osquery | Schema

account_policy_data

Additional OS X user account data from the AccountPolicy section of OpenDirectory.

acpi_tables

Firmware ACPI functional table common metadata and content.

ad_config

OS X Active Directory configuration.

OS X application layer firewall (ALF) service details.

alf_exceptions

OS X application layer firewall (ALF) service exceptions.

alf_explicit_auths

ALF services explicitly allowed to perform networking.

app_schemes

OS X application schemes and handlers (e.g., http, file, mailto).

apparmor_events(EVENTED TABLE)

Track AppArmor events.

apparmor_profiles

Track active AppArmor profiles.

appcompat_shims

Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.

OS X applications installed in known search paths (e.g., /Applications).

apt_sources

Current list of APT repositories or software channels.

arp_cache

Address resolution cache, both static and dynamic (from ARP, NDP).

Queries the Apple System Log data structure for system events.

atom_packages

Lists all atom packages in a directory or globally installed in a system.

augeas

Configuration files parsed by augeas.

authenticode

File (executable, bundle, installer, disk) code signing status.

authorization_mechanisms

OS X Authorization mechanisms database.

authorizations

OS X Authorization rights database.

authorized_keys

A line-delimited authorized_keys table.

autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.

azure_instance_metadata

Azure instance metadata.

azure_instance_tags

Azure instance tags.

background_activities_moderator

Background Activities Moderator (BAM) tracks application execution.

battery

Provides information about the internal battery of a Macbook.

bitlocker_info

Retrieve bitlocker status of the machine.

block_devices

Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.

bpf_process_events(EVENTED TABLE)

Track time/action process executions.

bpf_socket_events(EVENTED TABLE)

Track network socket opens and closes.

browser_plugins

All C/NPAPI browser plugin details for all users.

carbon_black_info

Returns info about a Carbon Black sensor install.

carves

List the set of completed and in-progress carves. If carve=1 then the query is treated as a new carve request.

certificates

Certificate Authorities installed in Keychains/ca-bundles.

chassis_info

Display information pertaining to the chassis and its security status.

chocolatey_packages

Chocolatey packages installed in a system.

chrome_extension_content_scripts

Chrome browser extension content scripts.

chrome_extensions

Chrome-based browser extensions.

connectivity

Provides the overall system's network state.

cpu_info

Retrieve cpu hardware info of the machine.

cpu_time

Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.

cpuid

Useful CPU features from the cpuid ASM call.

crashes

Application, System, and Mobile App crash logs.

crontab

Line parsed values from system and user cron/tab.

cups_destinations

Returns all configured printers.

cups_jobs

Returns all completed print jobs from cups.

Perform an http request and return stats about it.

curl_certificate

Inspect TLS certificates by connecting to input hostnames.

deb_packages

The installed DEB package database.

default_environment

Default environment variables and values.

device_file

Similar to the file table, but use TSK and allow block address access.

device_firmware

A best-effort list of discovered firmware versions.

device_hash

Similar to the hash table, but use TSK and allow block address access.

device_partitions

Use TSK to enumerate details about partitions on a disk device.

disk_encryption

Disk encryption status and information.

disk_events(EVENTED TABLE)

Track DMG disk image events (appearance/disappearance) when opened.

disk_info

Retrieve basic information about the physical disks of a system.

dns_cache

Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.

dns_resolvers

Resolvers used by this host.

docker_container_fs_changes

Changes to files or directories on container's filesystem.

docker_container_labels

Docker container labels.

docker_container_mounts

Docker container mounts.

docker_container_networks

Docker container networks.

docker_container_ports

Docker container ports.

docker_container_processes

Docker container processes.

docker_container_stats

Docker container statistics. Queries on this table take at least one second.

docker_containers

Docker containers information.

docker_image_history

Docker image history information.

docker_image_labels

Docker image labels.

docker_image_layers

Docker image layers information.

docker_images

Docker images information.

docker_info

Docker system information.

docker_network_labels

Docker network labels.

docker_networks

Docker networks information.

docker_version

Docker version information.

docker_volume_labels

Docker volume labels.

docker_volumes

Docker volumes information.

drivers

Details for in-use Windows device drivers. This does not display installed but unused drivers.

ec2_instance_metadata

EC2 instance metadata.

ec2_instance_tags

EC2 instance tag key value pairs.

elf_dynamic

ELF dynamic section information.

elf_info

ELF file information.

elf_sections

ELF section information.

elf_segments

ELF segment information.

elf_symbols

ELF symbol list.

es_process_events(EVENTED TABLE)

Process execution events from EndpointSecurity.

etc_hosts

Line-parsed /etc/hosts.

etc_protocols

Line-parsed /etc/protocols.

etc_services

Line-parsed /etc/services.

event_taps

Returns information about installed event taps.

example(EVENTED TABLE)

This is an example table spec.

extended_attributes

Returns the extended attributes for files (similar to Windows ADS).

fan_speed_sensors

Fan speeds.

fbsd_kmods

Loaded FreeBSD kernel modules.

