osquery exports the following set of tables organized by platform. Treat them like SQLite tables:

SELECT address, mac, id.interface
FROM interface_details AS id, interface_addresses AS ia WHERE id.interface = ia.interface;

There are some operating-specific tables that apply to OS X, Ubuntu, or CentOS only. osquery stresses feature parity, minimizing tables that are not available to all platforms is a priority. Tables marked with [beta] may be subject to renaming or column changes.

() uses an event publisher
() requires kernel extension
() blacklisted
() performance impact

() treat as a primary key
() use to control table output
() required in WHERE clause
() utility, included in SDK

Release tags: 2.6.1 2.6.0 2.5.2 2.5.0 2.4.6

All Platforms

arp_cache

Address resolution cache, both static and dynamic (from ARP, NDP).
ColumnTypeDescription
address TEXT_TYPE IPv4 address target
mac TEXT_TYPE MAC address of broadcasted address
interface TEXT_TYPE Interface of the network for the MAC
permanent TEXT_TYPE 1 for true, 0 for false

carbon_black_info

Returns info about a Carbon Black sensor install.
ColumnTypeDescription
sensor_id INTEGER_TYPE Sensor ID of the Carbon Black sensor
config_name TEXT_TYPE Sensor group
collect_store_files INTEGER_TYPE If the sensor is configured to send back binaries to the Carbon Black server
collect_module_loads INTEGER_TYPE If the sensor is configured to capture module loads
collect_module_info INTEGER_TYPE If the sensor is configured to collect metadata of binaries
collect_file_mods INTEGER_TYPE If the sensor is configured to collect file modification events
collect_reg_mods INTEGER_TYPE If the sensor is configured to collect registry modification events
collect_net_conns INTEGER_TYPE If the sensor is configured to collect network connections
collect_processes INTEGER_TYPE If the sensor is configured to process events
collect_cross_processes INTEGER_TYPE If the sensor is configured to cross process events
collect_emet_events INTEGER_TYPE If the sensor is configured to EMET events
collect_data_file_writes INTEGER_TYPE If the sensor is configured to collect non binary file writes
collect_process_user_context INTEGER_TYPE If the sensor is configured to collect the user running a process
collect_sensor_operations INTEGER_TYPE Unknown
log_file_disk_quota_mb INTEGER_TYPE Event file disk quota in MB
log_file_disk_quota_percentage INTEGER_TYPE Event file disk quota in a percentage
protection_disabled INTEGER_TYPE If the sensor is configured to report tamper events
sensor_ip_addr TEXT_TYPE IP address of the sensor
sensor_backend_server TEXT_TYPE Carbon Black server
event_queue INTEGER_TYPE Size in bytes of Carbon Black event files on disk
binary_queue INTEGER_TYPE Size in bytes of binaries waiting to be sent to Carbon Black server

carves

Forensic Carves.
ColumnTypeDescription
time BIGINT_TYPE Time at which the carve was kicked off
sha256 TEXT_TYPE A SHA256 sum of the carved archive
size INTEGER_TYPE Size of the carved archive
path TEXT_TYPE The path of the requested carve
status TEXT_TYPE Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED
carve_guid TEXT_TYPE Identifying value of the carve session
carve INTEGER_TYPE Set this value to '1' to start a file carve
select * from carves where status like '%FAIL%'
select * from carves where path like '/Users/%/Downloads/%' and carve=1

chrome_extensions

Chrome browser extensions.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension-supplied version
description TEXT_TYPE Extension-optional description
locale TEXT_TYPE Default locale supported by extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
persistent INTEGER_TYPE 1 If extension is persistent across all tabs else 0
path TEXT_TYPE Path to extension folder

cpuid

Useful CPU features from the cpuid ASM call.
ColumnTypeDescription
feature TEXT_TYPE Present feature flags
value TEXT_TYPE Bit value or string
output_register TEXT_TYPE Register used to for feature value
output_bit INTEGER_TYPE Bit in register value for feature value
input_eax TEXT_TYPE Value of EAX used

etc_hosts

Line-parsed /etc/hosts.
ColumnTypeDescription
address TEXT_TYPE IP address mapping
hostnames TEXT_TYPE Raw hosts mapping

etc_protocols

Line-parsed /etc/protocols.
ColumnTypeDescription
name TEXT_TYPE Protocol name
number INTEGER_TYPE Protocol number
alias TEXT_TYPE Protocol alias
comment TEXT_TYPE Comment with protocol description

etc_services

Line-parsed /etc/services.
ColumnTypeDescription
name TEXT_TYPE Service name
port INTEGER_TYPE Service port number
protocol TEXT_TYPE Transport protocol (TCP/UDP)
aliases TEXT_TYPE Optional space separated list of other names for a service
comment TEXT_TYPE Optional comment for a service.

hash

Filesystem hash data.
ColumnTypeDescription
path TEXT_TYPE Must provide a path or directory
directory TEXT_TYPE Must provide a path or directory
md5 TEXT_TYPE MD5 hash of provided filesystem data
sha1 TEXT_TYPE SHA1 hash of provided filesystem data
sha256 TEXT_TYPE SHA256 hash of provided filesystem data
select * from hash where path = '/etc/passwd'
select * from hash where directory = '/etc/'

interface_addresses

Network interfaces and relevant metadata.
ColumnTypeDescription
interface TEXT_TYPE Interface name
address TEXT_TYPE Specific address for interface
mask TEXT_TYPE Interface netmask
broadcast TEXT_TYPE Broadcast address for the interface
point_to_point TEXT_TYPE PtP address for the interface
type TEXT_TYPE Type of address. One of dhcp, manual, auto, other

interface_details

Detailed information and stats of network interfaces.
ColumnTypeDescription
interface TEXT_TYPE Interface name
mac TEXT_TYPE MAC of interface (optional)
type INTEGER_TYPE Interface type (includes virtual)
mtu INTEGER_TYPE Network MTU
metric INTEGER_TYPE Metric based on the speed of the interface
flags INTEGER_TYPE Flags (netdevice) for the device
ipackets BIGINT_TYPE Input packets
opackets BIGINT_TYPE Output packets
ibytes BIGINT_TYPE Input bytes
obytes BIGINT_TYPE Output bytes
ierrors BIGINT_TYPE Input errors
oerrors BIGINT_TYPE Output errors
idrops BIGINT_TYPE Input drops
odrops BIGINT_TYPE Output drops
collisions BIGINT_TYPE Packet Collisions detected
last_change BIGINT_TYPE Time of last device modification (optional)
description TEXT_TYPE Short description of the object—a one-line string.
manufacturer TEXT_TYPE Name of the network adapter's manufacturer.
connection_id TEXT_TYPE Name of the network connection as it appears in the Network Connections Control Panel program.
connection_status TEXT_TYPE State of the network adapter connection to the network.
enabled INTEGER_TYPE Indicates whether the adapter is enabled or not.
physical_adapter INTEGER_TYPE Indicates whether the adapter is a physical or a logical adapter.
speed INTEGER_TYPE Estimate of the current bandwidth in bits per second.
dhcp_enabled INTEGER_TYPE If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.
dhcp_lease_expires TEXT_TYPE Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_lease_obtained TEXT_TYPE Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_server TEXT_TYPE IP address of the dynamic host configuration protocol (DHCP) server.
dns_domain TEXT_TYPE Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.
dns_domain_suffix_search_order TEXT_TYPE Array of DNS domain suffixes to be appended to the end of host names during name resolution.
dns_host_name TEXT_TYPE Host name used to identify the local computer for authentication by some utilities.
dns_server_search_order TEXT_TYPE Array of server IP addresses to be used in querying for DNS servers.
select interface, mac, type, idrops as input_drops from interface_details;
select interface, mac, type, flags, (1<<8) as promisc_flag from interface_details where (flags & promisc_flag) > 0;
select interface, mac, type, flags, (1<<3) as loopback_flag from interface_details where (flags & loopback_flag) > 0;

kernel_info

Basic active kernel information.
ColumnTypeDescription
version TEXT_TYPE Kernel version
arguments TEXT_TYPE Kernel arguments
path TEXT_TYPE Kernel path
device TEXT_TYPE Kernel device identifier

listening_ports

Processes with listening (bound) network sockets/ports.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
port INTEGER_TYPE Transport layer port
protocol INTEGER_TYPE Transport protocol (TCP/UDP)
family INTEGER_TYPE Network protocol (IPv4, IPv6)
address TEXT_TYPE Specific address for bind

logged_in_users

Users with an active shell on the system.
ColumnTypeDescription
type TEXT_TYPE Login type
user TEXT_TYPE User login name
tty TEXT_TYPE Device name
host TEXT_TYPE Remote hostname
time INTEGER_TYPE Time entry was made
pid INTEGER_TYPE Process (or thread) ID

os_version

A single row containing the operating system name and version.
ColumnTypeDescription
name TEXT_TYPE Distribution or product name
version TEXT_TYPE Pretty, suitable for presentation, OS version
major INTEGER_TYPE Major release version
minor INTEGER_TYPE Minor release version
patch INTEGER_TYPE Optional patch release
build TEXT_TYPE Optional build-specific or variant string
platform TEXT_TYPE OS Platform or ID
platform_like TEXT_TYPE Closely related platforms
codename TEXT_TYPE OS version codename

platform_info

Information about EFI/UEFI/ROM and platform/boot.
ColumnTypeDescription
vendor TEXT_TYPE Platform code vendor
version TEXT_TYPE Platform code version
date TEXT_TYPE Self-reported platform code update date
revision TEXT_TYPE BIOS major and minor revision
address TEXT_TYPE Relative address of firmware mapping
size TEXT_TYPE Size in bytes of firmware
volume_size INTEGER_TYPE (Optional) size of firmware volume
extra TEXT_TYPE Platform-specific additional information

process_open_sockets

Processes which have open network sockets on the system.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
fd BIGINT_TYPE Socket file descriptor number
socket BIGINT_TYPE Socket handle or inode number
family INTEGER_TYPE Network protocol (IPv4, IPv6)
protocol INTEGER_TYPE Transport protocol (TCP/UDP)
local_address TEXT_TYPE Socket local address
remote_address TEXT_TYPE Socket remote address
local_port INTEGER_TYPE Socket local port
remote_port INTEGER_TYPE Socket remote port
path TEXT_TYPE For UNIX sockets (family=AF_UNIX), the domain path
select * from process_open_sockets where pid = 1

processes

All running processes on the host system.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
name TEXT_TYPE The process path or shorthand argv[0]
path TEXT_TYPE Path to executed binary
cmdline TEXT_TYPE Complete argv
state TEXT_TYPE Process state
cwd TEXT_TYPE Process current working directory
root TEXT_TYPE Process virtual root directory
uid BIGINT_TYPE Unsigned user ID
gid BIGINT_TYPE Unsigned group ID
euid BIGINT_TYPE Unsigned effective user ID
egid BIGINT_TYPE Unsigned effective group ID
suid BIGINT_TYPE Unsigned saved user ID
sgid BIGINT_TYPE Unsigned saved group ID
on_disk INTEGER_TYPE The process path exists yes=1, no=0, unknown=-1
wired_size BIGINT_TYPE Bytes of unpagable memory used by process
resident_size BIGINT_TYPE Bytes of private memory used by process
total_size BIGINT_TYPE Total virtual memory size
user_time BIGINT_TYPE CPU time spent in user space
system_time BIGINT_TYPE CPU time spent in kernel space
start_time BIGINT_TYPE Process start in seconds since boot (non-sleeping)
parent BIGINT_TYPE Process parent's PID
pgroup BIGINT_TYPE Process group
threads INTEGER_TYPE Number of threads used by process
nice INTEGER_TYPE Process nice level (-20 to 20, default 0)
select * from processes where pid = 1

routes

The active route table for the host system.
ColumnTypeDescription
destination TEXT_TYPE Destination IP address
netmask TEXT_TYPE Netmask length
gateway TEXT_TYPE Route gateway
source TEXT_TYPE Route source
flags INTEGER_TYPE Flags to describe route
interface TEXT_TYPE Route local interface
mtu INTEGER_TYPE Maximum Transmission Unit for the route
metric INTEGER_TYPE Cost of route. Lowest is preferred
type TEXT_TYPE Type of route

startup_items

Applications and binaries set as user/login startup items.
ColumnTypeDescription
name TEXT_TYPE Name of startup item
path TEXT_TYPE Path of startup item
args TEXT_TYPE Arguments provided to startup executable
type TEXT_TYPE Startup Item or Login Item
source TEXT_TYPE Directory or plist containing startup item
status TEXT_TYPE Startup status; either enabled or disabled
username TEXT_TYPE The user associated with the startup item

system_info

System information for identification.
ColumnTypeDescription
hostname TEXT_TYPE Network hostname including domain
uuid TEXT_TYPE Unique ID provided by the system
cpu_type TEXT_TYPE CPU type
cpu_subtype TEXT_TYPE CPU subtype
cpu_brand TEXT_TYPE CPU brand string, contains vendor and model
cpu_physical_cores INTEGER_TYPE Max number of CPU physical cores
cpu_logical_cores INTEGER_TYPE Max number of CPU logical cores
physical_memory BIGINT_TYPE Total physical memory in bytes
hardware_vendor TEXT_TYPE Hardware or board vendor
hardware_model TEXT_TYPE Hardware or board model
hardware_version TEXT_TYPE Hardware or board version
hardware_serial TEXT_TYPE Device or board serial number
computer_name TEXT_TYPE Friendly computer name (optional)
local_hostname TEXT_TYPE Local hostname (optional)

uptime

Track time passed since last boot.
ColumnTypeDescription
days INTEGER_TYPE Days of uptime
hours INTEGER_TYPE Hours of uptime
minutes INTEGER_TYPE Minutes of uptime
seconds INTEGER_TYPE Seconds of uptime
total_seconds BIGINT_TYPE Total uptime seconds

users

Local system users.
ColumnTypeDescription
uid BIGINT_TYPE User ID
gid BIGINT_TYPE Group ID (unsigned)
uid_signed BIGINT_TYPE User ID as int64 signed (Apple)
gid_signed BIGINT_TYPE Default group ID as int64 signed (Apple)
username TEXT_TYPE Username
description TEXT_TYPE Optional user description
directory TEXT_TYPE User's home directory
shell TEXT_TYPE User's configured default shell
uuid TEXT_TYPE User's UUID (Apple)
select * from users where uid = 1000
select * from users where username = 'root'
select count(*) from users u, user_groups ug where u.uid = ug.uid

