Process Sequence Number - Present only on ProcessStart events
*parent_ref_number* - keyword, text.text
* _ntfs_journal_events.parent_ref_number_ - The ordinal that associates a journal record with a filename's parent directory
@ -4071,6 +4176,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _package_receipts.path_ - Path of receipt plist
* _plist.path_ - (required) read preferences from a plist
* _prefetch.path_ - Prefetch file path.
* _process_etw_events.path_ - Path of executed binary
* _process_events.path_ - Path of executed file
* _process_file_events.path_ - The path associated with the event
* _process_memory_map.path_ - Path to mapped file or mapped type
@ -4098,6 +4204,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _user_ssh_keys.path_ - Path to key file
* _userassist.path_ - Application file path.
* _windows_crashes.path_ - Path of the executable file for the crashed process
* _windows_search.path_ - The full path of the item.
* _yara.path_ - The path scanned
*pci_class* - keyword, text.text
@ -4172,6 +4279,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*permissions* - keyword, text.text
* _chrome_extensions.permissions_ - The permissions required by the extension
* _kernel_keys.permissions_ - The key permissions, expressed as four hexadecimalbytes containing, from left to right, thepossessor, user, group, and other permissions.
* _process_memory_map.permissions_ - r=read, w=write, x=execute, p=private (cow)
* _shared_memory.permissions_ - Memory segment permissions
* _suid_bin.permissions_ - Binary permissions
@ -4227,6 +4335,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _osquery_info.pid_ - Process (or thread/handle) ID
* _pipes.pid_ - Process ID of the process to which the pipe belongs
* _process_envs.pid_ - Process (or thread) ID
* _process_etw_events.pid_ - Process ID
* _process_events.pid_ - Process (or thread) ID
* _process_file_events.pid_ - Process ID
* _process_memory_map.pid_ - Process (or thread) ID
@ -4268,12 +4377,21 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _suid_bin.pid_with_namespace_ - Pids that contain a namespace
* _user_ssh_keys.pid_with_namespace_ - Pids that contain a namespace
* _users.pid_with_namespace_ - Pids that contain a namespace
* _yara.pid_with_namespace_ - Pids that contain a namespace
* _yum_sources.pid_with_namespace_ - Pids that contain a namespace
*pids* - keyword, number.long
* _docker_container_stats.pids_ - Number of processes
*pixels* - keyword, text.text
* _connected_displays.pixels_ - The number of pixels of the display.
*pk_hash* - keyword, text.text
* _keychain_items.pk_hash_ - Hash of associated public key (SHA1 of subjectPublicKey, see RFC 8520 4.2.1.2)
*placement_group_id* - keyword, text.text
* _azure_instance_metadata.placement_group_id_ - Placement group for the VM scale set
@ -4359,6 +4477,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*ppid* - keyword, number.long
* _process_etw_events.ppid_ - Parent Process ID
* _process_file_events.ppid_ - Parent process ID
*pre_cpu_kernelmode_usage* - keyword, number.long
@ -4381,6 +4500,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_container_stats.pre_system_cpu_usage_ - Last read CPU system usage
*predicate* - keyword, text.text
* _unified_log.predicate_ - predicate to search (see `log help predicates`), note that this is merged into the predicate created from the column constraints
*prefix* - keyword, text.text
* _homebrew_packages.prefix_ - Homebrew install prefix
@ -4420,6 +4543,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _event_taps.process_being_tapped_ - The process ID of the target application
*process_sequence_number* - keyword, number.long
* _process_etw_events.process_sequence_number_ - Process Sequence Number - Present only on ProcessStart events
*process_type* - keyword, text.text
* _launchd.process_type_ - Key describes the intended purpose of the job
@ -4444,6 +4571,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _cpu_info.processor_type_ - The processor type, such as Central, Math, or Video.
*product_id* - keyword, text.text
* _connected_displays.product_id_ - The product ID of the display.