Interactive filesystem attributes and metadata.

file_events(EVENTED TABLE)

Track time/action changes to files specified in configuration data.

firefox_addons

Firefox browser extensions, webapps, and addons.

gatekeeper

OS X Gatekeeper Details.

gatekeeper_approved_apps

Gatekeeper apps a user has allowed to run.

groups

Local system groups.

hardware_events(EVENTED TABLE)

Hardware (PCI/USB/HID) events from UDEV or IOKit.

Filesystem hash data.

homebrew_packages

The installed homebrew package database.

hvci_status

Retrieve HVCI info of the machine.

ibridge_info

Information about the Apple iBridge hardware controller.

ie_extensions

Internet Explorer browser extensions.

intel_me_info

Intel ME/CSE Info.

interface_addresses

Network interfaces and relevant metadata.

interface_details

Detailed information and stats of network interfaces.

interface_ipv6

IPv6 configuration and stats of network interfaces.

iokit_devicetree

The IOKit registry matching the DeviceTree plane.

iokit_registry

The full IOKit registry without selecting a plane.

iptables

Linux IP packet filtering and NAT tool.

kernel_extensions

OS X's kernel extensions, both loaded and within the load search path.

kernel_info

Basic active kernel information.

kernel_modules

Linux kernel modules both loaded and within the load search path.

kernel_panics

System kernel panic logs.

keychain_acls

Applications that have ACL entries in the keychain.

keychain_items

Generic details about keychain items.

known_hosts

A line-delimited known_hosts table.

kva_speculative_info

Display kernel virtual address and speculative execution information for the system.

System logins and logouts.

launchd

LaunchAgents and LaunchDaemons from default search paths.

launchd_overrides

Override keys, per user, for LaunchDaemons and Agents.

listening_ports

Processes with listening (bound) network sockets/ports.

lldp_neighbors

LLDP neighbors of interfaces.

load_average

Displays information about the system wide load averages.

location_services

Reports the status of the Location Services feature of the OS.

logged_in_users

Users with an active shell on the system.

logical_drives

Details for logical drives on the system. A logical drive generally represents a single partition.

logon_sessions

Windows Logon Session.

lxd_certificates

LXD certificates information.

lxd_cluster

LXD cluster information.

lxd_cluster_members

LXD cluster members information.

lxd_images

LXD images information.

lxd_instance_config

LXD instance configuration information.

lxd_instance_devices

LXD instance devices information.

lxd_instances

LXD instances information.

lxd_networks

LXD network information.

lxd_storage_pools

LXD storage pool information.

magic

Magic number recognition library table.

managed_policies

The managed configuration policies from AD, MDM, MCX, etc.

md_devices

Software RAID array settings.

md_drives

Drive devices used for Software RAID.

md_personalities

Software RAID setting supported by the kernel.

mdfind

Run searches against the spotlight database.

Query file metadata in the Spotlight database.

memory_array_mapped_addresses

Data associated for address mapping of physical memory arrays.

memory_arrays

Data associated with collection of memory devices that operate to form a memory address.

memory_device_mapped_addresses

Data associated for address mapping of physical memory devices.

memory_devices

Physical memory device (type 17) information retrieved from SMBIOS.

memory_error_info

Data associated with errors of a physical memory array.

memory_info

Main memory information in bytes.

memory_map

OS memory region map.

mounts

System mounted devices and filesystems (not process specific).

Various pieces of data stored in the model specific register per processor. NOTE: the msr kernel module must be enabled, and osquery must be run as root.

nfs_shares

NFS shares exported by the host.

npm_packages

Lists all npm packages in a directory or globally installed in a system.

ntdomains

Display basic NT domain information of a Windows machine.

ntfs_acl_permissions

Retrieve NTFS ACL permission information for files and directories.

ntfs_journal_events(EVENTED TABLE)

Track time/action changes to files specified in configuration data.

nvram

Apple NVRAM variable listing.

oem_strings

OEM defined strings retrieved from SMBIOS.

office_mru

View recently opened Office documents.

os_version

A single row containing the operating system name and version.

osquery_events

Information about the event publishers and subscribers.

osquery_extensions

List of active osquery extensions.

osquery_flags

Configurable flags that modify osquery's behavior.

osquery_info

Top level information about the running version of osquery.

osquery_packs

Information about the current query packs that are loaded in osquery.

osquery_registry

List the osquery registry plugins.

osquery_schedule

Information about the current queries that are scheduled in osquery.

package_bom

OS X package bill of materials (BOM) file list.

package_install_history

OS X package install history.

package_receipts

OS X package receipt details.

patches

Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).

pci_devices

PCI devices active on the host system.

physical_disk_performance

Provides provides raw data from performance counters that monitor hard or fixed disk drives on the system.

pipes

Named and Anonymous pipes.

pkg_packages

pkgng packages that are currently installed on the host system.

platform_info

Information about EFI/UEFI/ROM and platform/boot.

plist

Read and parse a plist file.

portage_keywords

A summary about portage configurations like keywords, mask and unmask.

portage_packages

List of currently installed packages.

portage_use

List of enabled portage USE values for specific package.

power_sensors

Machine power (currents, voltages, wattages, etc) sensors.

powershell_events(EVENTED TABLE)

Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.