YARA

yara

Track YARA matches for files or PIDs.
ColumnTypeDescription
path TEXT_TYPE The path scanned
matches TEXT_TYPE List of YARA matches
count INTEGER_TYPE Number of YARA matches
sig_group TEXT_TYPE Signature group used
sigfile TEXT_TYPE Signature file used
strings TEXT_TYPE Matching strings
tags TEXT_TYPE Matching tags
select * from yara where path = '/etc/passwd'
select * from yara where path LIKE '/etc/%'
select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'

yara_events

Track YARA matches for files specified in configuration data.
ColumnTypeDescription
target_path TEXT_TYPE The path scanned
category TEXT_TYPE The category of the file
action TEXT_TYPE Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT_TYPE ID used during bulk update
matches TEXT_TYPE List of YARA matches
count INTEGER_TYPE Number of YARA matches
strings TEXT_TYPE Matching strings
tags TEXT_TYPE Matching tags
time BIGINT_TYPE Time of the scan
eid TEXT_TYPE Event ID

The Sleuth Kit

device_file

Similar to the file table, but use TSK and allow block address access.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition TEXT_TYPE A partition number
path TEXT_TYPE A logical path within the device node
filename TEXT_TYPE Name portion of file path
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
size BIGINT_TYPE Size of file in bytes
block_size INTEGER_TYPE Block size of filesystem
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Creation time
hard_links INTEGER_TYPE Number of hard links
type TEXT_TYPE File status

device_hash

Similar to the hash table, but use TSK and allow block address access.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition TEXT_TYPE A partition number
inode BIGINT_TYPE Filesystem inode number
md5 TEXT_TYPE MD5 hash of provided inode data
sha1 TEXT_TYPE SHA1 hash of provided inode data
sha256 TEXT_TYPE SHA256 hash of provided inode data

device_partitions

Use TSK to enumerate details about partitions on a disk device.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition INTEGER_TYPE A partition number or description
label TEXT_TYPE
type TEXT_TYPE
offset BIGINT_TYPE
blocks_size BIGINT_TYPE Byte size of each block
blocks BIGINT_TYPE Number of blocks
inodes BIGINT_TYPE Number of meta nodes
flags INTEGER_TYPE

Microsoft Windows

appcompat_shims

Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.
ColumnTypeDescription
executable TEXT_TYPE Name of the executable that is being shimmed. This is pulled from the registry.
path TEXT_TYPE This is the path to the SDB database.
description TEXT_TYPE Description of the SDB.
install_time INTEGER_TYPE Install time of the SDB
type TEXT_TYPE Type of the SDB database.
sdb_id TEXT_TYPE Unique GUID of the SDB.
select * from appcompat_shims;

autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled tasks, startup_items and more.
ColumnTypeDescription
path TEXT_TYPE Path to the executable
name TEXT_TYPE Name of the program
source TEXT_TYPE Source table of the autoexec item

drivers

Details for in-use Windows device drivers. This does not display installed but unused drivers.
ColumnTypeDescription
device_id TEXT_TYPE Device ID
device_name TEXT_TYPE Device name
image TEXT_TYPE Path to driver image file
description TEXT_TYPE Driver description
service TEXT_TYPE Driver service name, if one exists
service_key TEXT_TYPE Driver service registry key
version TEXT_TYPE Driver version
inf TEXT_TYPE Associated inf file
class TEXT_TYPE Device/driver class name
provider TEXT_TYPE Driver provider
manufacturer TEXT_TYPE Device manufacturer
driver_key TEXT_TYPE Driver key
date BIGINT_TYPE Driver date
select * from drivers

ie_extensions

Internet Explorer browser extensions.
ColumnTypeDescription
name TEXT_TYPE Extension display name
registry_path TEXT_TYPE Extension identifier
version TEXT_TYPE Version of the executable
path TEXT_TYPE Path to executable

patches

Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).
ColumnTypeDescription
csname TEXT_TYPE The name of the host the patch is installed on.
hotfix_id TEXT_TYPE The KB ID of the patch.
caption TEXT_TYPE Short description of the patch.
description TEXT_TYPE Fuller description of the patch.
fix_comments TEXT_TYPE Additional comments about the patch.
installed_by TEXT_TYPE The system context in which the patch as installed.
install_date TEXT_TYPE Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.
installed_on TEXT_TYPE The date when the patch was installed.
select * from patches

programs

Rrepresents products as they are installed by Windows Installer. A product generally correlates to one installation package.
ColumnTypeDescription
name TEXT_TYPE Commonly used product name.
version TEXT_TYPE Product version information.
install_source TEXT_TYPE The installation source directory of the product.
language TEXT_TYPE The language of the product.
publisher TEXT_TYPE Name of the product supplier.
uninstall_string TEXT_TYPE Path and filename of the uninstaller.
install_date TEXT_TYPE Date that this product was installed on the system.
identifying_number TEXT_TYPE Product identification such as a serial number on software, or a die number on a hardware chip.
select * from programs

registry

All of the Windows registry hives.
ColumnTypeDescription
key TEXT_TYPE Name of the key to search for
path TEXT_TYPE Full path to the value
name TEXT_TYPE Name of the registry value entry
type TEXT_TYPE Type of the registry value, or 'subkey' if item is a subkey
data TEXT_TYPE Data content of registry value
mtime BIGINT_TYPE timestamp of the most recent registry write
select * from registry
select * from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
select * from registry where path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

scheduled_tasks

Lists all of the tasks in the Windows task scheduler.
ColumnTypeDescription
name TEXT_TYPE Name of the scheduled task
path TEXT_TYPE Path to the executable to be run
enabled INTEGER_TYPE Whether or not the scheduled task is enabled
state TEXT_TYPE State of the scheduled task
hidden INTEGER_TYPE Whether or not the task is visible in the UI
last_run_time INTEGER_TYPE Timestamp the task last ran
next_run_time INTEGER_TYPE Timestamp the task is scheduled to run next
last_run_message TEXT_TYPE Exit status message of the last task run
last_run_code TEXT_TYPE Exit status code of the last task run
select * from scheduled_tasks
select * from scheduled_tasks where hidden=1 and enabled=1

services

Lists all installed Windows services and their relevant data.
ColumnTypeDescription
name TEXT_TYPE Service name
service_type TEXT_TYPE Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)
display_name TEXT_TYPE Service Display name
status TEXT_TYPE Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED
pid INTEGER_TYPE the Process ID of the service
start_type TEXT_TYPE Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED
win32_exit_code INTEGER_TYPE The error code that the service uses to report an error that occurs when it is starting or stopping
service_exit_code INTEGER_TYPE The service-specific error code that the service returns when an error occurs while the service is starting or stopping
path TEXT_TYPE Path to Service Executable
module_path TEXT_TYPE Path to ServiceDll
description TEXT_TYPE Service Description
user_account TEXT_TYPE The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\UserName. If the account belongs to the built-in domain, the name can be of the form .\UserName.
select * from services

shared_resources

Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.
ColumnTypeDescription
description TEXT_TYPE A textual description of the object
install_date TEXT_TYPE Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.
status TEXT_TYPE String that indicates the current status of the object.
allow_maximum INTEGER_TYPE Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.
maximum_allowed INTEGER_TYPE Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.
name TEXT_TYPE Alias given to a path set up as a share on a computer system running Windows.
path TEXT_TYPE Local path of the Windows share.
type INTEGER_TYPE Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.
select * from shared_resources

windows_events

Windows Event logs.
ColumnTypeDescription
time BIGINT_TYPE Timestamp the event was received
datetime TEXT_TYPE System time at which the event occurred
source TEXT_TYPE Source or channel of the event
provider_name TEXT_TYPE Provider name of the event
provider_guid TEXT_TYPE Provider guid of the event
eventid INTEGER_TYPE Event ID of the event
task INTEGER_TYPE Task value associated with the event
level INTEGER_TYPE The severity level associated with the event
keywords BIGINT_TYPE A bitmask of the keywords defined in the event
data TEXT_TYPE Data associated with the event
eid TEXT_TYPE Event ID
select * from windows_events where eventid=4104 and channel='Security'

wmi_cli_event_consumers

WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.
ColumnTypeDescription
name TEXT_TYPE Unique name of a consumer.
command_line_template TEXT_TYPE Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.
executable_path TEXT_TYPE Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select filter,consumer,query,command_line_template,wcec.name from wmi_cli_event_consumers wcec left outer join wmi_filter_consumer_binding wcb on consumer = wcec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;

wmi_event_filters

Lists WMI event filters.
ColumnTypeDescription
name TEXT_TYPE Unique identifier of an event filter.
query TEXT_TYPE Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.
query_language TEXT_TYPE Query language that the query is written in.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select * from wmi_event_filters

wmi_filter_consumer_binding

Lists the relationship between event consumers and filters.
ColumnTypeDescription
consumer TEXT_TYPE Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.
filter TEXT_TYPE Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select * from wmi_filter_consumer_binding

wmi_script_event_consumers

WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.
ColumnTypeDescription
name TEXT_TYPE Unique identifier for the event consumer.
scripting_engine TEXT_TYPE Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.
script_file_name TEXT_TYPE Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.
script_text TEXT_TYPE Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select filter,consumer,query,scripting_engine,script_file_name,script_text,wsec.name from wmi_script_event_consumers wsec left outer join wmi_filter_consumer_binding wcb on consumer = wsec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;

