osquery exports the following set of tables organized by platform. Treat them like SQLite tables:

SELECT address, mac, id.interface
FROM interface_details AS id, interface_addresses AS ia WHERE id.interface = ia.interface;

There are some operating-specific tables that apply to OS X, Ubuntu, or CentOS only. osquery stresses feature parity, minimizing tables that are not available to all platforms is a priority. Tables marked with [beta] may be subject to renaming or column changes.

() uses an event publisher
() requires kernel extension
() blacklisted
() performance impact

() treat as a primary key
() use to control table output
() required in WHERE clause
() utility, included in SDK

Release tags: 2.6.1 2.6.0 2.5.2 2.5.0 2.4.6 2.2.0

All Platforms

carbon_black_info

Returns info about a Carbon Black sensor install
ColumnTypeDescription
sensor_id INTEGER_TYPE Sensor ID of the Carbon Black sensor
config_name TEXT_TYPE Sensor group
collect_store_files INTEGER_TYPE If the sensor is configured to send back binaries to the Carbon Black server
collect_module_loads INTEGER_TYPE If the sensor is configured to capture module loads
collect_module_info INTEGER_TYPE If the sensor is configured to collect metadata of binaries
collect_file_mods INTEGER_TYPE If the sensor is configured to collect file modification events
collect_reg_mods INTEGER_TYPE If the sensor is configured to collect registry modification events
collect_net_conns INTEGER_TYPE If the sensor is configured to collect network connections
collect_processes INTEGER_TYPE If the sensor is configured to process events
collect_cross_processes INTEGER_TYPE If the sensor is configured to cross process events
collect_emet_events INTEGER_TYPE If the sensor is configured to EMET events
collect_data_file_writes INTEGER_TYPE If the sensor is configured to collect non binary file writes
collect_process_user_context INTEGER_TYPE If the sensor is configured to collect the user running a process
collect_sensor_operations INTEGER_TYPE Unknown
log_file_disk_quota_mb INTEGER_TYPE Event file disk quota in MB
log_file_disk_quota_percentage INTEGER_TYPE Event file disk quota in a percentage
protection_disabled INTEGER_TYPE If the sensor is configured to report tamper events
sensor_ip_addr TEXT_TYPE IP address of the sensor
sensor_backend_server TEXT_TYPE Carbon Black server
event_queue INTEGER_TYPE Size in bytes of Carbon Black event files on disk
binary_queue INTEGER_TYPE Size in bytes of binaries waiting to be sent to Carbon Black server

chrome_extensions

Chrome browser extensions.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension-supplied version
description TEXT_TYPE Extension-optional description
locale TEXT_TYPE Default locale supported by extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
persistent INTEGER_TYPE 1 If extension is persistent across all tabs else 0
path TEXT_TYPE Path to extension folder

cpuid

Useful CPU features from the cpuid ASM call.
ColumnTypeDescription
feature TEXT_TYPE Present feature flags
value TEXT_TYPE Bit value or string
output_register TEXT_TYPE Register used to for feature value
output_bit INTEGER_TYPE Bit in register value for feature value
input_eax TEXT_TYPE Value of EAX used

etc_hosts

Line-parsed /etc/hosts.
ColumnTypeDescription
address TEXT_TYPE IP address mapping
hostnames TEXT_TYPE Raw hosts mapping

etc_protocols

Line-parsed /etc/protocols.
ColumnTypeDescription
name TEXT_TYPE Protocol name
number INTEGER_TYPE Protocol number
alias TEXT_TYPE Protocol alias
comment TEXT_TYPE Comment with protocol description

etc_services

Line-parsed /etc/services.
ColumnTypeDescription
name TEXT_TYPE Service name
port INTEGER_TYPE Service port number
protocol TEXT_TYPE Transport protocol (TCP/UDP)
aliases TEXT_TYPE Optional space separated list of other names for a service
comment TEXT_TYPE Optional comment for a service.

interface_addresses

Network interfaces and relevant metadata.
ColumnTypeDescription
interface TEXT_TYPE Interface name
address TEXT_TYPE Specific address for interface
mask TEXT_TYPE Interface netmask
broadcast TEXT_TYPE Broadcast address for the interface
point_to_point TEXT_TYPE PtP address for the interface

interface_details

Detailed information and stats of network interfaces.
ColumnTypeDescription
interface TEXT_TYPE Interface name
mac TEXT_TYPE MAC of interface (optional)
type INTEGER_TYPE Interface type (includes virtual)
mtu INTEGER_TYPE Network MTU
metric INTEGER_TYPE Metric based on the speed of the interface
ipackets BIGINT_TYPE Input packets
opackets BIGINT_TYPE Output packets
ibytes BIGINT_TYPE Input bytes
obytes BIGINT_TYPE Output bytes
ierrors BIGINT_TYPE Input errors
oerrors BIGINT_TYPE Output errors
idrops BIGINT_TYPE Input drops
odrops BIGINT_TYPE Output drops
last_change BIGINT_TYPE Time of last device modification (optional)
description TEXT_TYPE Short description of the object—a one-line string.
manufacturer TEXT_TYPE Name of the network adapter's manufacturer.
connection_id TEXT_TYPE Name of the network connection as it appears in the Network Connections Control Panel program.
connection_status TEXT_TYPE State of the network adapter connection to the network.
enabled INTEGER_TYPE Indicates whether the adapter is enabled or not.
physical_adapter INTEGER_TYPE Indicates whether the adapter is a physical or a logical adapter.
speed INTEGER_TYPE Estimate of the current bandwidth in bits per second.
dhcp_enabled INTEGER_TYPE If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.
dhcp_lease_expires TEXT_TYPE Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_lease_obtained TEXT_TYPE Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_server TEXT_TYPE IP address of the dynamic host configuration protocol (DHCP) server.
dns_domain TEXT_TYPE Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'.
dns_domain_suffix_search_order TEXT_TYPE Array of DNS domain suffixes to be appended to the end of host names during name resolution.
dns_host_name TEXT_TYPE Host name used to identify the local computer for authentication by some utilities.
dns_server_search_order TEXT_TYPE Array of server IP addresses to be used in querying for DNS servers.

kernel_info

Basic active kernel information.
ColumnTypeDescription
version TEXT_TYPE Kernel version
arguments TEXT_TYPE Kernel arguments
path TEXT_TYPE Kernel path
device TEXT_TYPE Kernel device identifier

listening_ports

Processes with listening (bound) network sockets/ports.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
port INTEGER_TYPE Transport layer port
protocol INTEGER_TYPE Transport protocol (TCP/UDP)
family INTEGER_TYPE Network protocol (IPv4, IPv6)
address TEXT_TYPE Specific address for bind

os_version

A single row containing the operating system name and version.
ColumnTypeDescription
name TEXT_TYPE Distribution or product name
version TEXT_TYPE Pretty, suitable for presentation, OS version
major INTEGER_TYPE Major release version
minor INTEGER_TYPE Minor release version
patch INTEGER_TYPE Optional patch release
build TEXT_TYPE Optional build-specific or variant string
platform TEXT_TYPE OS Platform or ID
platform_like TEXT_TYPE Closely related platforms
codename TEXT_TYPE OS version codename

platform_info

Information about EFI/UEFI/ROM and platform/boot.
ColumnTypeDescription
vendor TEXT_TYPE Platform code vendor
version TEXT_TYPE Platform code version
date TEXT_TYPE Self-reported platform code update date
revision TEXT_TYPE BIOS major and minor revision
address TEXT_TYPE Relative address of firmware mapping
size TEXT_TYPE Size in bytes of firmware
volume_size INTEGER_TYPE (Optional) size of firmware volume
extra TEXT_TYPE Platform-specific additional information

process_open_sockets

Processes which have open network sockets on the system.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
fd BIGINT_TYPE Socket file descriptor number
socket BIGINT_TYPE Socket handle or inode number
family INTEGER_TYPE Network protocol (IPv4, IPv6)
protocol INTEGER_TYPE Transport protocol (TCP/UDP)
local_address TEXT_TYPE Socket local address
remote_address TEXT_TYPE Socket remote address
local_port INTEGER_TYPE Socket local port
remote_port INTEGER_TYPE Socket remote port
path TEXT_TYPE For UNIX sockets (family=AF_UNIX), the domain path
select * from process_open_sockets where pid = 1

processes

All running processes on the host system.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
name TEXT_TYPE The process path or shorthand argv[0]
path TEXT_TYPE Path to executed binary
cmdline TEXT_TYPE Complete argv
state TEXT_TYPE Process state
cwd TEXT_TYPE Process current working directory
root TEXT_TYPE Process virtual root directory
uid BIGINT_TYPE Unsigned user ID
gid BIGINT_TYPE Unsigned group ID
euid BIGINT_TYPE Unsigned effective user ID
egid BIGINT_TYPE Unsigned effective group ID
suid BIGINT_TYPE Unsigned saved user ID
sgid BIGINT_TYPE Unsigned saved group ID
on_disk INTEGER_TYPE The process path exists yes=1, no=0, unknown=-1
wired_size BIGINT_TYPE Bytes of unpagable memory used by process
resident_size BIGINT_TYPE Bytes of private memory used by process
total_size BIGINT_TYPE Total virtual memory size
user_time BIGINT_TYPE CPU time spent in user space
system_time BIGINT_TYPE CPU time spent in kernel space
start_time BIGINT_TYPE Process start in seconds since boot (non-sleeping)
parent BIGINT_TYPE Process parent's PID
pgroup BIGINT_TYPE Process group
threads INTEGER_TYPE Number of threads used by process
nice INTEGER_TYPE Process nice level (-20 to 20, default 0)
select * from processes where pid = 1