preferences

OS X defaults and managed preferences.

prefetch

Prefetch files show metadata related to file execution.

process_envs

A key/value table of environment variables for each process.

process_events(EVENTED TABLE)

Track time/action process executions.

process_file_events(EVENTED TABLE)

A File Integrity Monitor implementation using the audit service.

process_memory_map

Process memory mapped files and pseudo device/regions.

process_namespaces

Linux namespaces for processes running on the host system.

process_open_files

File descriptors for each process.

process_open_pipes

Pipes and partner processes for each process.

process_open_sockets

Processes which have open network sockets on the system.

processes

All running processes on the host system.

programs

Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.

prometheus_metrics

Retrieve metrics from a Prometheus server.

python_packages

Python packages installed in a system.

quicklook_cache

Files and thumbnails within OS X's Quicklook Cache.

registry

All of the Windows registry hives.

routes

The active route table for the host system.

rpm_package_files

RPM packages that are currently installed on the host system.

rpm_packages

RPM packages that are currently installed on the host system.

running_apps

macOS applications currently running on the host system.

safari_extensions

Safari browser extension details for all users.

sandboxes

OS X application sandboxes container details.

scheduled_tasks

Lists all of the tasks in the Windows task scheduler.

screenlock

macOS screenlock status for the current logged in user context.

seccomp_events(EVENTED TABLE)

A virtual table that tracks seccomp events.

secureboot new

Secure Boot UEFI Settings.

selinux_events(EVENTED TABLE)

Track SELinux events.

selinux_settings

Track active SELinux settings.

services

Lists all installed Windows services and their relevant data.

shadow

Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.

shared_folders

Folders available to others via SMB or AFP.

shared_memory

OS shared memory regions.

shared_resources

Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.

sharing_preferences

OS X Sharing preferences.

shell_history

A line-delimited (command) table of per-user .*_history data.

shellbags

Shows directories accessed via Windows Explorer.

shimcache

Application Compatibility Cache, contains artifacts of execution.

shortcut_files

View data about Windows Shortcut files.

signature

File (executable, bundle, installer, disk) code signing status.

sip_config

Apple's System Integrity Protection (rootless) status.

smart_drive_info

Drive information read by SMART controller utilizing autodetect.

smbios_tables

BIOS (DMI) structure common details and content.

smc_keys

Apple's system management controller keys.

socket_events(EVENTED TABLE)

Track network socket opens and closes.

ssh_configs

A table of parsed ssh_configs.

startup_items

Applications and binaries set as user/login startup items.

sudoers

Rules for running commands as other users via sudo.

suid_bin

suid binaries in common locations.

syslog_events(EVENTED TABLE)

system_controls

sysctl names, values, and settings information.

system_extensions

macOS (>= 10.15) system extension table.

system_info

System information for identification.

systemd_units

Track systemd units.

temperature_sensors

Machine's temperature sensors.

Track current date and time in the system.

time_machine_backups

Backups to drives using TimeMachine.

time_machine_destinations

Locations backed up to using Time Machine.

tpm_info new

A table that lists the TPM related information.

ulimit_info

System resource usage limits.

uptime

Track time passed since last boot. Some systems track this as calendar time, some as runtime.

usb_devices

USB devices that are actively plugged into the host system.

user_events(EVENTED TABLE)

Track user events from the audit framework.

user_groups

Local system user group relationships.

user_interaction_events(EVENTED TABLE)

Track user interaction events from macOS' event tapping framework.

user_ssh_keys

Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.

userassist

UserAssist Registry Key tracks when a user executes an application from Windows Explorer.

users

Local user accounts (including domain accounts that have logged on locally (Windows)).

video_info

Retrieve video card information of the machine.

virtual_memory_info

Darwin Virtual Memory statistics.

wifi_networks

OS X known/remembered Wi-Fi networks list.

wifi_status

OS X current WiFi status.

wifi_survey

Scan for nearby WiFi networks.

winbaseobj

Lists named Windows objects in the default object directories, across all terminal services sessions. Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.

windows_crashes

Extracted information from Windows crash logs (Minidumps).

windows_eventlog

Table for querying all recorded Windows event logs.

windows_events(EVENTED TABLE)

Windows Event logs.

windows_optional_features

Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.

windows_security_center

The health status of Window Security features. Health values can be "Good", "Poor". "Snoozed", "Not Monitored", and "Error".

windows_security_products

Enumeration of registered Windows security products.

wmi_bios_info

Lists important information from the system bios.

wmi_cli_event_consumers

WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.

wmi_event_filters

Lists WMI event filters.

wmi_filter_consumer_binding

Lists the relationship between event consumers and filters.

wmi_script_event_consumers

WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.

xprotect_entries

Database of the machine's XProtect signatures.

xprotect_meta

Database of the machine's XProtect browser-related signatures.

xprotect_reports

Database of XProtect matches (if user generated/sent an XProtect report).

Track YARA matches for files or PIDs.

yara_events(EVENTED TABLE)

Track YARA matches for files specified in configuration data.

ycloud_instance_metadata

Yandex.Cloud instance metadata.

yum_sources

Current list of Yum repositories or software channels.