LLDPD

lldp_neighbors

LLDP neighbors of interfaces.
ColumnTypeDescription
interface TEXT_TYPE Interface name
rid INTEGER_TYPE Neighbor chassis index
chassis_id_type TEXT_TYPE Neighbor chassis ID type
chassis_id TEXT_TYPE Neighbor chassis ID value
chassis_sysname TEXT_TYPE CPU brand string, contains vendor and model
chassis_sys_description INTEGER_TYPE Max number of CPU physical cores
chassis_bridge_capability_available INTEGER_TYPE Chassis bridge capability availability
chassis_bridge_capability_enabled INTEGER_TYPE Is chassis bridge capability enabled.
chassis_router_capability_available INTEGER_TYPE Chassis router capability availability
chassis_router_capability_enabled INTEGER_TYPE Chassis router capability enabled
chassis_repeater_capability_available INTEGER_TYPE Chassis repeater capability availability
chassis_repeater_capability_enabled INTEGER_TYPE Chassis repeater capability enabled
chassis_wlan_capability_available INTEGER_TYPE Chassis wlan capability availability
chassis_wlan_capability_enabled INTEGER_TYPE Chassis wlan capability enabled
chassis_tel_capability_available INTEGER_TYPE Chassis telephone capability availability
chassis_tel_capability_enabled INTEGER_TYPE Chassis telephone capability enabled
chassis_docsis_capability_available INTEGER_TYPE Chassis DOCSIS capability availability
chassis_docsis_capability_enabled INTEGER_TYPE Chassis DOCSIS capability enabled
chassis_station_capability_available INTEGER_TYPE Chassis station capability availability
chassis_station_capability_enabled INTEGER_TYPE Chassis station capability enabled
chassis_other_capability_available INTEGER_TYPE Chassis other capability availability
chassis_other_capability_enabled INTEGER_TYPE Chassis other capability enabled
chassis_mgmt_ips TEXT_TYPE Comma delimited list of chassis management IPS
port_id_type TEXT_TYPE Port ID type
port_id TEXT_TYPE Port ID value
port_description TEXT_TYPE Port description
port_ttl BIGINT_TYPE Age of neighbor port
port_mfs BIGINT_TYPE Port max frame size
port_aggregation_id TEXT_TYPE Port aggregation ID
port_autoneg_supported INTEGER_TYPE Auto negotiation supported
port_autoneg_enabled INTEGER_TYPE Is auto negotiation enabled
port_mau_type TEXT_TYPE MAU type
port_autoneg_10baset_hd_enabled INTEGER_TYPE 10Base-T HD auto negotiation enabled
port_autoneg_10baset_fd_enabled INTEGER_TYPE 10Base-T FD auto negotiation enabled
port_autoneg_100basetx_hd_enabled INTEGER_TYPE 100Base-TX HD auto negotiation enabled
port_autoneg_100basetx_fd_enabled INTEGER_TYPE 100Base-TX FD auto negotiation enabled
port_autoneg_100baset2_hd_enabled INTEGER_TYPE 100Base-T2 HD auto negotiation enabled
port_autoneg_100baset2_fd_enabled INTEGER_TYPE 100Base-T2 FD auto negotiation enabled
port_autoneg_100baset4_hd_enabled INTEGER_TYPE 100Base-T4 HD auto negotiation enabled
port_autoneg_100baset4_fd_enabled INTEGER_TYPE 100Base-T4 FD auto negotiation enabled
port_autoneg_1000basex_hd_enabled INTEGER_TYPE 1000Base-X HD auto negotiation enabled
port_autoneg_1000basex_fd_enabled INTEGER_TYPE 1000Base-X FD auto negotiation enabled
port_autoneg_1000baset_hd_enabled INTEGER_TYPE 1000Base-T HD auto negotiation enabled
port_autoneg_1000baset_fd_enabled INTEGER_TYPE 1000Base-T FD auto negotiation enabled
power_device_type TEXT_TYPE Dot3 power device type
power_mdi_supported INTEGER_TYPE MDI power supported
power_mdi_enabled INTEGER_TYPE Is MDI power enabled
power_paircontrol_enabled INTEGER_TYPE Is power pair control enabled
power_pairs TEXT_TYPE Dot3 power pairs
power_class TEXT_TYPE Power class
power_8023at_enabled INTEGER_TYPE Is 802.3at enabled
power_8023at_power_type TEXT_TYPE 802.3at power type
power_8023at_power_source TEXT_TYPE 802.3at power source
power_8023at_power_priority TEXT_TYPE 802.3at power priority
power_8023at_power_allocated TEXT_TYPE 802.3at power allocated
power_8023at_power_requested TEXT_TYPE 802.3at power requested
med_device_type TEXT_TYPE Chassis MED type
med_capability_capabilities INTEGER_TYPE Is MED capabilities enabled
med_capability_policy INTEGER_TYPE Is MED policy capability enabled
med_capability_location INTEGER_TYPE Is MED location capability enabled
med_capability_mdi_pse INTEGER_TYPE Is MED MDI PSE capability enabled
med_capability_mdi_pd INTEGER_TYPE Is MED MDI PD capability enabled
med_capability_inventory INTEGER_TYPE Is MED inventory capability enabled
med_policies TEXT_TYPE Comma delimited list of MED policies
vlans TEXT_TYPE Comma delimited list of vlan ids
pvid TEXT_TYPE Primary VLAN id
ppvids_supported TEXT_TYPE Comma delimited list of supported PPVIDs
ppvids_enabled TEXT_TYPE Comma delimited list of enabled PPVIDs
pids TEXT_TYPE Comma delimited list of PIDs

POSIX-compatible Plaforms

acpi_tables

Firmware ACPI functional table common metadata and content.
ColumnTypeDescription
name TEXT_TYPE ACPI table name
size INTEGER_TYPE Size of compiled table data
md5 TEXT_TYPE MD5 hash of table content

augeas

Configuration files parsed by augeas.
ColumnTypeDescription
node TEXT_TYPE The node path of the configuration item
value TEXT_TYPE The value of the configuration item
label TEXT_TYPE The label of the configuration item
path TEXT_TYPE The path to the configuration file
select * from augeas where path = '/etc/hosts'

authorized_keys

A line-delimited authorized_keys table.
ColumnTypeDescription
uid BIGINT_TYPE The local owner of authorized_keys file
algorithm TEXT_TYPE algorithim of key
key TEXT_TYPE parsed authorized keys line
key_file TEXT_TYPE Path to the authorized_keys file

block_devices

Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.
ColumnTypeDescription
name TEXT_TYPE Block device name
parent TEXT_TYPE Block device parent name
vendor TEXT_TYPE Block device vendor string
model TEXT_TYPE Block device model string identifier
size BIGINT_TYPE Block device size in bytes
uuid TEXT_TYPE Block device Universally Unique Identifier
type TEXT_TYPE Block device type string
label TEXT_TYPE Block device label string

cpu_time

Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.
ColumnTypeDescription
core INTEGER_TYPE Name of the cpu (core)
user BIGINT_TYPE Time spent in user mode
nice BIGINT_TYPE Time spent in user mode with low priority (nice)
system BIGINT_TYPE Time spent in system mode
idle BIGINT_TYPE Time spent in the idle task
iowait BIGINT_TYPE Time spent waiting for I/O to complete
irq BIGINT_TYPE Time spent servicing interrupts
softirq BIGINT_TYPE Time spent servicing softirqs
steal BIGINT_TYPE Time spent in other operating systems when running in a virtualized environment
guest BIGINT_TYPE Time spent running a virtual CPU for a guest OS under the control of the Linux kernel
guest_nice BIGINT_TYPE Time spent running a niced guest

crontab

Line parsed values from system and user cron/tab.
ColumnTypeDescription
event TEXT_TYPE The job @event name (rare)
minute TEXT_TYPE The exact minute for the job
hour TEXT_TYPE The hour of the day for the job
day_of_month TEXT_TYPE The day of the month for the job
month TEXT_TYPE The month of the year for the job
day_of_week TEXT_TYPE The day of the week for the job
command TEXT_TYPE Raw command string
path TEXT_TYPE File parsed

disk_encryption

Disk encryption status and information.
ColumnTypeDescription
name TEXT_TYPE Disk name
uuid TEXT_TYPE Disk Universally Unique Identifier
encrypted INTEGER_TYPE 1 If encrypted: true (disk is encrypted), else 0
type TEXT_TYPE Description of cipher type and mode if available
uid TEXT_TYPE Currently authenticated user if available (Apple)
user_uuid TEXT_TYPE UUID of authenticated user if available (Apple)

dns_resolvers

Resolvers used by this host.
ColumnTypeDescription
id INTEGER_TYPE Address type index or order
type TEXT_TYPE Address type: sortlist, nameserver, search
address TEXT_TYPE Resolver IP/IPv6 address
netmask TEXT_TYPE Address (sortlist) netmask length
options BIGINT_TYPE Resolver options

docker_container_labels

Docker container labels.
ColumnTypeDescription
id TEXT_TYPE Container ID
key TEXT_TYPE Label key
value TEXT_TYPE Optional label value
select * from docker_container_labels
select * from docker_container_labels where id = '1234567890abcdef'
select * from docker_container_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_container_mounts

Docker container mounts.
ColumnTypeDescription
id TEXT_TYPE Container ID
type TEXT_TYPE Type of mount (bind, volume)
name TEXT_TYPE Optional mount name
source TEXT_TYPE Source path on host
destination TEXT_TYPE Destination path inside container
driver TEXT_TYPE Driver providing the mount
mode TEXT_TYPE Mount options (rw, ro)
rw INTEGER_TYPE 1 if read/write. 0 otherwise
propagation TEXT_TYPE Mount propagation
select * from docker_container_mounts
select * from docker_container_mounts where id = '1234567890abcdef'
select * from docker_container_mounts where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_container_networks

Docker container networks.
ColumnTypeDescription
id TEXT_TYPE Container ID
name TEXT_TYPE Network name
network_id TEXT_TYPE Network ID
endpoint_id TEXT_TYPE Endpoint ID
gateway TEXT_TYPE Gateway
ip_address TEXT_TYPE IP address
ip_prefix_len INTEGER_TYPE IP subnet prefix length
ipv6_gateway TEXT_TYPE IPv6 gateway
ipv6_address TEXT_TYPE IPv6 address
ipv6_prefix_len INTEGER_TYPE IPv6 subnet prefix length
mac_address TEXT_TYPE MAC address
select * from docker_container_networks
select * from docker_container_networks where id = '1234567890abcdef'
select * from docker_container_networks where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_container_ports

Docker container ports.
ColumnTypeDescription
id TEXT_TYPE Container ID
type TEXT_TYPE Protocol (tcp, udp)
port INTEGER_TYPE Port inside the container
host_ip TEXT_TYPE Host IP address on which public port is listening
host_port INTEGER_TYPE Host port
select * from docker_container_ports
select * from docker_container_ports where id = '1234567890abcdef'
select * from docker_container_ports where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_container_processes

Docker container processes.
ColumnTypeDescription
id TEXT_TYPE Container ID
pid BIGINT_TYPE Process ID
name TEXT_TYPE The process path or shorthand argv[0]
cmdline TEXT_TYPE Complete argv
state TEXT_TYPE Process state
uid BIGINT_TYPE User ID
gid BIGINT_TYPE Group ID
euid BIGINT_TYPE Effective user ID
egid BIGINT_TYPE Effective group ID
suid BIGINT_TYPE Saved user ID
sgid BIGINT_TYPE Saved group ID
wired_size BIGINT_TYPE Bytes of unpagable memory used by process
resident_size BIGINT_TYPE Bytes of private memory used by process
total_size BIGINT_TYPE Total virtual memory size
start_time BIGINT_TYPE Process start in seconds since boot (non-sleeping)
parent BIGINT_TYPE Process parent's PID
pgroup BIGINT_TYPE Process group
threads INTEGER_TYPE Number of threads used by process
nice INTEGER_TYPE Process nice level (-20 to 20, default 0)
user TEXT_TYPE User name
time TEXT_TYPE Cumulative CPU time. [DD-]HH:MM:SS format
cpu DOUBLE_TYPE CPU utilization as percentage
mem DOUBLE_TYPE Memory utilization as percentage
select * from docker_container_processes where id = '1234567890abcdef'
select * from docker_container_processes where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_container_stats

Docker container statistics. Queries on this table take at least one second.
ColumnTypeDescription
id TEXT_TYPE Container ID
name TEXT_TYPE Container name
pids INTEGER_TYPE Number of processes
read BIGINT_TYPE UNIX time when stats were read
preread BIGINT_TYPE UNIX time when stats were last read
interval BIGINT_TYPE Difference between read and preread in nano-seconds
disk_read BIGINT_TYPE Total disk read bytes
disk_write BIGINT_TYPE Total disk write bytes
num_procs INTEGER_TYPE Number of processors
cpu_total_usage BIGINT_TYPE Total CPU usage
cpu_kernelmode_usage BIGINT_TYPE CPU kernel mode usage
cpu_usermode_usage BIGINT_TYPE CPU user mode usage
system_cpu_usage BIGINT_TYPE CPU system usage
online_cpus INTEGER_TYPE Online CPUs
pre_cpu_total_usage BIGINT_TYPE Last read total CPU usage
pre_cpu_kernelmode_usage BIGINT_TYPE Last read CPU kernel mode usage
pre_cpu_usermode_usage BIGINT_TYPE Last read CPU user mode usage
pre_system_cpu_usage BIGINT_TYPE Last read CPU system usage
pre_online_cpus INTEGER_TYPE Last read online CPUs
memory_usage BIGINT_TYPE Memory usage
memory_max_usage BIGINT_TYPE Memory maximum usage
memory_limit BIGINT_TYPE Memory limit
network_rx_bytes BIGINT_TYPE Total network bytes read
network_tx_bytes BIGINT_TYPE Total network bytes transmitted
select * from docker_container_stats where id = 'de8cfdc74c850967'
select * from docker_container_stats where id = 'de8cfdc74c850967fd3832e128f4d12e2d5476a4aea282734bfb7e57f66fce2f'

docker_containers

Docker containers information.
ColumnTypeDescription
id TEXT_TYPE Container ID
name TEXT_TYPE Container name
image TEXT_TYPE Docker image (name) used to launch this container
image_id TEXT_TYPE Docker image ID
command TEXT_TYPE Command with arguments
created BIGINT_TYPE Time of creation as UNIX time
state TEXT_TYPE Container state (created, restarting, running, removing, paused, exited, dead)
status TEXT_TYPE Container status information
select * from docker_containers where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'
select * from docker_containers where name = '/hello'

docker_image_labels

Docker image labels.
ColumnTypeDescription
id TEXT_TYPE Image ID
key TEXT_TYPE Label key
value TEXT_TYPE Optional label value
select * from docker_image_labels
select * from docker_image_labels where id = '1234567890abcdef'
select * from docker_image_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_images