*product_name* - keyword, text.text
* _tpm_info.product_name_ - Product name of the TPM
@ -4487,6 +4618,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_container_mounts.propagation_ - Mount propagation
*properties* - keyword, text.text
* _windows_search.properties_ - Additional property values JSON
*protected* - keyword, number.long
* _app_schemes.protected_ - 1 if this handler is protected (reserved) by macOS, else 0
@ -4554,6 +4689,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _mdfind.query_ - The query that was run to find the file
* _osquery_schedule.query_ - The exact query to run
* _windows_search.query_ - Windows search query
* _wmi_event_filters.query_ - Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.
*query_language* - keyword, text.text
@ -4761,6 +4897,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _docker_container_processes.resident_size_ - Bytes of private memory used by process
* _processes.resident_size_ - Bytes of private memory used by process
*resolution* - keyword, text.text
* _connected_displays.resolution_ - The resolution of the display.
*resource_group_name* - keyword, text.text
* _azure_instance_metadata.resource_group_name_ - Resource group for the VM
@ -4829,6 +4969,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _time_machine_destinations.root_volume_uuid_ - Root UUID of backup volume
*rotation* - keyword, text.text
* _connected_displays.rotation_ - The orientation of the display.
*round_trip_time* - keyword, number.long
* _curl.round_trip_time_ - Time taken to complete the request
@ -4933,6 +5077,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _secureboot.secure_boot_ - Whether secure boot is enabled
*secure_mode* - keyword, number.long
* _secureboot.secure_mode_ - Secure mode for Intel-based macOS: 0 disabled, 1 full security, 2 medium security
*secure_process* - keyword, number.long
* _processes.secure_process_ - Process is secure (IUM) yes=1, no=0
@ -4992,7 +5140,9 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _authenticode.serial_number_ - The certificate serial number
* _battery.serial_number_ - The battery's unique serial number
* _connected_displays.serial_number_ - The serial number of the display. (may not be unique)
* _curl_certificate.serial_number_ - Certificate serial number
* _kernel_keys.serial_number_ - The serial key of the key.
* _memory_devices.serial_number_ - Serial number of memory device
*serial_port_enabled* - keyword, text.text
@ -5049,6 +5199,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*session_id* - keyword, number.long
* _logon_sessions.session_id_ - The Terminal Services session identifier.
* _process_etw_events.session_id_ - Session ID
* _winbaseobj.session_id_ - Terminal Services Session Id
*session_owner* - keyword, text.text
@ -5206,6 +5357,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _shared_memory.size_ - Size in bytes
* _smbios_tables.size_ - Table entry size in bytes
* _smc_keys.size_ - Reported size of data in bytes
* _windows_search.size_ - The item size in bytes.
*size_bytes* - keyword, number.long
@ -5243,6 +5395,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _cpu_time.softirq_ - Time spent servicing softirqs
*sort* - keyword, text.text
* _windows_search.sort_ - Sort for windows api
*source* - keyword, text.text
* _apt_sources.source_ - Source file
@ -5693,6 +5849,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _ntfs_journal_events.time_ - Time of file event
* _package_install_history.time_ - Label date as UNIX timestamp
* _powershell_events.time_ - Timestamp the event was received by the osquery event publisher
* _process_etw_events.time_ - Event timestamp in Unix format
* _process_events.time_ - Time of execution in UNIX time
* _process_file_events.time_ - Time of execution in UNIX time
* _seccomp_events.time_ - Time of execution in UNIX time
@ -5714,10 +5871,15 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _windows_eventlog.time_range_ - System time to selectively filter the events
*time_windows* - keyword, number.long
* _process_etw_events.time_windows_ - Event timestamp in Windows format
*timeout* - keyword, text.text
* _authorizations.timeout_ - Label top-level key
* _curl_certificate.timeout_ - Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)
* _kernel_keys.timeout_ - The amount of time until the key will expire,expressed in human-readable form. The string perm heremeans that the key is permanent (no timeout). Thestring expd means that the key has already expired.