system_info

System information for identification.
ColumnTypeDescription
hostname TEXT_TYPE Network hostname including domain
uuid TEXT_TYPE Unique ID provided by the system
cpu_type TEXT_TYPE CPU type
cpu_subtype TEXT_TYPE CPU subtype
cpu_brand TEXT_TYPE CPU brand string, contains vendor and model
cpu_physical_cores INTEGER_TYPE Max number of CPU physical cores
cpu_logical_cores INTEGER_TYPE Max number of CPU logical cores
physical_memory BIGINT_TYPE Total physical memory in bytes
hardware_vendor TEXT_TYPE Hardware or board vendor
hardware_model TEXT_TYPE Hardware or board model
hardware_version TEXT_TYPE Hardware or board version
hardware_serial TEXT_TYPE Device or board serial number
computer_name TEXT_TYPE Friendly computer name (optional)

uptime

Track time passed since last boot.
ColumnTypeDescription
days INTEGER_TYPE Days of uptime
hours INTEGER_TYPE Hours of uptime
minutes INTEGER_TYPE Minutes of uptime
seconds INTEGER_TYPE Seconds of uptime
total_seconds BIGINT_TYPE Total uptime seconds

users

Local system users.
ColumnTypeDescription
uid BIGINT_TYPE User ID
gid BIGINT_TYPE Group ID (unsigned)
uid_signed BIGINT_TYPE User ID as int64 signed (Apple)
gid_signed BIGINT_TYPE Default group ID as int64 signed (Apple)
username TEXT_TYPE Username
description TEXT_TYPE Optional user description
directory TEXT_TYPE User's home directory
shell TEXT_TYPE User's configured default shell
uuid TEXT_TYPE User's UUID (Apple)
select * from users where uid = 1000
select * from users where username = 'root'
select count(*) from users u, user_groups ug where u.uid = ug.uid

Microsoft Windows

appcompat_shims

Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
ColumnTypeDescription
executable TEXT_TYPE Name of the executable that is being shimmed. This is pulled from the registry.
path TEXT_TYPE This is the path to the SDB database.
description TEXT_TYPE Description of the SDB.
install_time INTEGER_TYPE Install time of the SDB
type TEXT_TYPE Type of the SDB database.
sdb_id TEXT_TYPE Unique GUID of the SDB.
select * from appcompat_shims;

drivers

Lists all installed and loaded Windows Drivers and their relevant data
ColumnTypeDescription
name TEXT_TYPE Driver name
display_name TEXT_TYPE Driver Display name
status TEXT_TYPE Driver Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED
start_type TEXT_TYPE Driver start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED
path TEXT_TYPE Path to Driver module
type TEXT_TYPE Driver Type: KERNEL, FILE_SYSTEM
inf TEXT_TYPE INF File: Associated inf file
select * from drivers

patches

Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).
ColumnTypeDescription
csname TEXT_TYPE The name of the host the patch is installed on.
hotfix_id TEXT_TYPE The KB ID of the patch.
caption TEXT_TYPE Short description of the patch.
description TEXT_TYPE Fuller description of the patch.
fix_comments TEXT_TYPE Additional comments about the patch.
installed_by TEXT_TYPE The system context in which the patch as installed.
install_date TEXT_TYPE Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.
installed_on TEXT_TYPE The date when the patch was installed.
select * from patches

programs

Rrepresents products as they are installed by Windows Installer. A product generally correlates to one installation package.
ColumnTypeDescription
name TEXT_TYPE Commonly used product name.
version TEXT_TYPE Product version information.
install_source TEXT_TYPE The installation source directory of the product.
language TEXT_TYPE The language of the product.
publisher TEXT_TYPE Name of the product supplier.
uninstall_string TEXT_TYPE Path and filename of the uninstaller.
install_date TEXT_TYPE Date that this product was installed on the system.
identifying_number TEXT_TYPE Product identification such as a serial number on software, or a die number on a hardware chip.
select * from programs

registry

All of the Windows registry hives.
ColumnTypeDescription
hive TEXT_TYPE The parent registry hive where the key and value exist
key TEXT_TYPE Name of the key to search for
subkey TEXT_TYPE Name of the subkey for a given HIVE and key
name TEXT_TYPE Name of the registry value entry
type TEXT_TYPE Type of data associated with the registry value
data TEXT_TYPE Data content of registry value
mtime BIGINT_TYPE timestamp of the most recent registry write
select * from registry

services

Lists all installed Windows Services and its relevant data
ColumnTypeDescription
name TEXT_TYPE Service name
service_type TEXT_TYPE Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)
display_name TEXT_TYPE Service Display name
status TEXT_TYPE Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED
pid INTEGER_TYPE the Process ID of the service
start_type TEXT_TYPE Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED
win32_exit_code INTEGER_TYPE The error code that the service uses to report an error that occurs when it is starting or stopping
service_exit_code INTEGER_TYPE The service-specific error code that the service returns when an error occurs while the service is starting or stopping
path TEXT_TYPE Path to Service Executable
module_path TEXT_TYPE Path to ServiceDll
description TEXT_TYPE Service Description
user_account TEXT_TYPE The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\UserName. If the account belongs to the built-in domain, the name can be of the form .\UserName.
select * from services

shared_resources

Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.
ColumnTypeDescription
description TEXT_TYPE A textual description of the object
install_date TEXT_TYPE Indicates when the object was installed. Lack of a value does not indicate that the object is not installed
status TEXT_TYPE String that indicates the current status of the object
allow_maximum INTEGER_TYPE Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.
maximum_allowed INTEGER_TYPE Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.
name TEXT_TYPE Alias given to a path set up as a share on a computer system running Windows.
path TEXT_TYPE Local path of the Windows share.
type INTEGER_TYPE Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.
select * from shared_resources

wmi_cli_event_consumers

WMI CommandLineEventConsumer, which can be used for persistance on Windows. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
ColumnTypeDescription
name TEXT_TYPE Unique name of a consumer.
command_line_template TEXT_TYPE Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.
executable_path TEXT_TYPE Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select filter,consumer,query,command_line_template,wcec.name from wmi_cli_event_consumers wcec left outer join wmi_filter_consumer_binding wcb on consumer = wcec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;

wmi_event_filters

Lists WMI event filters
ColumnTypeDescription
name TEXT_TYPE Unique identifier of an event filter.
query TEXT_TYPE Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.
query_language TEXT_TYPE Query language that the query is written in.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select * from wmi_event_filters

wmi_filter_consumer_binding

Lists the relationship between event consumers and filters.
ColumnTypeDescription
consumer TEXT_TYPE Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.
filter TEXT_TYPE Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select * from wmi_filter_consumer_binding

wmi_script_event_consumers

WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
ColumnTypeDescription
name TEXT_TYPE Unique identifier for the event consumer.
scripting_engine TEXT_TYPE Name of the scripting engine to use, for example, 'VBScript'. This property cannot be NULL.
script_file_name TEXT_TYPE Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.
script_text TEXT_TYPE Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.
class TEXT_TYPE The name of the class.
relative_path TEXT_TYPE Relative path to the class or instance.
select filter,consumer,query,scripting_engine,script_file_name,script_text,wsec.name from wmi_script_event_consumers wsec left outer join wmi_filter_consumer_binding wcb on consumer = wsec.relative_path left outer join wmi_event_filters wef on wef.relative_path = wcb.filter;