Docker images information.
ColumnTypeDescription
id TEXT_TYPE Image ID
created BIGINT_TYPE Time of creation as UNIX time
size_bytes BIGINT_TYPE Size of image in bytes
tags TEXT_TYPE Comma-separated list of repository tags
select * from docker_images
select * from docker_images where id = '6a2f32de169d'
select * from docker_images where id = '6a2f32de169d14e6f8a84538eaa28f2629872d7d4f580a303b296c60db36fbd7'

docker_info

Docker system information.
ColumnTypeDescription
id TEXT_TYPE Docker system ID
containers INTEGER_TYPE Total number of containers
containers_running INTEGER_TYPE Number of containers currently running
containers_paused INTEGER_TYPE Number of containers in paused state
containers_stopped INTEGER_TYPE Number of containers in stopped state
images INTEGER_TYPE Number of images
storage_driver TEXT_TYPE Storage driver
memory_limit INTEGER_TYPE 1 if memory limit support is enabled. 0 otherwise
swap_limit INTEGER_TYPE 1 if swap limit support is enabled. 0 otherwise
kernel_memory INTEGER_TYPE 1 if kernel memory limit support is enabled. 0 otherwise
cpu_cfs_period INTEGER_TYPE 1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise
cpu_cfs_quota INTEGER_TYPE 1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise
cpu_shares INTEGER_TYPE 1 if CPU share weighting support is enabled. 0 otherwise
cpu_set INTEGER_TYPE 1 if CPU set selection support is enabled. 0 otherwise
ipv4_forwarding INTEGER_TYPE 1 if IPv4 forwarding is enabled. 0 otherwise
bridge_nf_iptables INTEGER_TYPE 1 if bridge netfilter iptables is enabled. 0 otherwise
bridge_nf_ip6tables INTEGER_TYPE 1 if bridge netfilter ip6tables is enabled. 0 otherwise
oom_kill_disable INTEGER_TYPE 1 if Out-of-memory kill is disabled. 0 otherwise
logging_driver TEXT_TYPE Logging driver
cgroup_driver TEXT_TYPE Control groups driver
kernel_version TEXT_TYPE Kernel version
os TEXT_TYPE Operating system
os_type TEXT_TYPE Operating system type
architecture TEXT_TYPE Hardware architecture
cpus INTEGER_TYPE Number of CPUs
memory BIGINT_TYPE Total memory
http_proxy TEXT_TYPE HTTP proxy
https_proxy TEXT_TYPE HTTPS proxy
no_proxy TEXT_TYPE Comma-separated list of domain extensions proxy should not be used for
name TEXT_TYPE Name of the docker host
server_version TEXT_TYPE Server version
root_dir TEXT_TYPE Docker root directory
select * from docker_info

docker_network_labels

Docker network labels.
ColumnTypeDescription
id TEXT_TYPE Network ID
key TEXT_TYPE Label key
value TEXT_TYPE Optional label value
select * from docker_network_labels
select * from docker_network_labels where id = '1234567890abcdef'
select * from docker_network_labels where id = '11b2399e1426d906e62a0c357650e363426d6c56dbe2f35cbaa9b452250e3355'

docker_networks

Docker networks information.
ColumnTypeDescription
id TEXT_TYPE Network ID
name TEXT_TYPE Network name
driver TEXT_TYPE Network driver
created BIGINT_TYPE Time of creation as UNIX time
enable_ipv6 INTEGER_TYPE 1 if IPv6 is enabled on this network. 0 otherwise
subnet TEXT_TYPE Network subnet
gateway TEXT_TYPE Network gateway
select * from docker_networks
select * from docker_networks where id = 'cfd2ffd49439'
select * from docker_networks where id = 'cfd2ffd494395b75d77539761df40cde06a2b6b497e0c9c1adc6c5a79539bfad'

docker_version

Docker version information.
ColumnTypeDescription
version TEXT_TYPE Docker version
api_version TEXT_TYPE API version
min_api_version TEXT_TYPE Minimum API version supported
git_commit TEXT_TYPE Docker build git commit
go_version TEXT_TYPE Go version
os TEXT_TYPE Operating system
arch TEXT_TYPE Hardware architecture
kernel_version TEXT_TYPE Kernel version
build_time TEXT_TYPE Build time
select version from docker_version

docker_volume_labels

Docker volume labels.
ColumnTypeDescription
name TEXT_TYPE Volume name
key TEXT_TYPE Label key
value TEXT_TYPE Optional label value
select * from docker_volume_labels
select * from docker_volume_labels where name = 'btrfs'

docker_volumes

Docker volumes information.
ColumnTypeDescription
name TEXT_TYPE Volume name
driver TEXT_TYPE Volume driver
mount_point TEXT_TYPE Mount point
type TEXT_TYPE Volume type
select * from docker_volumes
select * from docker_volumes where name = 'btrfs'

file_events

Track time/action changes to files specified in configuration data.
ColumnTypeDescription
target_path TEXT_TYPE The path associated with the event
category TEXT_TYPE The category of the file defined in the config
action TEXT_TYPE Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT_TYPE ID used during bulk update
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
size BIGINT_TYPE Size of file in bytes
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Last status change time
md5 TEXT_TYPE The MD5 of the file after change
sha1 TEXT_TYPE The SHA1 of the file after change
sha256 TEXT_TYPE The SHA256 of the file after change
hashed INTEGER_TYPE 1 if the file was hashed, 0 if not, -1 if hashing failed
time BIGINT_TYPE Time of file event
eid TEXT_TYPE Event ID

firefox_addons

Firefox browser extensions, webapps, and addons.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the addon
name TEXT_TYPE Addon display name
identifier TEXT_TYPE Addon identifier
creator TEXT_TYPE Addon-supported creator string
type TEXT_TYPE Extension, addon, webapp
version TEXT_TYPE Addon-supplied version string
description TEXT_TYPE Addon-supplied description string
source_url TEXT_TYPE URL that installed the addon
visible INTEGER_TYPE 1 If the addon is shown in browser else 0
active INTEGER_TYPE 1 If the addon is active else 0
disabled INTEGER_TYPE 1 If the addon is application-disabled else 0
autoupdate INTEGER_TYPE 1 If the addon applies background updates else 0
native INTEGER_TYPE 1 If the addon includes binary components else 0
location TEXT_TYPE Global, profile location
path TEXT_TYPE Path to plugin bundle

groups

Local system groups.
ColumnTypeDescription
gid BIGINT_TYPE Unsigned int64 group ID
gid_signed BIGINT_TYPE A signed int64 version of gid
groupname TEXT_TYPE Canonical local group name
select * from groups where gid = 0

hardware_events

Hardware (PCI/USB/HID) events from UDEV or IOKit.
ColumnTypeDescription
action TEXT_TYPE Remove, insert, change properties, etc
path TEXT_TYPE Local device path assigned (optional)
type TEXT_TYPE Type of hardware and hardware event
driver TEXT_TYPE Driver claiming the device
vendor TEXT_TYPE Hardware device vendor
vendor_id TEXT_TYPE Hex encoded Hardware vendor identifier
model TEXT_TYPE Hardware device model
model_id TEXT_TYPE Hex encoded Hardware model identifier
serial TEXT_TYPE Device serial (optional)
revision TEXT_TYPE Device revision (optional)
time BIGINT_TYPE Time of hardware event
eid TEXT_TYPE Event ID

known_hosts

A line-delimited known_hosts table.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the known_hosts file
key TEXT_TYPE parsed authorized keys line
key_file TEXT_TYPE Path to known_hosts file

last

System logins and logouts.
ColumnTypeDescription
username TEXT_TYPE Entry username
tty TEXT_TYPE Entry terminal
pid INTEGER_TYPE Process (or thread) ID
type INTEGER_TYPE Entry type, according to ut_type types (utmp.h)
time INTEGER_TYPE Entry timestamp
host TEXT_TYPE Entry hostname

load_average

Displays information about the system wide load averages.
ColumnTypeDescription
period TEXT_TYPE Period over which the average is calculated.
average TEXT_TYPE Load average over the specified period.
select * from load_average;

magic

Magic number recognition library table.
ColumnTypeDescription
path TEXT_TYPE Absolute path to target file
data TEXT_TYPE Magic number data from libmagic
mime_type TEXT_TYPE MIME type data from libmagic
mime_encoding TEXT_TYPE MIME encoding data from libmagic

mounts

System mounted devices and filesystems (not process specific).
ColumnTypeDescription
device TEXT_TYPE Mounted device
device_alias TEXT_TYPE Mounted device alias
path TEXT_TYPE Mounted device path
type TEXT_TYPE Mounted device type
blocks_size BIGINT_TYPE Block size in bytes
blocks BIGINT_TYPE Mounted device used blocks
blocks_free BIGINT_TYPE Mounted device free blocks
blocks_available BIGINT_TYPE Mounted device available blocks
inodes BIGINT_TYPE Mounted device used inodes
inodes_free BIGINT_TYPE Mounted device free inodes
flags TEXT_TYPE Mounted device flags

opera_extensions

Opera browser extensions.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension-supplied version
description TEXT_TYPE Extension-optional description
locale TEXT_TYPE Default locale supported by extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
persistent INTEGER_TYPE 1 If extension is persistent across all tabs else 0
path TEXT_TYPE Path to extension folder

pci_devices

PCI devices active on the host system.
ColumnTypeDescription
pci_slot TEXT_TYPE PCI Device used slot
pci_class TEXT_TYPE PCI Device class
driver TEXT_TYPE PCI Device used driver
vendor TEXT_TYPE PCI Device vendor
vendor_id TEXT_TYPE Hex encoded PCI Device vendor identifier
model TEXT_TYPE PCI Device model
model_id TEXT_TYPE Hex encoded PCI Device model identifier

process_envs

A key/value table of environment variables for each process.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
key TEXT_TYPE Environment variable name
value TEXT_TYPE Environment variable value
select * from process_envs where pid = 1
select pe.* from process_envs pe, (select * from processes limit 10) p where p.pid = pe.pid;

process_events

Track time/action process executions.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
path TEXT_TYPE Path of executed file
mode BIGINT_TYPE File mode permissions
cmdline TEXT_TYPE Command line arguments (argv)
cmdline_size BIGINT_TYPE Actual size (bytes) of command line arguments
env TEXT_TYPE Environment variables delimited by spaces
env_count BIGINT_TYPE Number of environment variables
env_size BIGINT_TYPE Actual size (bytes) of environment list
cwd TEXT_TYPE The process current working directory
auid BIGINT_TYPE Audit User ID at process start
uid BIGINT_TYPE User ID at process start
euid BIGINT_TYPE Effective user ID at process start
gid BIGINT_TYPE Group ID at process start
egid BIGINT_TYPE Effective group ID at process start
owner_uid BIGINT_TYPE File owner user ID
owner_gid BIGINT_TYPE File owner group ID
atime BIGINT_TYPE File last access in UNIX time
mtime BIGINT_TYPE File modification in UNIX time
ctime BIGINT_TYPE File last metadata change in UNIX time
btime BIGINT_TYPE File creation in UNIX time
overflows TEXT_TYPE List of structures that overflowed
parent BIGINT_TYPE Process parent's PID
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime
eid TEXT_TYPE Event ID

process_memory_map

Process memory mapped files and pseudo device/regions.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
start TEXT_TYPE Virtual start address (hex)
end TEXT_TYPE Virtual end address (hex)
permissions TEXT_TYPE r=read, w=write, x=execute, p=private (cow)
offset BIGINT_TYPE Offset into mapped path
device TEXT_TYPE MA:MI Major/minor device ID
inode INTEGER_TYPE Mapped path inode, 0 means uninitialized (BSS)
path TEXT_TYPE Path to mapped file or mapped type
pseudo INTEGER_TYPE 1 If path is a pseudo path, else 0
select * from process_memory_map where pid = 1

process_open_files

File descriptors for each process.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
fd BIGINT_TYPE Process-specific file descriptor number
path TEXT_TYPE Filesystem path of descriptor
select * from process_open_files where pid = 1

prometheus_metrics

Network interfaces and relevant metadata.
ColumnTypeDescription
target_name TEXT_TYPE Address of prometheus target
metric_name TEXT_TYPE Name of collected Prometheus metric
metric_value DOUBLE_TYPE Value of collected Prometheus metric
timestamp_ms BIGINT_TYPE Unix timestamp of collected data in MS