*timestamp* - keyword, text.text
@ -5738,6 +5900,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _cups_jobs.title_ - Title of the printed job
* _windows_update_history.title_ - Title of an update
*token_elevation_status* - keyword, number.long
* _process_etw_events.token_elevation_status_ - Primary token elevation status - Present only on ProcessStart events
*token_elevation_type* - keyword, text.text
* _process_etw_events.token_elevation_type_ - Primary token elevation type - Present only on ProcessStart events
*total_seconds* - keyword, number.long
* _uptime.total_seconds_ - Total uptime seconds
@ -5803,6 +5973,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _hardware_events.type_ - Type of hardware and hardware event
* _interface_addresses.type_ - Type of address. One of dhcp, manual, auto, other, unknown
* _interface_details.type_ - Interface type (includes virtual)
* _kernel_keys.type_ - The key type.
* _keychain_items.type_ - Keychain item type (class)
* _last.type_ - Entry type, according to ut_type types (utmp.h)
* _logged_in_users.type_ - Login type
@ -5815,6 +5986,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _osquery_events.type_ - Either publisher or subscriber
* _osquery_extensions.type_ - SDK extension type: core, extension, or module
* _osquery_flags.type_ - Flag type
* _process_etw_events.type_ - Event Type (ProcessStart, ProcessStop)
* _process_open_pipes.type_ - Pipe Type: named vs unnamed/anonymous
* _registry.type_ - Type of the registry value, or 'subkey' if item is a subkey
* _routes.type_ - Type of route
@ -5828,6 +6000,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _user_events.type_ - The file description for the process socket
* _users.type_ - Whether the account is roaming (domain), local, or a system profile
* _windows_crashes.type_ - Type of crash log
* _windows_search.type_ - The item type
* _windows_security_products.type_ - Type of security product
* _xprotect_meta.type_ - Either plugin or extension
@ -5855,6 +6028,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _file.uid_ - Owning user ID
* _file_events.uid_ - Owning user ID
* _firefox_addons.uid_ - The local user that owns the addon
* _kernel_keys.uid_ - The user ID of the key owner.
* _known_hosts.uid_ - The local user that owns the known_hosts file
* _launchd_overrides.uid_ - User ID applied to the override, 0 applies to all
* _package_bom.uid_ - Expected user of file or directory
@ -5891,6 +6065,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _ibridge_info.unique_chip_id_ - Unique id of the iBridge controller
*unit_file_state* - keyword, text.text
* _systemd_units.unit_file_state_ - Whether the unit file is enabled, e.g. `enabled`, `masked`, `disabled`, etc
*unix_time* - keyword, number.long
* _time.unix_time_ - Current UNIX time in UTC
@ -5964,6 +6142,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _curl.url_ - The url for the request
* _lxd_cluster_members.url_ - URL of the node
*usage* - keyword, number.long
* _kernel_keys.usage_ - the number of threads and open file references thatrefer to this key.
*usb_address* - keyword, number.long
* _usb_devices.usb_address_ - USB Device used address
@ -6030,6 +6212,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
* _launchd.username_ - Run this daemon or agent as this username
* _managed_policies.username_ - Policy applies only this user
* _preferences.username_ - (optional) read preferences for a specific user
* _process_etw_events.username_ - User rights - primary token username
* _rpm_package_files.username_ - File default username from info DB
* _shadow.username_ - Username
* _startup_items.username_ - The user associated with the startup item
@ -6119,6 +6302,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq
*vendor_id* - keyword, text.text
* _connected_displays.vendor_id_ - The vendor ID of the display.
* _hardware_events.vendor_id_ - Hex encoded Hardware vendor identifier
* _pci_devices.vendor_id_ - Hex encoded PCI Device vendor identifier
* _usb_devices.vendor_id_ - Hex encoded USB Device vendor identifier