https://github.com/osquery/osquery logo
Join Slack
Powered by
# general
  • i
    Hi all, I have a question related to 
    process_events
    and the osqueryd. We have configured:
    Copy code
    "non_https_network_connection": {
      "query":
 "SELECT p.pid, p.path, pr.path AS parent_process, p.cmdline,
se.local_port, se.remote_port, se.local_address, se.remote_address FROM
socket_events AS se INNER JOIN process_events AS p ON p.pid = se.pid
LEFT JOIN process_events AS pr ON pr.pid = p.parent WHERE
.........<rest of query>';",
      "interval": "60",
      "description": "."
    },
    Now this work locally 
    osqueryi
    and presents all the events. The problem is when we run this pack with the deamon only one event is returned every 60s, while you would suspect all the events to be returned of the last 60s. Are we missing something here. Is this an optimisation issue? happy to hear? Best regards.
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by Smjert 
    <https://github.com/osquery/osquery/commit/e085e11838d4f921827cf4754184a05ef2c6f654|e085e118>
    - libs: Update googletest (#8604) osquery/osquery
  • i
    Hi everyone! I'm Irena, the new Apprentice at Fleet. Super excited to connect with you all ☺️
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/7c357da94e7a56ee3805a668672b4191cb702ec1|7c357da9>
    - Fix parsing of Windows shortcut (.lnk) files in file table (#8601) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/54b0739e8adf74c7ab3a127c822cb47838623630|54b0739e>
    - Fix Prefetch table for Windows 11 (#8615) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/45411df1568a75901892fdf0119d817431fc34c1|45411df1>
    - Update Windows runner version in hosted_runners.yml (#8618) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/eb72d1c5d8a2e78d277ce134e5bb7848614bb14e|eb72d1c5>
    - libs: libarchive: 3.6.2 -> 3.7.9 (#8605) osquery/osquery
  • r
    Hello! I am a PM working at Elastic and I am doing some researching in Osquery and see how we can improve our integration. Not sure it this is the right channel but there are some forensics artifacts that would be useful from a DFIR perspective to be queried like: AmCache, Jumplists, LNK files, etc. We saw that there was an attempt to get amcache but got rejected https://github.com/osquery/osquery/pull/7261. Did anyone face this before and found a way or a workaround to query this data? We are willing to support and contribute to the community but we would like to understand what are the limitations, blockers, etc.
    m
    • 2
    • 2
  • r
    Also we would like to understand and leverage the option of building our own extensions. Does osquery perform any checks on those extensions? If so, can someone list which are those checks and requirements? Like for example, to verify if the extensions are safe to use and do not contain any malware?
    c
    s
    • 3
    • 3
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by getvictor 
    <https://github.com/osquery/osquery/commit/85c8389a333843b2d17e6d00f59ead3344ff1906|85c8389a>
    - Fix hardware UUID caching (#8616) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/5959e3d28066ae9db3c0f9a3c56a25f53a3b0b1c|5959e3d2>
    - Add detection for ARM CPUs when running in x86 emulation (#8572) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/84587188bee2cca76110e693a5256692ef5bd722|84587188>
    - Reduce log noise for 
    hash
    table (#8626) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/df36e386e601e614e3aabb17e47fffbcef7a416f|df36e386>
    - Fix SQL example syntax in SQL introduction docs (#8620) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/2e1a79d65842f572732c526eedc7e998a75548b2|2e1a79d6>
    - Added jetbrains_plugins table (#8623) osquery/osquery
  • s
    Sharing for exposure.... osquery on RPi running Linux is sad panda.
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/97f03d106064635ac83f8337ba848c9216f19a90|97f03d10>
    - Add recent_files table on Windows (#8603) osquery/osquery
  • g
    Release - 5.18.0 New release published by zwass ## What's Changed • [Performance Analysis] print stderr if exists by @lichao127 in #8600 • libs: Update googletest by @Smjert in #8604 • Fix parsing of Windows shortcut (.lnk) files in file table by @zwass in #8601 • Fix Prefetch table for Windows 11 by @zwass in #8615 • Update Windows runner version in hosted_runners.yml by @zwass in #8618 • libs: libarchive: 3.6.2 -> 3.7.9 by @LeSuisse in #8605 • Fix hardware UUID caching by @sgress454 in #8616 • Add detection for ARM CPUs when running in x86 emulation by @dantecatalfamo in #8572 • Reduce log noise for 
    hash
    table by @lucasmrod in #8626 • Fix SQL example syntax in SQL introduction docs by @piotrgiedziun in #8620 • Added jetbrains_plugins table by @ksykulev in #8623 • Add recent_files table on Windows by @zwass in #8603 ## New Contributors • @piotrgiedziun made their first contribution in #8620 Full Changelog: 5.17.0...5.18.0 osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/12264c646c2a53fac8cf9fbbbf5b79b49d21ee85|12264c64>
    - Upgrading zlib to 1.3.1 (#8625) osquery/osquery
    l
    • 2
    • 1
  • z
    Hey folks, osquery 5.18.0 is now in prerelease. Binaries are available on the release page. Please test and report any issues you find! Fleet will be pushing to our 
    edge
    channel shortly.
    • 1
    • 1
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by lucasmrod 
    <https://github.com/osquery/osquery/commit/355b2adc45edeaaac37eca9d50b4d05d98e2ee3e|355b2adc>
    - Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery
  • g
    Release - 5.18.1 New release published by zwass Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery
  • z
    5.18.1 binaries are now available for testing. This should resolve the Windows ARM issue.
  • n
    amazing 💖
  • n
    hi, i'm Nora and i'm deploying the advanced Fleet license to my lil company 🙂
    z
    • 2
    • 1
  • n
    i'm really enjoying Fleet so far and osquery is dang cool
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless 
    <https://github.com/osquery/osquery/commit/35e28b66c029f053da8f8a6bfa662307f79b5982|35e28b66>
    - Update linux block_device and disk_encryption source data to simple sysfs implementation (#8182) osquery/osquery
    🆒 1
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/600495f52a9ac7080f0df805f70460932e161093|600495f5>
    - Fix ATC for open Firefox databases (#8631) osquery/osquery
  • a
    Hey everyone 👋 The docs specify one should run 
    make docs
    to build the sdk documentation (src)
    The public API and SDK headers are documented via doxygen. To generate web-based documentation, you will need to install doxygen, run 
    make docs
    from the repository root, then open 
    ./build/docs/html/index.html
    .
    But the Makefile was removed a long time ago There’s also an issue about it here: https://github.com/osquery/osquery/issues/7491 What is the right way to compile the SDK docs locally? Thanks!
  • r
    Hello, I would like to open a topic here regarding YARA. The current implementation of the 
    yara
    table in osquery only supports scanning files on disk. However, the underlying YARA library supports scanning of process memory, which is a critical capability for incident response and forensic investigations. Looking at the osquery implementation, 
    path
    is required in the yara query table. 
    path
    is also validated in the osquery code that calls yara. We thought that by modifying osquery to make 
    path
    optional and adding other table columns that would be useful for memory scanning, such as PID, we would be able to close this gap. I am wondering what it would be required from Elastic to get this change accepted by osquery.
    s
    f
    • 3
    • 3
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/b890625c8e8347913a647bae63f715eb66e7ea47|b890625c>
    - Revert "Revert "Update Windows runner version in hosted_runners.yml (#8618)"" (#8636) osquery/osquery