python_packages

Python packages installed in a system.
ColumnTypeDescription
name TEXT_TYPE Package display name
version TEXT_TYPE Package-supplied version
summary TEXT_TYPE Package-supplied summary
author TEXT_TYPE Optional package author
license TEXT_TYPE License under which package is launched
path TEXT_TYPE Path at which this module resides

shell_history

A line-delimited (command) table of per-user .*_history data.
ColumnTypeDescription
uid BIGINT_TYPE Shell history owner
time INTEGER_TYPE Entry timestamp
command TEXT_TYPE Unparsed date/line/command history line
history_file TEXT_TYPE Path to the .*_history for this user

smbios_tables

BIOS (DMI) structure common details and content.
ColumnTypeDescription
number INTEGER_TYPE Table entry number
type INTEGER_TYPE Table entry type
description TEXT_TYPE Table entry description
handle INTEGER_TYPE Table entry handle
header_size INTEGER_TYPE Header size in bytes
size INTEGER_TYPE Table entry size in bytes
md5 TEXT_TYPE MD5 hash of table entry

sudoers

Rules for running commands as other users via sudo.
ColumnTypeDescription
header TEXT_TYPE Symbol for given rule
rule_details TEXT_TYPE Rule definition

suid_bin

suid binaries in common locations.
ColumnTypeDescription
path TEXT_TYPE Binary path
username TEXT_TYPE Binary owner username
groupname TEXT_TYPE Binary owner group
permissions TEXT_TYPE Binary permissions

system_controls

sysctl names, values, and settings information.
ColumnTypeDescription
name TEXT_TYPE Full sysctl MIB name
oid TEXT_TYPE Control MIB
subsystem TEXT_TYPE Subsystem ID, control type
current_value TEXT_TYPE Value of setting
config_value TEXT_TYPE The MIB value set in /etc/sysctl.conf
type TEXT_TYPE Data type

usb_devices

USB devices that are actively plugged into the host system.
ColumnTypeDescription
usb_address INTEGER_TYPE USB Device used address
usb_port INTEGER_TYPE USB Device used port
vendor TEXT_TYPE USB Device vendor string
vendor_id TEXT_TYPE Hex encoded USB Device vendor identifier
model TEXT_TYPE USB Device model string
model_id TEXT_TYPE Hex encoded USB Device model identifier
serial TEXT_TYPE USB Device serial connection
removable INTEGER_TYPE 1 If USB device is removable else 0

user_groups

Local system user group relationships.
ColumnTypeDescription
uid BIGINT_TYPE User ID
gid BIGINT_TYPE Group ID

user_ssh_keys

Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the key file
path TEXT_TYPE Path to key file
encrypted INTEGER_TYPE 1 if key is encrypted, 0 otherwise

FreeBSD

fbsd_kmods

Loaded FreeBSD kernel modules.
ColumnTypeDescription
name TEXT_TYPE Module name
size INTEGER_TYPE Size of module content
refs INTEGER_TYPE Module reverse dependencies
address TEXT_TYPE Kernel module address

pkg_packages

pkgng packages that are currently installed on the host system.
ColumnTypeDescription
name TEXT_TYPE Package name
version TEXT_TYPE Package version
flatsize BIGINT_TYPE Package size in bytes
arch TEXT_TYPE Architecture(s) supported

Ubuntu, CentOS

apt_sources

Current list of APT repositories or software channels.
ColumnTypeDescription
name TEXT_TYPE Repository name
base_uri TEXT_TYPE Repository base URI
package_cache_file TEXT_TYPE Repository cache file
release TEXT_TYPE Release name
component TEXT_TYPE Repository component
version TEXT_TYPE Repository source version
maintainer TEXT_TYPE Repository maintainer
site TEXT_TYPE Repository site

deb_packages

The installed DEB package database.
ColumnTypeDescription
name TEXT_TYPE Package name
version TEXT_TYPE Package version
source TEXT_TYPE Package source
size BIGINT_TYPE Package size in bytes
arch TEXT_TYPE Package architecture
revision TEXT_TYPE Package revision

ec2_instance_metadata

EC2 instance metadata.
ColumnTypeDescription
instance_id TEXT_TYPE EC2 instance ID
instance_type TEXT_TYPE EC2 instance type
architecture TEXT_TYPE Hardware architecture of this EC2 instance
region TEXT_TYPE AWS region in which this instance launched
availability_zone TEXT_TYPE Availability zone in which this instance launched
local_hostname TEXT_TYPE Private IPv4 DNS hostname of the first interface of this instance
local_ipv4 TEXT_TYPE Private IPv4 address of the first interface of this instance
mac TEXT_TYPE MAC address for the first network interface of this EC2 instance
security_groups TEXT_TYPE Comma separated list of security group names
iam_arn TEXT_TYPE If there is an IAM role associated with the instance, contains instance profile ARN
ami_id TEXT_TYPE AMI ID used to launch this EC2 instance
reservation_id TEXT_TYPE ID of the reservation
account_id TEXT_TYPE AWS account ID which owns this EC2 instance
ssh_public_key TEXT_TYPE SSH public key. Only available if supplied at instance launch time
select * from ec2_instance_metadata

ec2_instance_tags

EC2 instance tag key value pairs.
ColumnTypeDescription
instance_id TEXT_TYPE EC2 instance ID
key TEXT_TYPE Tag key
value TEXT_TYPE Tag value
select * from ec2_instance_tags

iptables

Linux IP packet filtering and NAT tool.
ColumnTypeDescription
filter_name TEXT_TYPE Packet matching filter table name.
chain TEXT_TYPE Size of module content.
policy TEXT_TYPE Policy that applies for this rule.
target TEXT_TYPE Target that applies for this rule.
protocol INTEGER_TYPE Protocol number identification.
src_ip TEXT_TYPE Source IP address.
src_mask TEXT_TYPE Source IP address mask.
iniface TEXT_TYPE Input interface for the rule.
iniface_mask TEXT_TYPE Input interface mask for the rule.
dst_ip TEXT_TYPE Destination IP address.
dst_mask TEXT_TYPE Destination IP address mask.
outiface TEXT_TYPE Output interface for the rule.
outiface_mask TEXT_TYPE Output interface mask for the rule.
match TEXT_TYPE Matching rule that applies.
packets INTEGER_TYPE Number of matching packets for this rule.
bytes INTEGER_TYPE Number of matching bytes for this rule.

kernel_integrity

Various Linux kernel integrity checked attributes.
ColumnTypeDescription
sycall_addr_modified INTEGER_TYPE 0 or 1, for whether a syscall table pointer is modified
text_segment_hash TEXT_TYPE Hash value for the kernel's .text memory segment

kernel_modules

Linux kernel modules both loaded and within the load search path.
ColumnTypeDescription
name TEXT_TYPE Module name
size TEXT_TYPE Size of module content
used_by TEXT_TYPE Module reverse dependencies
status TEXT_TYPE Kernel module status
address TEXT_TYPE Kernel module address

md_devices

Software RAID array settings.
ColumnTypeDescription
device_name TEXT_TYPE md device name
status TEXT_TYPE Current state of the array
raid_level INTEGER_TYPE Current raid level of the array
size BIGINT_TYPE size of the array in blocks
chunk_size BIGINT_TYPE chunk size in bytes
raid_disks INTEGER_TYPE Number of configured RAID disks in array
nr_raid_disks INTEGER_TYPE Number of partitions or disk devices to comprise the array
working_disks INTEGER_TYPE Number of working disks in array
active_disks INTEGER_TYPE Number of active disks in array
failed_disks INTEGER_TYPE Number of active disks in array
spare_disks INTEGER_TYPE Number of active disks in array
superblock_state TEXT_TYPE State of the superblock
superblock_version TEXT_TYPE Version of the superblock
superblock_update_time BIGINT_TYPE Unix timestamp of last update
bitmap_on_mem TEXT_TYPE Pages allocated in in-memory bitmap, if enabled
bitmap_chunk_size TEXT_TYPE Bitmap chunk size
bitmap_external_file TEXT_TYPE External referenced bitmap file
recovery_progress TEXT_TYPE Progress of the recovery activity
recovery_finish TEXT_TYPE Estimated duration of recovery activity
recovery_speed TEXT_TYPE Speed of recovery activity
resync_progress TEXT_TYPE Progress of the resync activity
resync_finish TEXT_TYPE Estimated duration of resync activity
resync_speed TEXT_TYPE Speed of resync activity
reshape_progress TEXT_TYPE Progress of the reshape activity
reshape_finish TEXT_TYPE Estimated duration of reshape activity
reshape_speed TEXT_TYPE Speed of reshape activity
check_array_progress TEXT_TYPE Progress of the resync activity
check_array_finish TEXT_TYPE Estimated duration of resync activity
check_array_speed TEXT_TYPE Speed of resync activity
unused_devices TEXT_TYPE Unused devices
other TEXT_TYPE Other information associated with array from /proc/mdstat

md_drives

Drive devices used for Software RAID.
ColumnTypeDescription
md_device_name TEXT_TYPE md device name
drive_name TEXT_TYPE Drive device name
slot INTEGER_TYPE Slot position of disk
state TEXT_TYPE State of the drive

md_personalities

Software RAID setting supported by the kernel.
ColumnTypeDescription
name TEXT_TYPE Name of personality supported by kernel

memory_info

Main memory information in bytes.
ColumnTypeDescription
memory_total BIGINT_TYPE Total amount of physical RAM, in bytes
memory_free BIGINT_TYPE The amount of physical RAM, in bytes, left unused by the system
buffers BIGINT_TYPE The amount of physical RAM, in bytes, used for file buffers
cached BIGINT_TYPE The amount of physical RAM, in bytes, used as cache memory
swap_cached BIGINT_TYPE The amount of swap, in bytes, used as cache memory
active BIGINT_TYPE The total amount of buffer or page cache memory, in bytes, that is in active use
inactive BIGINT_TYPE The total amount of buffer or page cache memory, in bytes, that are free and available
swap_total BIGINT_TYPE The total amount of swap available, in bytes
swap_free BIGINT_TYPE The total amount of swap free, in bytes

memory_map

OS memory region map.
ColumnTypeDescription
name TEXT_TYPE Region name
start TEXT_TYPE Start address of memory region
end TEXT_TYPE End address of memory region

msr

Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.
ColumnTypeDescription
processor_number BIGINT_TYPE The processor number as reported in /proc/cpuinfo
turbo_disabled BIGINT_TYPE Whether the turbo feature is disabled.
turbo_ratio_limit BIGINT_TYPE The turbo feature ratio limit.
platform_info BIGINT_TYPE Platform information.
perf_ctl BIGINT_TYPE Performance setting for the processor.
perf_status BIGINT_TYPE Performance status for the processor.
feature_control BIGINT_TYPE Bitfield controling enabled features.
rapl_power_limit BIGINT_TYPE Run Time Average Power Limiting power limit.
rapl_energy_status BIGINT_TYPE Run Time Average Power Limiting energy status.
rapl_power_units BIGINT_TYPE Run Time Average Power Limiting power units.