POSIX-compatible Plaforms

acpi_tables

Firmware ACPI functional table common metadata and content.
ColumnTypeDescription
name TEXT_TYPE ACPI table name
size INTEGER_TYPE Size of compiled table data
md5 TEXT_TYPE MD5 hash of table content

arp_cache

Address resolution cache, both static and dynamic (from ARP, NDP).
ColumnTypeDescription
address TEXT_TYPE IPv4 address target
mac TEXT_TYPE MAC address of broadcasted address
interface TEXT_TYPE Interface of the network for the MAC
permanent TEXT_TYPE 1 for true, 0 for false

augeas

Configuration files parsed by augeas.
ColumnTypeDescription
node TEXT_TYPE The node path of the configuration item
value TEXT_TYPE The value of the configuration item
label TEXT_TYPE The label of the configuration item
path TEXT_TYPE The path to the configuration file
select * from augeas where path = '/etc/hosts'

authorized_keys

A line-delimited authorized_keys table.
ColumnTypeDescription
uid BIGINT_TYPE The local owner of authorized_keys file
algorithm TEXT_TYPE algorithim of key
key TEXT_TYPE parsed authorized keys line
key_file TEXT_TYPE Path to the authorized_keys file

block_devices

Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.
ColumnTypeDescription
name TEXT_TYPE Block device name
parent TEXT_TYPE Block device parent name
vendor TEXT_TYPE Block device vendor string
model TEXT_TYPE Block device model string identifier
size BIGINT_TYPE Block device size in bytes
uuid TEXT_TYPE Block device Universally Unique Identifier
type TEXT_TYPE Block device type string
label TEXT_TYPE Block device label string

crontab

Line parsed values from system and user cron/tab.
ColumnTypeDescription
event TEXT_TYPE The job @event name (rare)
minute TEXT_TYPE The exact minute for the job
hour TEXT_TYPE The hour of the day for the job
day_of_month TEXT_TYPE The day of the month for the job
month TEXT_TYPE The month of the year for the job
day_of_week TEXT_TYPE The day of the week for the job
command TEXT_TYPE Raw command string
path TEXT_TYPE File parsed

device_file

Similar to the file table, but use TSK and allow block address access.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition TEXT_TYPE A partition number
path TEXT_TYPE A logical path within the device node
filename TEXT_TYPE Name portion of file path
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
size BIGINT_TYPE Size of file in bytes
block_size INTEGER_TYPE Block size of filesystem
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Creation time
hard_links INTEGER_TYPE Number of hard links
type TEXT_TYPE File status

device_hash

Similar to the hash table, but use TSK and allow block address access.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition TEXT_TYPE A partition number
inode BIGINT_TYPE Filesystem inode number
md5 TEXT_TYPE MD5 hash of provided inode data
sha1 TEXT_TYPE SHA1 hash of provided inode data
sha256 TEXT_TYPE SHA256 hash of provided inode data

device_partitions

Use TSK to enumerate details about partitions on a disk device.
ColumnTypeDescription
device TEXT_TYPE Absolute file path to device node
partition INTEGER_TYPE A partition number or description
label TEXT_TYPE
type TEXT_TYPE
offset BIGINT_TYPE
blocks_size BIGINT_TYPE Byte size of each block
blocks BIGINT_TYPE Number of blocks
inodes BIGINT_TYPE Number of meta nodes
flags INTEGER_TYPE

disk_encryption

Disk Encryption
ColumnTypeDescription
name TEXT_TYPE Disk name
uuid TEXT_TYPE Disk Universally Unique Identifier
encrypted INTEGER_TYPE 1 If encrypted: true (disk is encrypted), else 0
type TEXT_TYPE Description of cipher type and mode if available
uid TEXT_TYPE Currently authenticated user if available (Apple)
user_uuid TEXT_TYPE UUID of authenticated user if available (Apple)

dns_resolvers

Resolvers used by this host
ColumnTypeDescription
id INTEGER_TYPE Address type index or order
type TEXT_TYPE Address type: sortlist, nameserver, search
address TEXT_TYPE Resolver IP/IPv6 address
netmask TEXT_TYPE Address (sortlist) netmask length
options BIGINT_TYPE Resolver options

file_events

Track time/action changes to files specified in configuration data.
ColumnTypeDescription
target_path TEXT_TYPE The path associated with the event
category TEXT_TYPE The category of the file defined in the config
action TEXT_TYPE Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT_TYPE ID used during bulk update
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
size BIGINT_TYPE Size of file in bytes
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Last status change time
md5 TEXT_TYPE The MD5 of the file after change
sha1 TEXT_TYPE The SHA1 of the file after change
sha256 TEXT_TYPE The SHA256 of the file after change
hashed INTEGER_TYPE 1 if the file was hashed, 0 if not, -1 if hashing failed
time BIGINT_TYPE Time of file event

firefox_addons

Firefox browser extensions, webapps, and addons.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the addon
name TEXT_TYPE Addon display name
identifier TEXT_TYPE Addon identifier
creator TEXT_TYPE Addon-supported creator string
type TEXT_TYPE Extension, addon, webapp
version TEXT_TYPE Addon-supplied version string
description TEXT_TYPE Addon-supplied description string
source_url TEXT_TYPE URL that installed the addon
visible INTEGER_TYPE 1 If the addon is shown in browser else 0
active INTEGER_TYPE 1 If the addon is active else 0
disabled INTEGER_TYPE 1 If the addon is application-disabled else 0
autoupdate INTEGER_TYPE 1 If the addon applies background updates else 0
native INTEGER_TYPE 1 If the addon includes binary components else 0
location TEXT_TYPE Global, profile location
path TEXT_TYPE Path to plugin bundle

groups

Local system groups.
ColumnTypeDescription
gid BIGINT_TYPE Unsigned int64 group ID
gid_signed BIGINT_TYPE A signed int64 version of gid
groupname TEXT_TYPE Canonical local group name
select * from groups where gid = 0

hardware_events

Hardware (PCI/USB/HID) events from UDEV or IOKit.
ColumnTypeDescription
action TEXT_TYPE Remove, insert, change properties, etc
path TEXT_TYPE Local device path assigned (optional)
type TEXT_TYPE Type of hardware and hardware event
driver TEXT_TYPE Driver claiming the device
vendor TEXT_TYPE Hardware device vendor
vendor_id TEXT_TYPE Hex encoded Hardware vendor identifier
model TEXT_TYPE Hardware device model
model_id TEXT_TYPE Hex encoded Hardware model identifier
serial TEXT_TYPE Device serial (optional)
revision TEXT_TYPE Device revision (optional)
time BIGINT_TYPE Time of hardware event

known_hosts

A line-delimited known_hosts table.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the known_hosts file
key TEXT_TYPE parsed authorized keys line
key_file TEXT_TYPE Path to known_hosts file

last

System logins and logouts.
ColumnTypeDescription
username TEXT_TYPE Entry username
tty TEXT_TYPE Entry terminal
pid INTEGER_TYPE Process (or thread) ID
type INTEGER_TYPE Entry type, according to ut_type types (utmp.h)
time INTEGER_TYPE Entry timestamp
host TEXT_TYPE Entry hostname

logged_in_users

Users with an active shell on the system.
ColumnTypeDescription
type TEXT_TYPE Login type
user TEXT_TYPE User login name
tty TEXT_TYPE Device name
host TEXT_TYPE Remote hostname
time INTEGER_TYPE Time entry was made
pid INTEGER_TYPE Process (or thread) ID

magic

Magic number recognition library table.
ColumnTypeDescription
path TEXT_TYPE Absolute path to target file
data TEXT_TYPE Magic number data from libmagic
mime_type TEXT_TYPE MIME type data from libmagic
mime_encoding TEXT_TYPE MIME encoding data from libmagic

mounts

System mounted devices and filesystems (not process specific).
ColumnTypeDescription
device TEXT_TYPE Mounted device
device_alias TEXT_TYPE Mounted device alias
path TEXT_TYPE Mounted device path
type TEXT_TYPE Mounted device type
blocks_size BIGINT_TYPE Block size in bytes
blocks BIGINT_TYPE Mounted device used blocks
blocks_free BIGINT_TYPE Mounted device free blocks
blocks_available BIGINT_TYPE Mounted device available blocks
inodes BIGINT_TYPE Mounted device used inodes
inodes_free BIGINT_TYPE Mounted device free inodes
flags TEXT_TYPE Mounted device flags

opera_extensions

Opera browser extensions.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension-supplied version
description TEXT_TYPE Extension-optional description
locale TEXT_TYPE Default locale supported by extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
persistent INTEGER_TYPE 1 If extension is persistent across all tabs else 0
path TEXT_TYPE Path to extension folder

pci_devices

PCI devices active on the host system.
ColumnTypeDescription
pci_slot TEXT_TYPE PCI Device used slot
pci_class TEXT_TYPE PCI Device class
driver TEXT_TYPE PCI Device used driver
vendor TEXT_TYPE PCI Device vendor
vendor_id TEXT_TYPE Hex encoded PCI Device vendor identifier
model TEXT_TYPE PCI Device model
model_id TEXT_TYPE Hex encoded PCI Device model identifier

process_envs

A key/value table of environment variables for each process.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
key TEXT_TYPE Environment variable name
value TEXT_TYPE Environment variable value
select * from process_envs where pid = 1
select pe.* from process_envs pe, (select * from processes limit 10) p where p.pid = pe.pid;

process_events

Track time/action process executions.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
path TEXT_TYPE Path of executed file
mode BIGINT_TYPE File mode permissions
cmdline TEXT_TYPE Command line arguments (argv)
cmdline_size BIGINT_TYPE Actual size (bytes) of command line arguments
env TEXT_TYPE Environment variables delimited by spaces
env_count BIGINT_TYPE Number of environment variables
env_size BIGINT_TYPE Actual size (bytes) of environment list
uid BIGINT_TYPE User ID at process start
euid BIGINT_TYPE Effective user ID at process start
gid BIGINT_TYPE Group ID at process start
egid BIGINT_TYPE Effective group ID at process start
owner_uid BIGINT_TYPE File owner user ID
owner_gid BIGINT_TYPE File owner group ID
atime BIGINT_TYPE File last access in UNIX time
mtime BIGINT_TYPE File modification in UNIX time
ctime BIGINT_TYPE File last metadata change in UNIX time
btime BIGINT_TYPE File creation in UNIX time
overflows TEXT_TYPE List of structures that overflowed
parent BIGINT_TYPE Process parent's PID
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime

process_memory_map

Process memory mapped files and pseudo device/regions.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread) ID
start TEXT_TYPE Virtual start address (hex)
end TEXT_TYPE Virtual end address (hex)
permissions TEXT_TYPE r=read, w=write, x=execute, p=private (cow)
offset BIGINT_TYPE Offset into mapped path
device TEXT_TYPE MA:MI Major/minor device ID
inode INTEGER_TYPE Mapped path inode, 0 means uninitialized (BSS)
path TEXT_TYPE Path to mapped file or mapped type
pseudo INTEGER_TYPE 1 If path is a pseudo path, else 0
select * from process_memory_map where pid = 1

process_open_files

File descriptors for each process.
ColumnTypeDescription
pid BIGINT_TYPE Process (or thread) ID
fd BIGINT_TYPE Process-specific file descriptor number
path TEXT_TYPE Filesystem path of descriptor
select * from process_open_files where pid = 1

routes

The active route table for the host system.
ColumnTypeDescription
destination TEXT_TYPE Destination IP address
netmask TEXT_TYPE Netmask length
gateway TEXT_TYPE Route gateway
source TEXT_TYPE Route source
flags INTEGER_TYPE Flags to describe route
interface TEXT_TYPE Route local interface
mtu INTEGER_TYPE Maximum Transmission Unit for the route
metric INTEGER_TYPE Cost of route. Lowest is preferred
type TEXT_TYPE Type of route

shell_history

A line-delimited (command) table of per-user .*_history data.
ColumnTypeDescription
uid BIGINT_TYPE Shell history owner
time INTEGER_TYPE Entry timestamp
command TEXT_TYPE Unparsed date/line/command history line
history_file TEXT_TYPE Path to the .*_history for this user

smbios_tables

BIOS (DMI) structure common details and content.
ColumnTypeDescription
number INTEGER_TYPE Table entry number
type INTEGER_TYPE Table entry type
description TEXT_TYPE Table entry description
handle INTEGER_TYPE Table entry handle
header_size INTEGER_TYPE Header size in bytes
size INTEGER_TYPE Table entry size in bytes
md5 TEXT_TYPE MD5 hash of table entry

sudoers

Rules for running commands as other users via sudo.
ColumnTypeDescription
header TEXT_TYPE Symbol for given rule
rule_details TEXT_TYPE Rule definition

suid_bin

suid binaries in common locations.
ColumnTypeDescription
path TEXT_TYPE Binary path
username TEXT_TYPE Binary owner username
groupname TEXT_TYPE Binary owner group
permissions TEXT_TYPE Binary permissions

system_controls

sysctl names, values, and settings information.
ColumnTypeDescription
name TEXT_TYPE Full sysctl MIB name
oid TEXT_TYPE Control MIB
subsystem TEXT_TYPE Subsystem ID, control type
current_value TEXT_TYPE Value of setting
config_value TEXT_TYPE The MIB value set in /etc/sysctl.conf
type TEXT_TYPE Data type

usb_devices

USB devices that are actively plugged into the host system.
ColumnTypeDescription
usb_address INTEGER_TYPE USB Device used address
usb_port INTEGER_TYPE USB Device used port
vendor TEXT_TYPE USB Device vendor string
vendor_id TEXT_TYPE Hex encoded USB Device vendor identifier
model TEXT_TYPE USB Device model string
model_id TEXT_TYPE Hex encoded USB Device model identifier
serial TEXT_TYPE USB Device serial connection
removable INTEGER_TYPE 1 If USB device is removable else 0

user_groups

Local system user group relationships.
ColumnTypeDescription
uid BIGINT_TYPE User ID
gid BIGINT_TYPE Group ID

user_ssh_keys

Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the key file
path TEXT_TYPE Path to key file
encrypted INTEGER_TYPE 1 if key is encrypted, 0 otherwise

yara

Track YARA matches for files or PIDs.
ColumnTypeDescription
path TEXT_TYPE The path scanned
matches TEXT_TYPE List of YARA matches
count INTEGER_TYPE Number of YARA matches
sig_group TEXT_TYPE Signature group used
sigfile TEXT_TYPE Signature file used
strings TEXT_TYPE Matching strings
tags TEXT_TYPE Matching tags
select * from yara where path = '/etc/passwd'
select * from yara where path LIKE '/etc/%'
select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'

yara_events

Track YARA matches for files specified in configuration data.
ColumnTypeDescription
target_path TEXT_TYPE The path scanned
category TEXT_TYPE The category of the file
action TEXT_TYPE Change action (UPDATE, REMOVE, etc)
transaction_id BIGINT_TYPE ID used during bulk update
matches TEXT_TYPE List of YARA matches
count INTEGER_TYPE Number of YARA matches
time BIGINT_TYPE Time of the scan
strings TEXT_TYPE Matching strings
tags TEXT_TYPE Matching tags

Ubuntu, CentOS

apt_sources

Current list of APT repositories or software channels.
ColumnTypeDescription
name TEXT_TYPE Repository name
base_uri TEXT_TYPE Repository base URI
package_cache_file TEXT_TYPE Repository cache file
release TEXT_TYPE Release name
component TEXT_TYPE Repository component
version TEXT_TYPE Repository source version
maintainer TEXT_TYPE Repository maintainer
site TEXT_TYPE Repository site

cpu_time

Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.
ColumnTypeDescription
core INTEGER_TYPE Name of the cpu (core)
user BIGINT_TYPE Time spent in user mode
nice BIGINT_TYPE Time spent in user mode with low priority (nice)
system BIGINT_TYPE Time spent in system mode
idle BIGINT_TYPE Time spent in the idle task
iowait BIGINT_TYPE Time spent waiting for I/O to complete
irq BIGINT_TYPE Time spent servicing interrupts
softirq BIGINT_TYPE Time spent servicing softirqs
steal BIGINT_TYPE Time spent in other operating systems when running in a virtualized environment
guest BIGINT_TYPE Time spent running a virtual CPU for a guest OS under the control of the Linux kernel
guest_nice BIGINT_TYPE Time spent running a niced guest

deb_packages

The installed DEB package database.
ColumnTypeDescription
name TEXT_TYPE Package name
version TEXT_TYPE Package version
source TEXT_TYPE Package source
size BIGINT_TYPE Package size in bytes
arch TEXT_TYPE Package architecture
revision TEXT_TYPE Package revision

iptables

Linux IP packet filtering and NAT tool.
ColumnTypeDescription
filter_name TEXT_TYPE Packet matching filter table name.
chain TEXT_TYPE Size of module content.
policy TEXT_TYPE Policy that applies for this rule.
target TEXT_TYPE Target that applies for this rule.
protocol INTEGER_TYPE Protocol number identification.
src_ip TEXT_TYPE Source IP address.
src_mask TEXT_TYPE Source IP address mask.
iniface TEXT_TYPE Input interface for the rule.
iniface_mask TEXT_TYPE Input interface mask for the rule.
dst_ip TEXT_TYPE Destination IP address.
dst_mask TEXT_TYPE Destination IP address mask.
outiface TEXT_TYPE Output interface for the rule.
outiface_mask TEXT_TYPE Output interface mask for the rule.
match TEXT_TYPE Matching rule that applies.
packets INTEGER_TYPE Number of matching packets for this rule.
bytes INTEGER_TYPE Number of matching bytes for this rule.

kernel_integrity

Various Linux kernel integrity checked attributes.
ColumnTypeDescription
sycall_addr_modified INTEGER_TYPE 0 or 1, for whether a syscall table pointer is modified
text_segment_hash TEXT_TYPE Hash value for the kernel's .text memory segment

kernel_modules

Linux kernel modules both loaded and within the load search path.
ColumnTypeDescription
name TEXT_TYPE Module name
size TEXT_TYPE Size of module content
used_by TEXT_TYPE Module reverse dependencies
status TEXT_TYPE Kernel module status
address TEXT_TYPE Kernel module address

memory_info

Main memory information, in bytes
ColumnTypeDescription
memory_total BIGINT_TYPE Total amount of physical RAM, in bytes
memory_free BIGINT_TYPE The amount of physical RAM, in bytes, left unused by the system
buffers BIGINT_TYPE The amount of physical RAM, in bytes, used for file buffers
cached BIGINT_TYPE The amount of physical RAM, in bytes, used as cache memory
swap_cached BIGINT_TYPE The amount of swap, in bytes, used as cache memory
active BIGINT_TYPE The total amount of buffer or page cache memory, in bytes, that is in active use
inactive BIGINT_TYPE The total amount of buffer or page cache memory, in bytes, that are free and available
swap_total BIGINT_TYPE The total amount of swap available, in bytes
swap_free BIGINT_TYPE The total amount of swap free, in bytes

memory_map

OS memory region map.
ColumnTypeDescription
name TEXT_TYPE Region name
start TEXT_TYPE Start address of memory region
end TEXT_TYPE End address of memory region

msr

Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.
ColumnTypeDescription
processor_number BIGINT_TYPE The processor number as reported in /proc/cpuinfo
turbo_disabled BIGINT_TYPE Whether the turbo feature is disabled.
turbo_ratio_limit BIGINT_TYPE The turbo feature ratio limit.
platform_info BIGINT_TYPE Platform information.
perf_ctl BIGINT_TYPE Performance setting for the processor.
perf_status BIGINT_TYPE Performance status for the processor.
feature_control BIGINT_TYPE Bitfield controling enabled features.
rapl_power_limit BIGINT_TYPE Run Time Average Power Limiting power limit.
rapl_energy_status BIGINT_TYPE Run Time Average Power Limiting energy status.
rapl_power_units BIGINT_TYPE Run Time Average Power Limiting power units.

