The osquery community consists of query sharing, integrations, and discussions
Query Packs
We encourage osquery users and developers to share the broad queries that have large impact for systems orchestration, security visibility, and systems development triage. One immediate goal for the osquery community is a method to exchange important security and systems query sets in the form of "packs".
Query packs will be organized into a set of low-resource queries that add immediate signal and value to your enterprise.
Popular example queries
SELECT * FROM processes WHERE on_disk = 0;
Quickly scan every process's executable path to check whether the binary still exists on disk. If the binary was replaced (for example, by a newer version), on_disk will still equal '0'.
SELECT * FROM kernel_extensions WHERE name NOT LIKE 'com.apple.%' AND name != '__kernel__';
On OS X only, this identifies third-party kernel extensions.
SELECT * FROM registry WHERE hive = 'HKEY_LOCAL_MACHINE' AND key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
Return details for the CurrentVersion Run key within the Local Machine registry.
SELECT * FROM alf_exceptions;
Lists firewall exceptions users have added beyond the default OS X list of sharing services (e.g., SSH).
SELECT name, path, bundle_version, applescript_enabled, bundle_executable FROM apps;
osquery exposes an OS X-specific 'apps' table that uses common Application search paths such as /Applications, /Users/*/Applications, and /Users/*/Downloads.
SELECT * FROM launchd;
The 'launchd' table includes startup items (LaunchDaemons and LaunchAgents) from common search paths. At first this yields a large baseline of items, but the set does not change often, so differential logging surfaces only new or removed entries.
SELECT uid, name, path, cmdline, port, address FROM listening_ports l, processes p WHERE l.pid = p.pid;
List the process information for processes listening on TCP/UDP ports.
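As an added example (not part of this page or the osquery project's own packs), here is how the queries above could be bundled in osquery's pack format and scheduled on an interval, with per-query "platform" keys so each runs only where its table exists. The pack name is a placeholder; the file is referenced from the "packs" section of osquery.conf, and "snapshot": true on the launchd query logs the full baseline each run instead of only differential added/removed rows.

```json
{
  "queries": {
    "processes_not_on_disk": {
      "query": "SELECT * FROM processes WHERE on_disk = 0;",
      "interval": 600,
      "description": "Running processes whose executable is no longer present on disk."
    },
    "third_party_kernel_extensions": {
      "query": "SELECT * FROM kernel_extensions WHERE name NOT LIKE 'com.apple.%' AND name != '__kernel__';",
      "interval": 3600,
      "platform": "darwin",
      "description": "Kernel extensions not shipped by Apple."
    },
    "hklm_run_key": {
      "query": "SELECT * FROM registry WHERE hive = 'HKEY_LOCAL_MACHINE' AND key = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run';",
      "interval": 3600,
      "platform": "windows",
      "description": "Machine-wide autostart entries under CurrentVersion\\Run."
    },
    "alf_exceptions": {
      "query": "SELECT * FROM alf_exceptions;",
      "interval": 3600,
      "platform": "darwin",
      "description": "Application firewall exceptions beyond the default sharing services."
    },
    "installed_apps": {
      "query": "SELECT name, path, bundle_version, applescript_enabled, bundle_executable FROM apps;",
      "interval": 86400,
      "platform": "darwin",
      "description": "Applications found in the common search paths."
    },
    "launchd_baseline": {
      "query": "SELECT * FROM launchd;",
      "interval": 86400,
      "platform": "darwin",
      "snapshot": true,
      "description": "Full snapshot of LaunchDaemons and LaunchAgents for baselining."
    },
    "listening_processes": {
      "query": "SELECT uid, name, path, cmdline, port, address FROM listening_ports l, processes p WHERE l.pid = p.pid;",
      "interval": 300,
      "description": "Process details joined to the TCP/UDP ports they listen on."
    }
  }
}
```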