portage_keywords

A summary about portage configurations like keywords, mask and unmask.
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version which are affected by the use flags, empty means all
keyword TEXT_TYPE The keyword applied to the package
mask INTEGER_TYPE If the package is masked
unmask INTEGER_TYPE If the package is unmasked

portage_packages

List of currently installed packages.
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version which are affected by the use flags, empty means all
slot TEXT_TYPE The slot used by package
build_time BIGINT_TYPE Unix time when package was built
repository TEXT_TYPE From which repository the ebuild was used
eapi BIGINT_TYPE The eapi for the ebuild
size BIGINT_TYPE The size of the package
world INTEGER_TYPE If package is in the world file

portage_use

List of enabled portage USE values for specific package.
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version of the installed package
use TEXT_TYPE USE flag which has been enabled for package

rpm_package_files

RPM packages that are currently installed on the host system.
ColumnTypeDescription
package TEXT_TYPE RPM package name
path TEXT_TYPE Path name
username TEXT_TYPE File default username from info DB
groupname TEXT_TYPE File default groupname from info DB
mode TEXT_TYPE File permissions mode from info DB
size BIGINT_TYPE Expected file size in bytes from RPM info DB
sha256 TEXT_TYPE SHA256 file digest from RPM info DB

rpm_packages

RPM packages that are currently installed on the host system.
ColumnTypeDescription
name TEXT_TYPE RPM package name
version TEXT_TYPE Package version
release TEXT_TYPE Package release
source TEXT_TYPE Source RPM package name (optional)
size BIGINT_TYPE Package size in bytes
sha1 TEXT_TYPE SHA1 hash of the package contents
arch TEXT_TYPE Architecture(s) supported

shared_memory

OS shared memory regions.
ColumnTypeDescription
shmid INTEGER_TYPE Shared memory segment ID
owner_uid BIGINT_TYPE User ID of owning process
creator_uid BIGINT_TYPE User ID of creator process
pid BIGINT_TYPE Process ID to last use the segment
creator_pid BIGINT_TYPE Process ID that created the segment
atime BIGINT_TYPE Attached time
dtime BIGINT_TYPE Detached time
ctime BIGINT_TYPE Changed time
permissions TEXT_TYPE Memory segment permissions
size BIGINT_TYPE Size in bytes
attached INTEGER_TYPE Number of attached processes
status TEXT_TYPE Destination/attach status
locked INTEGER_TYPE 1 if segment is locked else 0

socket_events

Track network socket opens and closes.
ColumnTypeDescription
action TEXT_TYPE The socket action (bind, listen, close)
pid BIGINT_TYPE Process (or thread) ID
path TEXT_TYPE Path of executed file
fd TEXT_TYPE The file description for the process socket
auid BIGINT_TYPE Audit User ID
success INTEGER_TYPE The socket open attempt status
family INTEGER_TYPE The Internet protocol family ID
protocol INTEGER_TYPE The network protocol ID
local_address TEXT_TYPE Local address associated with socket
remote_address TEXT_TYPE Remote address associated with socket
local_port INTEGER_TYPE Local network protocol port number
remote_port INTEGER_TYPE Remote network protocol port number
socket TEXT_TYPE The local path (UNIX domain socket only)
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime
eid TEXT_TYPE Event ID

syslog_events

ColumnTypeDescription
time BIGINT_TYPE Current unix epoch time
datetime TEXT_TYPE Time known to syslog
host TEXT_TYPE Hostname configured for syslog
severity INTEGER_TYPE Syslog severity
facility TEXT_TYPE Syslog facility
tag TEXT_TYPE The syslog tag
message TEXT_TYPE The syslog message
eid TEXT_TYPE Event ID

user_events

Track user events from the audit framework.
ColumnTypeDescription
uid BIGINT_TYPE User ID
auid BIGINT_TYPE Audit User ID
pid BIGINT_TYPE Process (or thread) ID
message TEXT_TYPE Path of executed file
type INTEGER_TYPE The file description for the process socket
path TEXT_TYPE The socket open attempt status
address TEXT_TYPE The Internet protocol family ID
terminal TEXT_TYPE The network protocol ID
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime
eid TEXT_TYPE Event ID

Darwin (OS X)

ad_config

OS X Active Directory configuration.
ColumnTypeDescription
name TEXT_TYPE The OS X-specific configuration name
domain TEXT_TYPE Active Directory trust domain
option TEXT_TYPE Canonical name of option
value TEXT_TYPE Variable typed option value

alf

OS X application layer firewall (ALF) service details.
ColumnTypeDescription
allow_signed_enabled INTEGER_TYPE 1 If allow signed mode is enabled else 0
firewall_unload INTEGER_TYPE 1 If firewall unloading enabled else 0
global_state INTEGER_TYPE 1 If the firewall start by default else 0
logging_enabled INTEGER_TYPE 1 If logging mode is enabled else 0
logging_option INTEGER_TYPE Firewall logging option
stealth_enabled INTEGER_TYPE 1 If stealth mode is enabled else 0
version TEXT_TYPE Application Layer Firewall version

alf_exceptions

OS X application layer firewall (ALF) service exceptions.
ColumnTypeDescription
path TEXT_TYPE Path to the executable that is excepted
state INTEGER_TYPE Firewall exception state

alf_explicit_auths

ALF services explicitly allowed to perform networking.
ColumnTypeDescription
process TEXT_TYPE Process name explicitly allowed

alf_services

OS X application layer firewall (Firewall) services.
ColumnTypeDescription
service TEXT_TYPE Firewalled service name
process TEXT_TYPE Process name
state INTEGER_TYPE Firewall service state

app_schemes

OS X application schemes and handlers (e.g., http, file, mailto).
ColumnTypeDescription
scheme TEXT_TYPE Name of the scheme/protocol
handler TEXT_TYPE Application label for the handler
enabled INTEGER_TYPE 1 if this handler is the OS default, else 0
external INTEGER_TYPE 1 if this handler does NOT exist on OS X by default, else 0
protected INTEGER_TYPE 1 if this handler is protected (reserved) by OS X, else 0

apps

OS X applications installed in known search paths (e.g., /Applications).
ColumnTypeDescription
name TEXT_TYPE Name of the Name.app folder
path TEXT_TYPE Absolute and full Name.app path
bundle_executable TEXT_TYPE Info properties CFBundleExecutable label
bundle_identifier TEXT_TYPE Info properties CFBundleIdentifier label
bundle_name TEXT_TYPE Info properties CFBundleName label
bundle_short_version TEXT_TYPE Info properties CFBundleShortVersionString label
bundle_version TEXT_TYPE Info properties CFBundleVersion label
bundle_package_type TEXT_TYPE Info properties CFBundlePackageType label
environment TEXT_TYPE Application-set environment variables
element TEXT_TYPE Does the app identify as a background agent
compiler TEXT_TYPE Info properties DTCompiler label
development_region TEXT_TYPE Info properties CFBundleDevelopmentRegion label
display_name TEXT_TYPE Info properties CFBundleDisplayName label
info_string TEXT_TYPE Info properties CFBundleGetInfoString label
minimum_system_version TEXT_TYPE Minimum version of OS X required for the app to run
category TEXT_TYPE The UTI that categorizes the app for the App Store
applescript_enabled TEXT_TYPE Info properties NSAppleScriptEnabled label
copyright TEXT_TYPE Info properties NSHumanReadableCopyright label

asl

Queries the Apple System Log data structure for system events.
ColumnTypeDescription
time INTEGER_TYPE Unix timestamp. Set automatically
time_nano_sec INTEGER_TYPE Nanosecond time.
host TEXT_TYPE Sender's address (set by the server).
sender TEXT_TYPE Sender's identification string. Default is process name.
facility TEXT_TYPE Sender's facility. Default is 'user'.
pid INTEGER_TYPE Sending process ID encoded as a string. Set automatically.
gid BIGINT_TYPE GID that sent the log message (set by the server).
uid BIGINT_TYPE UID that sent the log message (set by the server).
level INTEGER_TYPE Log level number. See levels in asl.h.
message TEXT_TYPE Message text.
ref_pid INTEGER_TYPE Reference PID for messages proxied by launchd
ref_proc TEXT_TYPE Reference process for messages proxied by launchd
extra TEXT_TYPE Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.

authorization_mechanisms

OS X Authorization mechanisms database.
ColumnTypeDescription
label TEXT_TYPE Label of the authorization right
plugin TEXT_TYPE Authorization plugin name
mechanism TEXT_TYPE Name of the mechanism that will be called
privileged TEXT_TYPE If privileged it will run as root, else as an anonymous user
entry TEXT_TYPE The whole string entry
select * from authorization_mechanisms;
select * from authorization_mechanisms where label = 'system.login.console';
select * from authorization_mechanisms where label = 'authenticate';

authorizations

OS X Authorization rights database.
ColumnTypeDescription
label TEXT_TYPE Item name, usually in reverse domain format
modified TEXT_TYPE Label top-level key
allow_root TEXT_TYPE Label top-level key
timeout TEXT_TYPE Label top-level key
version TEXT_TYPE Label top-level key
tries TEXT_TYPE Label top-level key
authenticate_user TEXT_TYPE Label top-level key
shared TEXT_TYPE Label top-level key
comment TEXT_TYPE Label top-level key
created TEXT_TYPE Label top-level key
class TEXT_TYPE Label top-level key
session_owner TEXT_TYPE Label top-level key
select * from authorizations;
select * from authorizations where label = 'system.login.console';
select * from authorizations where label = 'authenticate';
select * from authorizations where label = 'system.preferences.softwareupdate';

browser_plugins

All C/NPAPI browser plugin details for all users.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the plugin
name TEXT_TYPE Plugin display name
identifier TEXT_TYPE Plugin identifier
version TEXT_TYPE Plugin short version
sdk TEXT_TYPE Build SDK used to compile plugin
description TEXT_TYPE Plugin description text
development_region TEXT_TYPE Plugin language-localization
native INTEGER_TYPE Plugin requires native execution
path TEXT_TYPE Path to plugin bundle
disabled INTEGER_TYPE Is the plugin disabled. 1 = Disabled

certificates

Certificate Authorities installed in Keychains/ca-bundles.
ColumnTypeDescription
common_name TEXT_TYPE Certificate CommonName
subject TEXT_TYPE Certificate distinguished name
issuer TEXT_TYPE Certificate issuer distinguished name
ca INTEGER_TYPE 1 if CA: true (certificate is an authority) else 0
self_signed INTEGER_TYPE 1 if self-signed, else 0
not_valid_before TEXT_TYPE Lower bound of valid date
not_valid_after TEXT_TYPE Certificate expiration data
signing_algorithm TEXT_TYPE Signing algorithm used
key_algorithm TEXT_TYPE Key algorithm used
key_strength TEXT_TYPE Key size used for RSA/DSA, or curve name
key_usage TEXT_TYPE Certificate key usage and extended key usage
subject_key_id TEXT_TYPE SKID an optionally included SHA1
authority_key_id TEXT_TYPE AKID an optionally included SHA1
sha1 TEXT_TYPE SHA1 hash of the raw certificate contents
path TEXT_TYPE Path to Keychain or PEM bundle

crashes

Application, System, and Mobile App crash logs.
ColumnTypeDescription
type TEXT_TYPE Type of crash log
pid BIGINT_TYPE Process (or thread) ID of the crashed process
path TEXT_TYPE Path to the crashed process
crash_path TEXT_TYPE Location of log file
identifier TEXT_TYPE Identifier of the crashed process
version TEXT_TYPE Version info of the crashed process
parent BIGINT_TYPE Parent PID of the crashed process
responsible TEXT_TYPE Process responsible for the crashed process
uid INTEGER_TYPE User ID of the crashed process
datetime TEXT_TYPE Date/Time at which the crash occurred
crashed_thread BIGINT_TYPE Thread ID which crashed
stack_trace TEXT_TYPE Most recent frame from the stack trace
exception_type TEXT_TYPE Exception type of the crash
exception_codes TEXT_TYPE Exception codes from the crash
exception_notes TEXT_TYPE Exception notes from the crash
registers TEXT_TYPE The value of the system registers

device_firmware

A best-effort list of discovered firmware versions.
ColumnTypeDescription
type TEXT_TYPE Type of device
device TEXT_TYPE The device name
version TEXT_TYPE Firmware version

disk_events

Track DMG disk image events (appearance/disappearance) when opened.
ColumnTypeDescription
action TEXT_TYPE Appear or disappear
path TEXT_TYPE Path of the DMG file accessed
name TEXT_TYPE Disk event name
device TEXT_TYPE Disk event BSD name
uuid TEXT_TYPE UUID of the volume inside DMG if available
size BIGINT_TYPE Size of partition in bytes
ejectable INTEGER_TYPE 1 if ejectable, 0 if not
mountable INTEGER_TYPE 1 if mountable, 0 if not
writable INTEGER_TYPE 1 if writable, 0 if not
content TEXT_TYPE Disk event content
media_name TEXT_TYPE Disk event media name string
vendor TEXT_TYPE Disk event vendor string
filesystem TEXT_TYPE Filesystem if available
checksum TEXT_TYPE UDIF Master checksum if available (CRC32)
time BIGINT_TYPE Time of appearance/disappearance in UNIX time
eid TEXT_TYPE Event ID

event_taps

Returns information about installed event taps.
ColumnTypeDescription
enabled INTEGER_TYPE Is the Event Tap enabled
event_tap_id INTEGER_TYPE Unique ID for the Tap
event_tapped TEXT_TYPE The mask that identifies the set of events to be observed.
process_being_tapped INTEGER_TYPE The process ID of the target application
tapping_process INTEGER_TYPE The process ID of the application that created the event tap.