portage_keywords

A summary about portage configurations like keywords, mask and unmask.
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version which are affected by the use flags, empty means all
keyword TEXT_TYPE The keyword applied to the package
mask INTEGER_TYPE If the package is masked
unmask INTEGER_TYPE If the package is unmasked

portage_packages

Current list of installed packages
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version which are affected by the use flags, empty means all
slot TEXT_TYPE The slot used by package
build_time BIGINT_TYPE Unix time when package was built
repository TEXT_TYPE From which repository the ebuild was used
eapi BIGINT_TYPE The eapi for the ebuild
size BIGINT_TYPE The size of the package
world INTEGER_TYPE If package is in the world file

portage_use

List of enabled portage USE values for specific package.
ColumnTypeDescription
package TEXT_TYPE Package name
version TEXT_TYPE The version of the installed package
use TEXT_TYPE USE flag which has been enabled for package

rpm_package_files

RPM packages that are currently installed on the host system.
ColumnTypeDescription
package TEXT_TYPE RPM package name
path TEXT_TYPE Path name
username TEXT_TYPE File default username from info DB
groupname TEXT_TYPE File default groupname from info DB
mode TEXT_TYPE File permissions mode from info DB
size BIGINT_TYPE Expected file size in bytes from RPM info DB
sha256 TEXT_TYPE SHA256 file digest from RPM info DB

rpm_packages

RPM packages that are currently installed on the host system.
ColumnTypeDescription
name TEXT_TYPE RPM package name
version TEXT_TYPE Package version
release TEXT_TYPE Package release
source TEXT_TYPE Source RPM package name (optional)
size BIGINT_TYPE Package size in bytes
sha1 TEXT_TYPE SHA1 hash of the package contents
arch TEXT_TYPE Architecture(s) supported

shared_memory

OS shared memory regions.
ColumnTypeDescription
shmid INTEGER_TYPE Shared memory segment ID
owner_uid BIGINT_TYPE User ID of owning process
creator_uid BIGINT_TYPE User ID of creator process
pid BIGINT_TYPE Process ID to last use the segment
creator_pid BIGINT_TYPE Process ID that created the segment
atime BIGINT_TYPE Attached time
dtime BIGINT_TYPE Detached time
ctime BIGINT_TYPE Changed time
permissions TEXT_TYPE Memory segment permissions
size BIGINT_TYPE Size in bytes
attached INTEGER_TYPE Number of attached processes
status TEXT_TYPE Destination/attach status
locked INTEGER_TYPE 1 if segment is locked else 0

socket_events

Track network socket opens and closes.
ColumnTypeDescription
action TEXT_TYPE The socket action (bind, listen, close)
pid BIGINT_TYPE Process (or thread) ID
path TEXT_TYPE Path of executed file
fd TEXT_TYPE The file description for the process socket
success INTEGER_TYPE The socket open attempt status
family INTEGER_TYPE The Internet protocol family ID
protocol INTEGER_TYPE The network protocol ID
local_address TEXT_TYPE Local address associated with socket
remote_address TEXT_TYPE Remote address associated with socket
local_port INTEGER_TYPE Local network protocol port number
remote_port INTEGER_TYPE Remote network protocol port number
socket TEXT_TYPE The local path (UNIX domain socket only)
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime

syslog

ColumnTypeDescription
time BIGINT_TYPE Current unix epoch time
datetime TEXT_TYPE Time known to syslog
host TEXT_TYPE Hostname configured for syslog
severity INTEGER_TYPE Syslog severity
facility TEXT_TYPE Syslog facility
tag TEXT_TYPE The syslog tag
message TEXT_TYPE The syslog message

user_events

Track user events from the audit framework.
ColumnTypeDescription
uid BIGINT_TYPE User ID
pid BIGINT_TYPE Process (or thread) ID
message TEXT_TYPE Path of executed file
type INTEGER_TYPE The file description for the process socket
path TEXT_TYPE The socket open attempt status
address TEXT_TYPE The Internet protocol family ID
terminal TEXT_TYPE The network protocol ID
time BIGINT_TYPE Time of execution in UNIX time
uptime BIGINT_TYPE Time of execution in system uptime

Darwin (OS X)

ad_config

OS X Active Directory configuration.
ColumnTypeDescription
name TEXT_TYPE The OS X-specific configuration name
domain TEXT_TYPE Active Directory trust domain
option TEXT_TYPE Canonical name of option
value TEXT_TYPE Variable typed option value

alf

OS X application layer firewall (ALF) service details.
ColumnTypeDescription
allow_signed_enabled INTEGER_TYPE 1 If allow signed mode is enabled else 0
firewall_unload INTEGER_TYPE 1 If firewall unloading enabled else 0
global_state INTEGER_TYPE 1 If the firewall start by default else 0
logging_enabled INTEGER_TYPE 1 If logging mode is enabled else 0
logging_option INTEGER_TYPE Firewall logging option
stealth_enabled INTEGER_TYPE 1 If stealth mode is enabled else 0
version TEXT_TYPE Application Layer Firewall version

alf_exceptions

OS X application layer firewall (ALF) service exceptions.
ColumnTypeDescription
path TEXT_TYPE Path to the executable that is excepted
state INTEGER_TYPE Firewall exception state

alf_explicit_auths

ALF services explicitly allowed to perform networking.
ColumnTypeDescription
process TEXT_TYPE Process name explicitly allowed

alf_services

OS X application layer firewall (Firewall) services.
ColumnTypeDescription
service TEXT_TYPE Firewalled service name
process TEXT_TYPE Process name
state INTEGER_TYPE Firewall service state

app_schemes

OS X application schemes and handlers (e.g., http, file, mailto.
ColumnTypeDescription
scheme TEXT_TYPE Name of the scheme/protocol
handler TEXT_TYPE Application label for the handler
enabled INTEGER_TYPE 1 if this handler is the OS default, else 0
external INTEGER_TYPE 1 if this handler does NOT exist on OS X by default, else 0
protected INTEGER_TYPE 1 if this handler is protected (reserved) by OS X, else 0

apps

OS X applications installed in known search paths (e.g., /Applications).
ColumnTypeDescription
name TEXT_TYPE Name of the Name.app folder
path TEXT_TYPE Absolute and full Name.app path
bundle_executable TEXT_TYPE Info properties CFBundleExecutable label
bundle_identifier TEXT_TYPE Info properties CFBundleIdentifier label
bundle_name TEXT_TYPE Info properties CFBundleName label
bundle_short_version TEXT_TYPE Info properties CFBundleShortVersionString label
bundle_version TEXT_TYPE Info properties CFBundleVersion label
bundle_package_type TEXT_TYPE Info properties CFBundlePackageType label
environment TEXT_TYPE Application-set environment variables
element TEXT_TYPE Does the app identify as a background agent
compiler TEXT_TYPE Info properties DTCompiler label
development_region TEXT_TYPE Info properties CFBundleDevelopmentRegion label
display_name TEXT_TYPE Info properties CFBundleDisplayName label
info_string TEXT_TYPE Info properties CFBundleGetInfoString label
minimum_system_version TEXT_TYPE Minimum version of OS X required for the app to run
category TEXT_TYPE The UTI that categorizes the app for the App Store
applescript_enabled TEXT_TYPE Info properties NSAppleScriptEnabled label
copyright TEXT_TYPE Info properties NSHumanReadableCopyright label

asl

Queries the Apple System Log data structure for system events
ColumnTypeDescription
time INTEGER_TYPE Unix timestamp. Set automatically
time_nano_sec INTEGER_TYPE Nanosecond time.
host TEXT_TYPE Sender's address (set by the server).
sender TEXT_TYPE Sender's identification string. Default is process name.
facility TEXT_TYPE Sender's facility. Default is 'user'.
pid INTEGER_TYPE Sending process ID encoded as a string. Set automatically.
gid BIGINT_TYPE GID that sent the log message (set by the server).
uid BIGINT_TYPE UID that sent the log message (set by the server).
level INTEGER_TYPE Log level number. See levels in asl.h.
message TEXT_TYPE Message text.
ref_pid INTEGER_TYPE Reference PID for messages proxied by launchd
ref_proc TEXT_TYPE Reference process for messages proxied by launchd
extra TEXT_TYPE Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.

