Query Packs

We encourage osquery users and developers to share the broad queries that have large impact for systems orchestration, security visibility, and systems development triage. One immediate goal for the osquery community is a method to exchange important security and systems query sets in the form of "packs".

Query packs will be organized into a set of low-resource queries that add immediate signal and value to your enterprise.

Popular example queries

SELECT * FROM processes WHERE on_disk = 0;

Quickly scan all processes' executable paths to check whether the binary still exists on disk. If the binary was replaced (with a newer version, for example), on_disk will still equal '0'.

SELECT * FROM kernel_extensions WHERE name NOT LIKE 'com.apple.%' AND name != '__kernel__';

On OS X only: identify third-party kernel extensions.

SELECT * FROM registry WHERE hive = 'HKEY_LOCAL_MACHINE' AND key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

Return details for the CurrentVersion Run key within the Local Machine registry.

SELECT * FROM alf_exceptions;

Shows whether users have added firewall exceptions to the default OS X list of sharing services (e.g., SSH).

SELECT name, path, bundle_version, applescript_enabled, bundle_executable FROM apps;

osquery exposes an OS X-specific 'apps' table that uses common Application search paths such as /Applications, /Users/*/Applications, and /Users/*/Downloads.

SELECT * FROM launchd;

The 'launchd' table includes startup items (LaunchDaemons and LaunchAgents) from common search paths. At first this yields a large baseline of items, but the set does not change often.

SELECT uid, name, path, cmdline, port, address FROM listening_ports l, processes p WHERE l.pid=p.pid;

List the process information for processes listening on TCP/UDP ports.
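As an added example (not from the osquery project's own documentation or code), the following Python script assembles three of the queries above into the pack structure osquery loads: a top-level "queries" object keyed by query name, each entry carrying "query", "interval" and optionally "platform" and "description". It also checks the pack for common mistakes before it is shipped; the query names, intervals and per-query platform tags are assumptions chosen for the example.

```python
import json

# Platform values osquery recognises in a pack's or a query's "platform" field.
ALLOWED_PLATFORMS = {"darwin", "linux", "windows", "posix", "any"}

# Three queries from the page. Names, intervals and the per-query platform tags are
# assumptions chosen for this example (the tagged tables only exist on that OS).
EXAMPLE_QUERIES = {
    "process_binary_missing": {
        "query": "SELECT * FROM processes WHERE on_disk = 0;",
        "interval": 600,
        "description": "Running processes whose executable is gone from disk.",
    },
    "third_party_kexts": {
        "query": "SELECT * FROM kernel_extensions WHERE name NOT LIKE 'com.apple.%' AND name != '__kernel__';",
        "interval": 3600, "platform": "darwin",
    },
    "hklm_run_key": {
        "query": "SELECT * FROM registry WHERE hive = 'HKEY_LOCAL_MACHINE' AND key = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run';",
        "interval": 3600, "platform": "windows",
    },
}

def build_pack(queries, platform=None):
    """Wrap a queries mapping in the top-level structure osquery loads as a pack."""
    pack = {"queries": queries}
    if platform:
        pack["platform"] = platform  # restricts the whole pack to one platform
    return pack

def validate_pack(pack):
    """Return a list of problems; an empty list means the pack looks well-formed."""
    errors = []
    if pack.get("platform", "any") not in ALLOWED_PLATFORMS:
        errors.append("pack: unrecognised platform %r" % pack.get("platform"))
    queries = pack.get("queries")
    if not isinstance(queries, dict) or not queries:
        return errors + ["pack: 'queries' must be a non-empty object"]
    for name, q in queries.items():
        if not q.get("query", "").strip().upper().startswith("SELECT"):
            errors.append("%s: query must be a SELECT statement" % name)
        interval = str(q.get("interval", ""))  # osquery accepts an int or a numeric string
        if not interval.isdigit() or int(interval) <= 0:
            errors.append("%s: interval must be a positive number of seconds" % name)
        if q.get("platform", "any") not in ALLOWED_PLATFORMS:
            errors.append("%s: unrecognised platform %r" % (name, q.get("platform")))
    return errors

if __name__ == "__main__":
    print(json.dumps(build_pack(EXAMPLE_QUERIES), indent=2))
```

The printed JSON can be saved as a pack file and referenced from the osquery configuration's packs section.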