extended_attributes

Returns the extended attributes for files (similar to Windows ADS).
ColumnTypeDescription
path TEXT_TYPE Absolute file path
directory TEXT_TYPE Directory of file(s)
key TEXT_TYPE Name of the value generated from the extended attribute
value TEXT_TYPE The parsed information from the attribute
base64 INTEGER_TYPE 1 if the value is base64 encoded else 0

fan_speed_sensors

Fan speeds.
ColumnTypeDescription
fan TEXT_TYPE Fan number
name TEXT_TYPE Fan name
actual INTEGER_TYPE Actual speed
min INTEGER_TYPE Minimum speed
max INTEGER_TYPE Maximum speed
target INTEGER_TYPE Target speed

gatekeeper

OS X Gatekeeper Details.
ColumnTypeDescription
assessments_enabled INTEGER_TYPE 1 If a Gatekeeper is enabled else 0
dev_id_enabled INTEGER_TYPE 1 If a Gatekeeper allows execution from identified developers else 0
version TEXT_TYPE Version of Gatekeeper's gke.bundle
opaque_version TEXT_TYPE Version of Gatekeeper's gkopaque.bundle

gatekeeper_approved_apps

Gatekeeper apps a user has allowed to run.
ColumnTypeDescription
path TEXT_TYPE Path of executable allowed to run
requirement TEXT_TYPE Code signing requirement language
ctime DOUBLE_TYPE Last change time
mtime DOUBLE_TYPE Last modification time

homebrew_packages

The installed homebrew package database.
ColumnTypeDescription
name TEXT_TYPE Package name
path TEXT_TYPE Package install path
version TEXT_TYPE Current 'linked' version

iokit_devicetree

The IOKit registry matching the DeviceTree plane.
ColumnTypeDescription
name TEXT_TYPE Device node name
class TEXT_TYPE Best matching device class (most-specific category)
id BIGINT_TYPE IOKit internal registry ID
parent BIGINT_TYPE Parent device registry ID
device_path TEXT_TYPE Device tree path
service INTEGER_TYPE 1 if the device conforms to IOService else 0
busy_state INTEGER_TYPE 1 if the device is in a busy state else 0
retain_count INTEGER_TYPE The device reference count
depth INTEGER_TYPE Device nested depth

iokit_registry

The full IOKit registry without selecting a plane.
ColumnTypeDescription
name TEXT_TYPE Default name of the node
class TEXT_TYPE Best matching device class (most-specific category)
id BIGINT_TYPE IOKit internal registry ID
parent BIGINT_TYPE Parent registry ID
busy_state INTEGER_TYPE 1 if the node is in a busy state else 0
retain_count INTEGER_TYPE The node reference count
depth INTEGER_TYPE Node nested depth

kernel_extensions

OS X's kernel extensions, both loaded and within the load search path.
ColumnTypeDescription
idx INTEGER_TYPE Extension load tag or index
refs INTEGER_TYPE Reference count
size BIGINT_TYPE Bytes of wired memory used by extension
name TEXT_TYPE Extension label
version TEXT_TYPE Extension version
linked_against TEXT_TYPE Indexes of extensions this extension is linked against
path TEXT_TYPE Optional path to extension bundle

kernel_panics

System kernel panic logs.
ColumnTypeDescription
path TEXT_TYPE Location of log file
time TEXT_TYPE Formatted time of the event
registers TEXT_TYPE A space delimited line of register:value pairs
frame_backtrace TEXT_TYPE Backtrace of the crashed module
module_backtrace TEXT_TYPE Modules appearing in the crashed module's backtrace
dependencies TEXT_TYPE Module dependencies existing in crashed module's backtrace
name TEXT_TYPE Process name corresponding to crashed thread
os_version TEXT_TYPE Version of the operating system
kernel_version TEXT_TYPE Version of the system kernel
system_model TEXT_TYPE Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'
uptime BIGINT_TYPE System uptime at kernel panic in nanoseconds
last_loaded TEXT_TYPE Last loaded module before panic
last_unloaded TEXT_TYPE Last unloaded module before panic

keychain_acls

Applications that have ACL entries in the keychain.
ColumnTypeDescription
keychain_path TEXT_TYPE The path of the keychain
authorizations TEXT_TYPE A space delimited set of authorization attributes
path TEXT_TYPE The path of the authorized application
description TEXT_TYPE The description included with the ACL entry
label TEXT_TYPE An optional label tag that may be included with the keychain entry
select label, description, authorizations, path, count(path) as c from keychain_acls where label != '' and path != '' group by label having c > 1;

keychain_items

Generic details about keychain items.
ColumnTypeDescription
label TEXT_TYPE Generic item name
description TEXT_TYPE Optional item description
comment TEXT_TYPE Optional keychain comment
created TEXT_TYPE Data item was created
modified TEXT_TYPE Date of last modification
type TEXT_TYPE Keychain item type (class)
path TEXT_TYPE Path to keychain containing item

launchd

LaunchAgents and LaunchDaemons from default search paths.
ColumnTypeDescription
path TEXT_TYPE Path to daemon or agent plist
name TEXT_TYPE File name of plist (used by launchd)
label TEXT_TYPE Daemon or agent service name
program TEXT_TYPE Path to target program
run_at_load TEXT_TYPE Should the program run on launch load
keep_alive TEXT_TYPE Should the process be restarted if killed
on_demand TEXT_TYPE Deprecated key, replaced by keep_alive
disabled TEXT_TYPE Skip loading this daemon or agent on boot
username TEXT_TYPE Run this daemon or agent as this username
groupname TEXT_TYPE Run this daemon or agent as this group
stdout_path TEXT_TYPE Pipe stdout to a target path
stderr_path TEXT_TYPE Pipe stderr to a target path
start_interval TEXT_TYPE Frecuency of running in seconds
program_arguments TEXT_TYPE Command line arguments passed to program
watch_paths TEXT_TYPE Key that launches daemon or agent if path is modified
queue_directories TEXT_TYPE Similar to watch_paths but only with non-empty directories
inetd_compatibility TEXT_TYPE Run this daemon or agent as it was launched from inetd
start_on_mount TEXT_TYPE Run daemon or agent every time a filesystem is mounted
root_directory TEXT_TYPE Key used to specify a directory to chroot to before launch
working_directory TEXT_TYPE Key used to specify a directory to chdir to before launch
process_type TEXT_TYPE Key describes the intended purpose of the job

launchd_overrides

Override keys, per user, for LaunchDaemons and Agents.
ColumnTypeDescription
label TEXT_TYPE Daemon or agent service name
key TEXT_TYPE Name of the override key
value TEXT_TYPE Overriden value
uid BIGINT_TYPE User ID applied to the override, 0 applies to all
path TEXT_TYPE Path to daemon or agent plist

managed_policies

The managed configuration policies from AD, MDM, MCX, etc.
ColumnTypeDescription
domain TEXT_TYPE System or manager-chosen domain key
uuid TEXT_TYPE Optional UUID assigned to policy set
name TEXT_TYPE Policy key name
value TEXT_TYPE Policy value
username TEXT_TYPE Policy applies only this user
manual INTEGER_TYPE 1 if policy was loaded manually, otherwise 0

nfs_shares

NFS shares exported by the host.
ColumnTypeDescription
share TEXT_TYPE Filesystem path to the share
options TEXT_TYPE Options string set on the export share
readonly INTEGER_TYPE 1 if the share is exported readonly else 0

nvram

Apple NVRAM variable listing.
ColumnTypeDescription
name TEXT_TYPE Variable name
type TEXT_TYPE Data type (CFData, CFString, etc)
value TEXT_TYPE Raw variable data

package_bom

OS X package bill of materials (BOM) file list.
ColumnTypeDescription
filepath TEXT_TYPE Package file or directory
uid INTEGER_TYPE Expected user of file or directory
gid INTEGER_TYPE Expected group of file or directory
mode INTEGER_TYPE Expected permissions
size BIGINT_TYPE Expected file size
modified_time INTEGER_TYPE Timestamp the file was installed
path TEXT_TYPE Path of package bom
select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'

package_install_history

OS X package install history.
ColumnTypeDescription
package_id TEXT_TYPE Label packageIdentifiers
time INTEGER_TYPE Label date as UNIX timestamp
name TEXT_TYPE Package display name
version TEXT_TYPE Package display version
source TEXT_TYPE Install source: usually the installer process name
content_type TEXT_TYPE Package content_type (optional)

package_receipts

OS X package receipt details.
ColumnTypeDescription
package_id TEXT_TYPE Package domain identifier
package_filename TEXT_TYPE Filename of original .pkg file
version TEXT_TYPE Installed package version
location TEXT_TYPE Optional relative install path on volume
install_time DOUBLE_TYPE Timestamp of install time
installer_name TEXT_TYPE Name of installer process
path TEXT_TYPE Path of receipt plist
select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'

plist

Read and parse a plist file.
ColumnTypeDescription
key TEXT_TYPE Preference top-level key
subkey TEXT_TYPE Intemediate key path, includes lists/dicts
value TEXT_TYPE String value of most CF types
path TEXT_TYPE (optional) read preferences from a plist
select * from plist where path = '/Library/Preferences/loginwindow.plist'

power_sensors

Machine power (currents, voltages, wattages, etc) sensors.
ColumnTypeDescription
key TEXT_TYPE The SMC key on OS X
category TEXT_TYPE The sensor category: currents, voltage, wattage
name TEXT_TYPE Name of power source
value TEXT_TYPE Power in Watts
select * from power_sensors where category = 'voltage'

preferences

OS X defaults and managed preferences.
ColumnTypeDescription
domain TEXT_TYPE Application ID usually in com.name.product format
key TEXT_TYPE Preference top-level key
subkey TEXT_TYPE Intemediate key path, includes lists/dicts
value TEXT_TYPE String value of most CF types
forced INTEGER_TYPE 1 if the value is forced/managed, else 0
username TEXT_TYPE (optional) read preferences for a specific user
select * from preferences where domain = 'loginwindow'

process_file_events

Process file events (open and close) from kernel extension.
ColumnTypeDescription
action TEXT_TYPE The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)
pid BIGINT_TYPE Process ID of the process using the file
path TEXT_TYPE Path of file
parent BIGINT_TYPE Parent process ID of the process using the file
uid BIGINT_TYPE Real user ID of the user process using the file
euid BIGINT_TYPE Effective user ID of the process using the file
gid BIGINT_TYPE Real group ID of the process using the file
egid BIGINT_TYPE Effective group ID of the processs using the file
mode BIGINT_TYPE Indicates the mode of the file
owner_uid BIGINT_TYPE User ID of the owner of the file
owner_gid BIGINT_TYPE Group ID of the owner of the file
atime BIGINT_TYPE Time of last access in UNIX epoch time
mtime BIGINT_TYPE Time of last modification in UNIX epoch time
ctime BIGINT_TYPE Time of last status change
time BIGINT_TYPE Time of event in UNIX epoch time
uptime BIGINT_TYPE Time of event in system uptime
eid TEXT_TYPE Event ID

quicklook_cache

Files and thumbnails within OS X's Quicklook Cache.
ColumnTypeDescription
path TEXT_TYPE Path of file
rowid INTEGER_TYPE Quicklook file rowid key
fs_id TEXT_TYPE Quicklook file fs_id key
volume_id INTEGER_TYPE Parsed volume ID from fs_id
inode INTEGER_TYPE Parsed file ID (inode) from fs_id
mtime INTEGER_TYPE Parsed version date field
size BIGINT_TYPE Parsed version size field
label TEXT_TYPE Parsed version 'gen' field
last_hit_date INTEGER_TYPE Apple date format for last thumbnail cache hit
hit_count TEXT_TYPE Number of cache hits on thumbnail
icon_mode BIGINT_TYPE Thumbnail icon mode
cache_path TEXT_TYPE Path to cache data

safari_extensions

Safari browser extension details for all users.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension long version
sdk TEXT_TYPE Bundle SDK used to compile extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
developer_id TEXT_TYPE Optional developer identifier
description TEXT_TYPE Optional extension description text
path TEXT_TYPE Path to extension XAR bundle
select count(*) from users JOIN safari_extensions using (uid)

sandboxes

OS X application sandboxes container details.
ColumnTypeDescription
label TEXT_TYPE UTI-format bundle or label ID
user TEXT_TYPE Sandbox owner
enabled INTEGER_TYPE Application sandboxings enabled on container
build_id TEXT_TYPE Sandbox-specific identifier
bundle_path TEXT_TYPE Application bundle used by the sandbox
path TEXT_TYPE Path to sandbox container directory

shared_folders

Folders available to others via SMB or AFP.
ColumnTypeDescription
name TEXT_TYPE The shared name of the folder as it appears to other users
path TEXT_TYPE Absolute path of shared folder on the local system

sharing_preferences

OS X Sharing preferences.
ColumnTypeDescription
screen_sharing INTEGER_TYPE 1 If screen sharing is enabled else 0
file_sharing INTEGER_TYPE 1 If file sharing is enabled else 0
printer_sharing INTEGER_TYPE 1 If printer sharing is enabled else 0
remote_login INTEGER_TYPE 1 If remote login is enabled else 0
remote_management INTEGER_TYPE 1 If remote management is enabled else 0
remote_apple_events INTEGER_TYPE 1 If remote apple events are enabled else 0
internet_sharing INTEGER_TYPE 1 If internet sharing is enabled else 0
bluetooth_sharing INTEGER_TYPE 1 If bluetooth sharing is enabled for any user else 0
disc_sharing INTEGER_TYPE 1 If CD or DVD sharing is enabled else 0