authorization_mechanisms

OS X Authorization mechanisms database.
ColumnTypeDescription
label TEXT_TYPE Label of the authorization right
plugin TEXT_TYPE Authorization plugin name
mechanism TEXT_TYPE Name of the mechanism that will be called
privileged TEXT_TYPE If privileged it will run as root, else as an anonymous user
entry TEXT_TYPE The whole string entry
select * from authorization_mechanisms;
select * from authorization_mechanisms where label = 'system.login.console';
select * from authorization_mechanisms where label = 'authenticate';

authorizations

OS X Authorization rights database.
ColumnTypeDescription
label TEXT_TYPE Item name, usually in reverse domain format
modified TEXT_TYPE Label top-level key
allow_root TEXT_TYPE Label top-level key
timeout TEXT_TYPE Label top-level key
version TEXT_TYPE Label top-level key
tries TEXT_TYPE Label top-level key
authenticate_user TEXT_TYPE Label top-level key
shared TEXT_TYPE Label top-level key
comment TEXT_TYPE Label top-level key
created TEXT_TYPE Label top-level key
class TEXT_TYPE Label top-level key
session_owner TEXT_TYPE Label top-level key
select * from authorizations;
select * from authorizations where label = 'system.login.console';
select * from authorizations where label = 'authenticate';
select * from authorizations where label = 'system.preferences.softwareupdate';

browser_plugins

All C/NPAPI browser plugin details for all users.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the plugin
name TEXT_TYPE Plugin display name
identifier TEXT_TYPE Plugin identifier
version TEXT_TYPE Plugin short version
sdk TEXT_TYPE Build SDK used to compile plugin
description TEXT_TYPE Plugin description text
development_region TEXT_TYPE Plugin language-localization
native INTEGER_TYPE Plugin requires native execution
path TEXT_TYPE Path to plugin bundle
disabled INTEGER_TYPE Is the plugin disabled. 1 = Disabled

certificates

Certificate Authorities installed in Keychains/ca-bundles.
ColumnTypeDescription
common_name TEXT_TYPE Certificate CommonName
subject TEXT_TYPE Certificate distinguished name
issuer TEXT_TYPE Certificate issuer distinguished name
ca INTEGER_TYPE 1 if CA: true (certificate is an authority) else 0
self_signed INTEGER_TYPE 1 if self-signed, else 0
not_valid_before TEXT_TYPE Lower bound of valid date
not_valid_after TEXT_TYPE Certificate expiration data
signing_algorithm TEXT_TYPE Signing algorithm used
key_algorithm TEXT_TYPE Key algorithm used
key_strength TEXT_TYPE Key size used for RSA/DSA, or curve name
key_usage TEXT_TYPE Certificate key usage and extended key usage
subject_key_id TEXT_TYPE SKID an optionally included SHA1
authority_key_id TEXT_TYPE AKID an optionally included SHA1
sha1 TEXT_TYPE SHA1 hash of the raw certificate contents
path TEXT_TYPE Path to Keychain or PEM bundle

crashes

Application and System Crash Logs
ColumnTypeDescription
type TEXT_TYPE Type of crash log
pid BIGINT_TYPE Process (or thread) ID of the crashed process
path TEXT_TYPE Path to the crashed process
crash_path TEXT_TYPE Location of log file
identifier TEXT_TYPE Identifier of the crashed process
version TEXT_TYPE Version info of the crashed process
parent BIGINT_TYPE Parent PID of the crashed process
responsible TEXT_TYPE Process responsible for the crashed process
uid INTEGER_TYPE User ID of the crashed process
datetime TEXT_TYPE Date/Time at which the crash occurred
crashed_thread BIGINT_TYPE Thread ID which crashed
stack_trace TEXT_TYPE Most recent frame from the stack trace
exception_type TEXT_TYPE Exception type of the crash
exception_codes TEXT_TYPE Exception codes from the crash
exception_notes TEXT_TYPE Exception notes from the crash
registers TEXT_TYPE The value of the system registers

disk_events

Track DMG disk image events (appearance/disappearance) when opened.
ColumnTypeDescription
action TEXT_TYPE Appear or disappear
path TEXT_TYPE Path of the DMG file accessed
name TEXT_TYPE Disk event name
bsd_name TEXT_TYPE Disk event BSD name
uuid TEXT_TYPE UUID of the volume inside DMG if available
size BIGINT_TYPE Size of partition in bytes
ejectable INTEGER_TYPE 1 if ejectable, 0 if not
mountable INTEGER_TYPE 1 if mountable, 0 if not
writable INTEGER_TYPE 1 if writable, 0 if not
content TEXT_TYPE Disk event content
media_name TEXT_TYPE Disk event media name string
vendor TEXT_TYPE Disk event vendor string
filesystem TEXT_TYPE Filesystem if available
checksum TEXT_TYPE UDIF Master checksum if available (CRC32)
time BIGINT_TYPE Time of appearance/disappearance in UNIX time

extended_attributes

Get the extended attributes for files (similar to Windows ADS)
ColumnTypeDescription
path TEXT_TYPE Absolute file path
directory TEXT_TYPE Directory of file(s)
key TEXT_TYPE Name of the value generated from the extended attribute
value TEXT_TYPE The parsed information from the attribute
base64 INTEGER_TYPE 1 if the value is base64 encoded else 0

fan_speed_sensors

Fan speeds.
ColumnTypeDescription
fan TEXT_TYPE Fan number
name TEXT_TYPE Fan name
actual INTEGER_TYPE Actual speed
min INTEGER_TYPE Minimum speed
max INTEGER_TYPE Maximum speed
target INTEGER_TYPE Target speed

homebrew_packages

The installed homebrew package database.
ColumnTypeDescription
name TEXT_TYPE Package name
path TEXT_TYPE Package install path
version TEXT_TYPE Current 'linked' version

iokit_devicetree

The IOKit registry matching the DeviceTree plane.
ColumnTypeDescription
name TEXT_TYPE Device node name
class TEXT_TYPE Best matching device class (most-specific category)
id BIGINT_TYPE IOKit internal registry ID
parent BIGINT_TYPE Parent device registry ID
device_path TEXT_TYPE Device tree path
service INTEGER_TYPE 1 if the device conforms to IOService else 0
busy_state INTEGER_TYPE 1 if the device is in a busy state else 0
retain_count INTEGER_TYPE The device reference count
depth INTEGER_TYPE Device nested depth

iokit_registry

The full IOKit registry without selecting a plane.
ColumnTypeDescription
name TEXT_TYPE Default name of the node
class TEXT_TYPE Best matching device class (most-specific category)
id BIGINT_TYPE IOKit internal registry ID
parent BIGINT_TYPE Parent registry ID
busy_state INTEGER_TYPE 1 if the node is in a busy state else 0
retain_count INTEGER_TYPE The node reference count
depth INTEGER_TYPE Node nested depth

kernel_extensions

OS X's kernel extensions, both loaded and within the load search path.
ColumnTypeDescription
idx INTEGER_TYPE Extension load tag or index
refs INTEGER_TYPE Reference count
size BIGINT_TYPE Bytes of wired memory used by extension
name TEXT_TYPE Extension label
version TEXT_TYPE Extension version
linked_against TEXT_TYPE Indexes of extensions this extension is linked against
path TEXT_TYPE Optional path to extension bundle

kernel_panics

Kernel Panics
ColumnTypeDescription
path TEXT_TYPE Location of log file
time TEXT_TYPE Formatted time of the event
registers TEXT_TYPE A space delimited line of register:value pairs
frame_backtrace TEXT_TYPE Backtrace of the crashed module
module_backtrace TEXT_TYPE Modules appearing in the crashed module's backtrace
dependencies TEXT_TYPE Module dependencies existing in crashed module's backtrace
name TEXT_TYPE Process name corresponding to crashed thread
os_version TEXT_TYPE Version of the operating system
kernel_version TEXT_TYPE Version of the system kernel
system_model TEXT_TYPE Physical system model, for example 'MacBookPro12,1 (Mac-E43C1C25D4880AD6)'
uptime BIGINT_TYPE System uptime at kernel panic in nanoseconds
last_loaded TEXT_TYPE Last loaded module before panic
last_unloaded TEXT_TYPE Last unloaded module before panic

keychain_acls

Applications that have ACL entries in the keychain.
ColumnTypeDescription
keychain_path TEXT_TYPE The path of the keychain
authorizations TEXT_TYPE A space delimited set of authorization attributes
path TEXT_TYPE The path of the authorized application
description TEXT_TYPE The description included with the ACL entry
label TEXT_TYPE An optional label tag that may be included with the keychain entry
select label, description, authorizations, path, count(path) as c from keychain_acls where label != '' and path != '' group by label having c > 1;

keychain_items

Generic details about keychain items
ColumnTypeDescription
label TEXT_TYPE Generic item name
description TEXT_TYPE Optional item description
comment TEXT_TYPE Optional keychain comment
created TEXT_TYPE Data item was created
modified TEXT_TYPE Date of last modification
type TEXT_TYPE Keychain item type (class)
path TEXT_TYPE Path to keychain containing item

launchd

LaunchAgents and LaunchDaemons from default search paths.
ColumnTypeDescription
path TEXT_TYPE Path to daemon or agent plist
name TEXT_TYPE File name of plist (used by launchd)
label TEXT_TYPE Daemon or agent service name
program TEXT_TYPE Path to target program
run_at_load TEXT_TYPE Should the program run on launch load
keep_alive TEXT_TYPE Should the process be restarted if killed
on_demand TEXT_TYPE Deprecated key, replaced by keep_alive
disabled TEXT_TYPE Skip loading this daemon or agent on boot
username TEXT_TYPE Run this daemon or agent as this username
groupname TEXT_TYPE Run this daemon or agent as this group
stdout_path TEXT_TYPE Pipe stdout to a target path
stderr_path TEXT_TYPE Pipe stderr to a target path
start_interval TEXT_TYPE Frecuency of running in seconds
program_arguments TEXT_TYPE Command line arguments passed to program
watch_paths TEXT_TYPE Key that launches daemon or agent if path is modified
queue_directories TEXT_TYPE Similar to watch_paths but only with non-empty directories
inetd_compatibility TEXT_TYPE Run this daemon or agent as it was launched from inetd
start_on_mount TEXT_TYPE Run daemon or agent every time a filesystem is mounted
root_directory TEXT_TYPE Key used to specify a directory to chroot to before launch
working_directory TEXT_TYPE Key used to specify a directory to chdir to before launch
process_type TEXT_TYPE Key describes the intended purpose of the job

launchd_overrides

Override keys, per user, for LaunchDaemons and Agents.
ColumnTypeDescription
label TEXT_TYPE Daemon or agent service name
key TEXT_TYPE Name of the override key
value TEXT_TYPE Overriden value
uid BIGINT_TYPE User ID applied to the override, 0 applies to all
path TEXT_TYPE Path to daemon or agent plist

managed_policies

The managed configuration policies from AD, MDM, MCX, etc.
ColumnTypeDescription
domain TEXT_TYPE System or manager-chosen domain key
uuid TEXT_TYPE Optional UUID assigned to policy set
name TEXT_TYPE Policy key name
value TEXT_TYPE Policy value
username TEXT_TYPE Policy applies only this user
manual INTEGER_TYPE 1 if policy was loaded manually, otherwise 0

nfs_shares

NFS shares exported by the host.
ColumnTypeDescription
share TEXT_TYPE Filesystem path to the share
options TEXT_TYPE Options string set on the export share
readonly INTEGER_TYPE 1 if the share is exported readonly else 0

nvram

Apple NVRAM variable listing.
ColumnTypeDescription
name TEXT_TYPE Variable name
type TEXT_TYPE Data type (CFData, CFString, etc)
value TEXT_TYPE Raw variable data

package_bom

OS X package bill of materials (BOM) file list.
ColumnTypeDescription
filepath TEXT_TYPE Package file or directory
uid INTEGER_TYPE Expected user of file or directory
gid INTEGER_TYPE Expected group of file or directory
mode INTEGER_TYPE Expected permissions
size BIGINT_TYPE Expected file size
modified_time INTEGER_TYPE Timestamp the file was installed
path TEXT_TYPE Path of package bom
select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'

package_install_history

OS X package install history.
ColumnTypeDescription
package_id TEXT_TYPE Label packageIdentifiers
time INTEGER_TYPE Label date as UNIX timestamp
name TEXT_TYPE Package display name
version TEXT_TYPE Package display version
source TEXT_TYPE Install source: usually the installer process name
content_type TEXT_TYPE Package content_type (optional)

package_receipts

OS X package receipt details.
ColumnTypeDescription
package_id TEXT_TYPE Package domain identifier
package_filename TEXT_TYPE Filename of original .pkg file
version TEXT_TYPE Installed package version
location TEXT_TYPE Optional relative install path on volume
install_time DOUBLE_TYPE Timestamp of install time
installer_name TEXT_TYPE Name of installer process
path TEXT_TYPE Path of receipt plist
select * from package_bom where path = '/var/db/receipts/com.apple.pkg.MobileDevice.bom'

power_sensors

Machine power (currents, voltages, wattages, etc) sensors.
ColumnTypeDescription
key TEXT_TYPE The SMC key on OS X
category TEXT_TYPE The sensor category: currents, voltage, wattage
name TEXT_TYPE Name of power source
value TEXT_TYPE Power in Watts
select * from power_sensors where category = 'voltage'

preferences

OS X defaults and managed preferences.
ColumnTypeDescription
domain TEXT_TYPE Application ID usually in com.name.product format
key TEXT_TYPE Preference top-level key
subkey TEXT_TYPE Intemediate key path, includes lists/dicts
value TEXT_TYPE String value of most CF types
forced INTEGER_TYPE 1 if the value is forced/managed, else 0
path TEXT_TYPE (optional) read preferences from a plist
select * from preferences where domain = 'loginwindow'
select * from preferences where path = '/Library/Preferences/loginwindow.plist'

process_file_events

Process file events (open and close) from kernel extension.
ColumnTypeDescription
action TEXT_TYPE The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)
pid BIGINT_TYPE Process ID of the process using the file
path TEXT_TYPE Path of file
parent BIGINT_TYPE Parent process ID of the process using the file
uid BIGINT_TYPE Real user ID of the user process using the file
euid BIGINT_TYPE Effective user ID of the process using the file
gid BIGINT_TYPE Real group ID of the process using the file
egid BIGINT_TYPE Effective group ID of the processs using the file
mode BIGINT_TYPE Indicates the mode of the file
owner_uid BIGINT_TYPE User ID of the owner of the file
owner_gid BIGINT_TYPE Group ID of the owner of the file
atime BIGINT_TYPE Time of last access in UNIX epoch time
mtime BIGINT_TYPE Time of last modification in UNIX epoch time
ctime BIGINT_TYPE Time of last status change
time BIGINT_TYPE Time of event in UNIX epoch time
uptime BIGINT_TYPE Time of event in system uptime

quicklook_cache

Files and thumbnails within OS X's Quicklook Cache
ColumnTypeDescription
path TEXT_TYPE Path of file
rowid INTEGER_TYPE Quicklook file rowid key
fs_id TEXT_TYPE Quicklook file fs_id key
volume_id INTEGER_TYPE Parsed volume ID from fs_id
inode INTEGER_TYPE Parsed file ID (inode) from fs_id
mtime INTEGER_TYPE Parsed version date field
size BIGINT_TYPE Parsed version size field
label TEXT_TYPE Parsed version 'gen' field
last_hit_date INTEGER_TYPE Apple date format for last thumbnail cache hit
hit_count TEXT_TYPE Number of cache hits on thumbnail
icon_mode BIGINT_TYPE Thumbnail icon mode
cache_path TEXT_TYPE Path to cache data

safari_extensions

Safari browser extension details for all users.
ColumnTypeDescription
uid BIGINT_TYPE The local user that owns the extension
name TEXT_TYPE Extension display name
identifier TEXT_TYPE Extension identifier
version TEXT_TYPE Extension long version
sdk TEXT_TYPE Bundle SDK used to compile extension
update_url TEXT_TYPE Extension-supplied update URI
author TEXT_TYPE Optional extension author
developer_id TEXT_TYPE Optional developer identifier
description TEXT_TYPE Optional extension description text
path TEXT_TYPE Path to extension XAR bundle
select count(*) from users JOIN safari_extensions using (uid)

sandboxes

OS X application sandboxes container details.
ColumnTypeDescription
label TEXT_TYPE UTI-format bundle or label ID
user TEXT_TYPE Sandbox owner
enabled INTEGER_TYPE Application sandboxings enabled on container
build_id TEXT_TYPE Sandbox-specific identifier
bundle_path TEXT_TYPE Application bundle used by the sandbox
path TEXT_TYPE Path to sandbox container directory

signature

File (executable, bundle, installer, disk) code signing status.
ColumnTypeDescription
path TEXT_TYPE Must provide a path or directory
signed INTEGER_TYPE 1 If the file is signed else 0
identifier TEXT_TYPE The signing identifier sealed into the signature
cdhash TEXT_TYPE SHA1 hash of the application Code Directory
team_identifier TEXT_TYPE The team signing identifier sealed into the signature
authority TEXT_TYPE Certificate Common Name
select * from signature where path = '/bin/ls'

sip_config

Apple's System Integrity Protection (rootless) status
ColumnTypeDescription
config_flag TEXT_TYPE The System Integrity Protection config flag
enabled INTEGER_TYPE 1 if this configuration is enabled, otherwise 0
enabled_nvram INTEGER_TYPE 1 if this configuration is enabled, otherwise 0
select * from sip_config

smc_keys

Apple's system management controller keys.
ColumnTypeDescription
key TEXT_TYPE 4-character key
type TEXT_TYPE SMC-reported type literal type
size INTEGER_TYPE Reported size of data in bytes
value TEXT_TYPE A type-encoded representation of the key value
hidden INTEGER_TYPE 1 if this key is normally hidden, otherwise 0
select * from smc_keys where key = 'MOJO'

startup_items

Applications and binaries set as user/login startup items.
ColumnTypeDescription
name TEXT_TYPE Name of startup item
path TEXT_TYPE Path of startup item
type TEXT_TYPE Startup Item or Login Item
source TEXT_TYPE Directory or plist containing startup item

temperature_sensors

Machine's temperature sensors.
ColumnTypeDescription
key TEXT_TYPE The SMC key on OS X
name TEXT_TYPE Name of temperature source
celsius TEXT_TYPE Temperature in Celsius
fahrenheit TEXT_TYPE Temperature in Fahrenheit