signature

File (executable, bundle, installer, disk) code signing status.
ColumnTypeDescription
path TEXT_TYPE Must provide a path or directory
signed INTEGER_TYPE 1 If the file is signed else 0
identifier TEXT_TYPE The signing identifier sealed into the signature
cdhash TEXT_TYPE SHA1 hash of the application Code Directory
team_identifier TEXT_TYPE The team signing identifier sealed into the signature
authority TEXT_TYPE Certificate Common Name
select * from signature where path = '/bin/ls'

sip_config

Apple's System Integrity Protection (rootless) status.
ColumnTypeDescription
config_flag TEXT_TYPE The System Integrity Protection config flag
enabled INTEGER_TYPE 1 if this configuration is enabled, otherwise 0
enabled_nvram INTEGER_TYPE 1 if this configuration is enabled, otherwise 0
select * from sip_config

smc_keys

Apple's system management controller keys.
ColumnTypeDescription
key TEXT_TYPE 4-character key
type TEXT_TYPE SMC-reported type literal type
size INTEGER_TYPE Reported size of data in bytes
value TEXT_TYPE A type-encoded representation of the key value
hidden INTEGER_TYPE 1 if this key is normally hidden, otherwise 0
select * from smc_keys where key = 'MOJO'

temperature_sensors

Machine's temperature sensors.
ColumnTypeDescription
key TEXT_TYPE The SMC key on OS X
name TEXT_TYPE Name of temperature source
celsius DOUBLE_TYPE Temperature in Celsius
fahrenheit DOUBLE_TYPE Temperature in Fahrenheit

time_machine_backups

Backups to drives using TimeMachine.
ColumnTypeDescription
destination_id TEXT_TYPE Time Machine destination ID
backup_date INTEGER_TYPE Backup Date
select alias, backup_date, td.destination_id, root_volume_uuid, encryption from time_machine_backups tb join time_machine_destinations td on (td.destination_id=tb.destination_id);

time_machine_destinations

Locations backed up to using Time Machine.
ColumnTypeDescription
alias TEXT_TYPE Human readable name of drive
destination_id TEXT_TYPE Time Machine destination ID
consistency_scan_date INTEGER_TYPE Consistency scan date
root_volume_uuid TEXT_TYPE Root UUID of backup volume
bytes_available INTEGER_TYPE Bytes available on volume
bytes_used INTEGER_TYPE Bytes used on volume
encryption TEXT_TYPE Last known encrypted state
select alias, backup_date, td.destination_id, root_volume_uuid, encryption from time_machine_backups tb join time_machine_destinations td on (td.destination_id=tb.destination_id);

virtual_memory_info

Darwin Virtual Memory statistics.
ColumnTypeDescription
free BIGINT_TYPE Total number of free pages.
active BIGINT_TYPE Total number of active pages.
inactive BIGINT_TYPE Total number of inactive pages.
speculative BIGINT_TYPE Total number of speculative pages.
throttled BIGINT_TYPE Total number of throttled pages.
wired BIGINT_TYPE Total number of wired down pages.
purgeable BIGINT_TYPE Total number of purgeable pages.
faults BIGINT_TYPE Total number of calls to vm_faults.
copy BIGINT_TYPE Total number of copy-on-write pages.
zero_fill BIGINT_TYPE Total number of zero filled pages.
reactivated BIGINT_TYPE Total number of reactivated pages.
purged BIGINT_TYPE Total number of purged pages.
file_backed BIGINT_TYPE Total number of file backed pages.
anonymous BIGINT_TYPE Total number of anonymous pages.
uncompressed BIGINT_TYPE Total number of uncompressed pages.
compressor BIGINT_TYPE The number of pages used to store compressed VM pages.
decompressed BIGINT_TYPE The total number of pages that have been decompressed by the VM compressor.
compressed BIGINT_TYPE The total number of pages that have been compressed by the VM compressor.
page_ins BIGINT_TYPE The total number of requests for pages from a pager.
page_outs BIGINT_TYPE Total number of pages paged out.
swap_ins BIGINT_TYPE The total number of compressed pages that have been swapped out to disk.
swap_outs BIGINT_TYPE The total number of compressed pages that have been swapped back in from disk.
select * from virtual_memory_info;

wifi_networks

OS X known/remembered Wi-Fi networks list.
ColumnTypeDescription
ssid TEXT_TYPE SSID octets of the network
network_name TEXT_TYPE Name of the network
security_type TEXT_TYPE Type of security on this network
last_connected INTEGER_TYPE Last time this netword was connected to as a unix_time
passpoint INTEGER_TYPE 1 if Passpoint is supported, 0 otherwise
possibly_hidden INTEGER_TYPE 1 if network is possibly a hidden network, 0 otherwise
roaming INTEGER_TYPE 1 if roaming is supported, 0 otherwise
roaming_profile TEXT_TYPE Describe the roaming profile, usually one of Single, Dual or Multi
captive_portal INTEGER_TYPE 1 if this network has a captive portal, 0 otherwise
auto_login INTEGER_TYPE 1 if auto login is enabled, 0 otherwise
temporarily_disabled INTEGER_TYPE 1 if this network is temporarily disabled, 0 otherwise
disabled INTEGER_TYPE 1 if this network is disabled, 0 otherwise

wifi_status

OS X current WiFi status.
ColumnTypeDescription
interface TEXT_TYPE Name of the interface
ssid TEXT_TYPE SSID octets of the network
bssid TEXT_TYPE The current basic service set identifier
network_name TEXT_TYPE Name of the network
country_code TEXT_TYPE The country code (ISO/IEC 3166-1:1997) for the network
security_type TEXT_TYPE Type of security on this network
rssi INTEGER_TYPE The current received signal strength indication (dbm)
noise INTEGER_TYPE The current noise measurement (dBm)
channel INTEGER_TYPE Channel number
channel_width INTEGER_TYPE Channel width
channel_band INTEGER_TYPE Channel band
transmit_rate TEXT_TYPE The current transmit rate
mode TEXT_TYPE The current operating mode for the Wi-Fi interface

wifi_survey

Scan for nearby WiFi networks.
ColumnTypeDescription
interface TEXT_TYPE Name of the interface
ssid TEXT_TYPE SSID octets of the network
bssid TEXT_TYPE The current basic service set identifier
network_name TEXT_TYPE Name of the network
country_code TEXT_TYPE The country code (ISO/IEC 3166-1:1997) for the network
rssi INTEGER_TYPE The current received signal strength indication (dbm)
noise INTEGER_TYPE The current noise measurement (dBm)
channel INTEGER_TYPE Channel number
channel_width INTEGER_TYPE Channel width
channel_band INTEGER_TYPE Channel band

xprotect_entries

Database of the machine's XProtect signatures.
ColumnTypeDescription
name TEXT_TYPE Description of XProtected malware
launch_type TEXT_TYPE Launch services content type
identity TEXT_TYPE XProtect identity (SHA1) of content
filename TEXT_TYPE Use this file name to match
filetype TEXT_TYPE Use this file type to match
optional INTEGER_TYPE Match any of the identities/patterns for this XProtect name
uses_pattern INTEGER_TYPE Uses a match pattern instead of identity

xprotect_meta

Database of the machine's XProtect browser-related signatures.
ColumnTypeDescription
identifier TEXT_TYPE Browser plugin or extension identifier
type TEXT_TYPE Either plugin or extension
developer_id TEXT_TYPE Developer identity (SHA1) of extension
min_version TEXT_TYPE The minimum allowed plugin version.

xprotect_reports

Database of XProtect matches (if user generated/sent an XProtect report).
ColumnTypeDescription
name TEXT_TYPE Description of XProtected malware
user_action TEXT_TYPE Action taken by user after prompted
time TEXT_TYPE Quarantine alert time

Utility

file

Interactive filesystem attributes and metadata.
ColumnTypeDescription
path TEXT_TYPE Absolute file path
directory TEXT_TYPE Directory of file(s)
filename TEXT_TYPE Name portion of file path
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
device BIGINT_TYPE Device ID (optional)
size BIGINT_TYPE Size of file in bytes
block_size INTEGER_TYPE Block size of filesystem
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Last status change time
btime BIGINT_TYPE (B)irth or (cr)eate time
hard_links INTEGER_TYPE Number of hard links
symlink INTEGER_TYPE 1 if the path is a symlink, otherwise 0
type TEXT_TYPE File status
select * from file where path = '/etc/passwd'
select * from file where directory = '/etc/'
select * from file where path LIKE '/etc/%'

osquery_events

Information about the event publishers and subscribers.
ColumnTypeDescription
name TEXT_TYPE Event publisher or subscriber name
publisher TEXT_TYPE Name of the associated publisher
type TEXT_TYPE Either publisher or subscriber
subscriptions INTEGER_TYPE Number of subscriptions the publisher received or subscriber used
events INTEGER_TYPE Number of events emitted or received since osquery started
refreshes INTEGER_TYPE Publisher only: number of runloop restarts
active INTEGER_TYPE 1 if the publisher or subscriber is active else 0

osquery_extensions

List of active osquery extensions.
ColumnTypeDescription
uuid BIGINT_TYPE The transient ID assigned for communication
name TEXT_TYPE Extension's name
version TEXT_TYPE Extenion's version
sdk_version TEXT_TYPE osquery SDK version used to build the extension
path TEXT_TYPE Path of the extenion's domain socket or library path
type TEXT_TYPE SDK extension type: extension or module

osquery_flags

Configurable flags that modify osquery's behavior.
ColumnTypeDescription
name TEXT_TYPE Flag name
type TEXT_TYPE Flag type
description TEXT_TYPE Flag description
default_value TEXT_TYPE Flag default value
value TEXT_TYPE Flag value
shell_only INTEGER_TYPE Is the flag shell only?

osquery_info

Top level information about the running version of osquery.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread/handle) ID
uuid TEXT_TYPE Unique ID provided by the system
instance_id TEXT_TYPE Unique, long-lived ID per instance of osquery
version TEXT_TYPE osquery toolkit version
config_hash TEXT_TYPE Hash of the working configuration state
config_valid INTEGER_TYPE 1 if the config was loaded and considered valid, else 0
extensions TEXT_TYPE osquery extensions status
build_platform TEXT_TYPE osquery toolkit build platform
build_distro TEXT_TYPE osquery toolkit platform distribution name (os version)
start_time INTEGER_TYPE UNIX time in seconds when the process started
watcher INTEGER_TYPE Process (or thread/handle) ID of optional watcher process

osquery_packs

Information about the current query packs that are loaded in osquery.
ColumnTypeDescription
name TEXT_TYPE The given name for this query pack
platform TEXT_TYPE Platforms this query is supported on
version TEXT_TYPE Minimum osquery version that this query will run on
shard INTEGER_TYPE Shard restriction limit, 1-100, 0 meaning no restriction
discovery_cache_hits INTEGER_TYPE The number of times that the discovery query used cached values since the last time the config was reloaded
discovery_executions INTEGER_TYPE The number of times that the discovery queries have been executed since the last time the config was reloaded
active INTEGER_TYPE Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.

osquery_registry

List the osquery registry plugins.
ColumnTypeDescription
registry TEXT_TYPE Name of the osquery registry
name TEXT_TYPE Name of the plugin item
owner_uuid INTEGER_TYPE Extension route UUID (0 for core)
internal INTEGER_TYPE 1 If the plugin is internal else 0
active INTEGER_TYPE 1 If this plugin is active else 0

osquery_schedule

Information about the current queries that are scheduled in osquery.
ColumnTypeDescription
name TEXT_TYPE The given name for this query
query TEXT_TYPE The exact query to run
interval INTEGER_TYPE The interval in seconds to run this query, not an exact interval
executions BIGINT_TYPE Number of times the query was executed
last_executed BIGINT_TYPE UNIX time stamp in seconds of the last completed execution
output_size BIGINT_TYPE Total number of bytes generated by the query
wall_time BIGINT_TYPE Total wall time spent executing
user_time BIGINT_TYPE Total user time spent executing
system_time BIGINT_TYPE Total system time spent executing
average_memory BIGINT_TYPE Average private memory left after executing

time

Track current date and time in the system.
ColumnTypeDescription
weekday TEXT_TYPE Current weekday in the system
year INTEGER_TYPE Current year in the system
month INTEGER_TYPE Current month in the system
day INTEGER_TYPE Current day in the system
hour INTEGER_TYPE Current hour in the system
minutes INTEGER_TYPE Current minutes in the system
seconds INTEGER_TYPE Current seconds in the system
timezone TEXT_TYPE Current timezone in the system
local_time INTEGER_TYPE Current local UNIX time in the system
local_timezone TEXT_TYPE Current local timezone in the system
unix_time INTEGER_TYPE Current UNIX time in the system, converted to UTC if --utc enabled
timestamp TEXT_TYPE Current timestamp (log format) in the system
datetime TEXT_TYPE Current date and time (ISO format) in the system
iso_8601 TEXT_TYPE Current time (ISO format) in the system