wifi_networks

OS X known/remembered Wi-Fi networks list.
ColumnTypeDescription
ssid TEXT_TYPE SSID octets of the network
network_name TEXT_TYPE Name of the network
security_type TEXT_TYPE Type of security on this network
last_connected INTEGER_TYPE Last time this netword was connected to as a unix_time
passpoint INTEGER_TYPE 1 if Passpoint is supported, 0 otherwise
possibly_hidden INTEGER_TYPE 1 if network is possibly a hidden network, 0 otherwise
roaming INTEGER_TYPE 1 if roaming is supported, 0 otherwise
roaming_profile TEXT_TYPE Describe the roaming profile, usually one of Single, Dual or Multi
captive_portal INTEGER_TYPE 1 if this network has a captive portal, 0 otherwise
auto_login INTEGER_TYPE 1 if auto login is enabled, 0 otherwise
temporarily_disabled INTEGER_TYPE 1 if this network is temporarily disabled, 0 otherwise
disabled INTEGER_TYPE 1 if this network is disabled, 0 otherwise

wifi_status

OS X current WiFi status
ColumnTypeDescription
interface TEXT_TYPE Name of the interface
ssid TEXT_TYPE SSID octets of the network
bssid TEXT_TYPE The current basic service set identifier
network_name TEXT_TYPE Name of the network
security_type TEXT_TYPE Type of security on this network
rssi INTEGER_TYPE The current received signal strength indication (dbm)
noise INTEGER_TYPE The current noise measurement (dBm)
channel_width INTEGER_TYPE Channel width
channel_band INTEGER_TYPE Channel band
transmit_rate TEXT_TYPE The current transmit rate
mode TEXT_TYPE The current operating mode for the Wi-Fi interface

wifi_survey

Scan for nearby WiFi networks
ColumnTypeDescription
interface TEXT_TYPE Name of the interface
ssid TEXT_TYPE SSID octets of the network
bssid TEXT_TYPE The current basic service set identifier
network_name TEXT_TYPE Name of the network
rssi INTEGER_TYPE The current received signal strength indication (dbm)
noise INTEGER_TYPE The current noise measurement (dBm)
channel_width INTEGER_TYPE Channel width
channel_band INTEGER_TYPE Channel band

xprotect_entries

Database of the machine's XProtect signatures.
ColumnTypeDescription
name TEXT_TYPE Description of XProtected malware
launch_type TEXT_TYPE Launch services content type
identity TEXT_TYPE XProtect identity (SHA1) of content
filename TEXT_TYPE Use this file name to match
filetype TEXT_TYPE Use this file type to match
optional INTEGER_TYPE Match any of the identities/patterns for this XProtect name
uses_pattern INTEGER_TYPE Uses a match pattern instead of identity

xprotect_meta

Database of the machine's XProtect browser-related signatures.
ColumnTypeDescription
identifier TEXT_TYPE Browser plugin or extension identifier
type TEXT_TYPE Either plugin or extension
developer_id TEXT_TYPE Developer identity (SHA1) of extension
min_version TEXT_TYPE The minimum allowed plugin version.

xprotect_reports

Database of XProtect matches (if user generated/sent an XProtect report).
ColumnTypeDescription
name TEXT_TYPE Description of XProtected malware
user_action TEXT_TYPE Action taken by user after prompted
time TEXT_TYPE Quarantine alert time

Utility

file

Interactive filesystem attributes and metadata.
ColumnTypeDescription
path TEXT_TYPE Absolute file path
directory TEXT_TYPE Directory of file(s)
filename TEXT_TYPE Name portion of file path
inode BIGINT_TYPE Filesystem inode number
uid BIGINT_TYPE Owning user ID
gid BIGINT_TYPE Owning group ID
mode TEXT_TYPE Permission bits
device BIGINT_TYPE Device ID (optional)
size BIGINT_TYPE Size of file in bytes
block_size INTEGER_TYPE Block size of filesystem
atime BIGINT_TYPE Last access time
mtime BIGINT_TYPE Last modification time
ctime BIGINT_TYPE Last status change time
btime BIGINT_TYPE (B)irth or (cr)eate time
hard_links INTEGER_TYPE Number of hard links
type TEXT_TYPE File status
select * from file where path = '/etc/passwd'
select * from file where directory = '/etc/'
select * from file where path LIKE '/etc/%'

hash

Filesystem hash data.
ColumnTypeDescription
path TEXT_TYPE Must provide a path or directory
directory TEXT_TYPE Must provide a path or directory
md5 TEXT_TYPE MD5 hash of provided filesystem data
sha1 TEXT_TYPE SHA1 hash of provided filesystem data
sha256 TEXT_TYPE SHA256 hash of provided filesystem data
select * from hash where path = '/etc/passwd'
select * from hash where directory = '/etc/'

osquery_events

Information about the event publishers and subscribers.
ColumnTypeDescription
name TEXT_TYPE Event publisher or subscriber name
publisher TEXT_TYPE Name of the associated publisher
type TEXT_TYPE Either publisher or subscriber
subscriptions INTEGER_TYPE Number of subscriptions the publisher received or subscriber used
events INTEGER_TYPE Number of events emitted or received since osquery started
refreshes INTEGER_TYPE Publisher only: number of runloop restarts
active INTEGER_TYPE 1 if the publisher or subscriber is active else 0

osquery_extensions

List of active osquery extensions.
ColumnTypeDescription
uuid BIGINT_TYPE The transient ID assigned for communication
name TEXT_TYPE Extension's name
version TEXT_TYPE Extenion's version
sdk_version TEXT_TYPE osquery SDK version used to build the extension
path TEXT_TYPE Path of the extenion's domain socket or library path
type TEXT_TYPE SDK extension type: extension or module

osquery_flags

Configurable flags that modify osquery's behavior.
ColumnTypeDescription
name TEXT_TYPE Flag name
type TEXT_TYPE Flag type
description TEXT_TYPE Flag description
default_value TEXT_TYPE Flag default value
value TEXT_TYPE Flag value
shell_only INTEGER_TYPE Is the flag shell only?

osquery_info

Top level information about the running version of osquery.
ColumnTypeDescription
pid INTEGER_TYPE Process (or thread/handle) ID
version TEXT_TYPE osquery toolkit version
config_hash TEXT_TYPE Hash of the working configuration state
config_valid INTEGER_TYPE 1 if the config was loaded and considered valid, else 0
extensions TEXT_TYPE osquery extensions status
build_platform TEXT_TYPE osquery toolkit build platform
build_distro TEXT_TYPE osquery toolkit platform distribution name (os version)
start_time INTEGER_TYPE UNIX time in seconds when the process started
watcher INTEGER_TYPE Process (or thread/handle) ID of optional watcher process

osquery_packs

Information about the current query packs that are loaded in osquery.
ColumnTypeDescription
name TEXT_TYPE The given name for this query pack
platform TEXT_TYPE Platforms this query is supported on
version TEXT_TYPE Minimum osquery version that this query will run on
shard INTEGER_TYPE Shard restriction limit, 1-100, 0 meaning no restriction
discovery_cache_hits INTEGER_TYPE The number of times that the discovery query used cached values since the last time the config was reloaded
discovery_executions INTEGER_TYPE The number of times that the discovery queries have been executed since the last time the config was reloaded
active INTEGER_TYPE Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.

osquery_registry

List the osquery registry plugins.
ColumnTypeDescription
registry TEXT_TYPE Name of the osquery registry
name TEXT_TYPE Name of the plugin item
owner_uuid INTEGER_TYPE Extension route UUID (0 for core)
internal INTEGER_TYPE 1 If the plugin is internal else 0
active INTEGER_TYPE 1 If this plugin is active else 0

osquery_schedule

Information about the current queries that are scheduled in osquery.
ColumnTypeDescription
name TEXT_TYPE The given name for this query
query TEXT_TYPE The exact query to run
interval INTEGER_TYPE The interval in seconds to run this query, not an exact interval
executions BIGINT_TYPE Number of times the query was executed
last_executed BIGINT_TYPE UNIX time stamp in seconds of the last completed execution
output_size BIGINT_TYPE Total number of bytes generated by the query
wall_time BIGINT_TYPE Total wall time spent executing
user_time BIGINT_TYPE Total user time spent executing
system_time BIGINT_TYPE Total system time spent executing
average_memory BIGINT_TYPE Average private memory left after executing

time

Track current date and time in the system.
ColumnTypeDescription
weekday TEXT_TYPE Current weekday in the system
year INTEGER_TYPE Current year in the system
month INTEGER_TYPE Current month in the system
day INTEGER_TYPE Current day in the system
hour INTEGER_TYPE Current hour in the system
minutes INTEGER_TYPE Current minutes in the system
seconds INTEGER_TYPE Current seconds in the system
timezone TEXT_TYPE Current timezone in the system
local_time INTEGER_TYPE Current local UNIX time in the system
local_timezone TEXT_TYPE Current local timezone in the system
unix_time INTEGER_TYPE Current UNIX time in the system, converted to UTC if --utc enabled
timestamp TEXT_TYPE Current timestamp (log format) in the system
datetime TEXT_TYPE Current date and time (ISO format) in the system
iso_8601 TEXT_TYPE Current time (ISO format) in the system