Mustafa 08/01/2018, 2:40 PM
shadejinx 08/01/2018, 4:23 PM
alessandrogario 08/01/2018, 5:07 PM
yuvalapidot 08/16/2018, 7:35 AM
This will select the latest boot time from the Apple System Log data structure. Any thoughts on this query? Will it always work?
SELECT MAX(asl.time) AS boot_time FROM asl WHERE asl.sender = 'bootlog';
fritz 01/22/2019, 5:17 PM
SELECT * FROM system_info WHERE NOT EXISTS (SELECT * FROM processes WHERE name LIKE '%auditd%');
R0n 01/23/2019, 7:11 PM
does not return any results
SELECT * FROM file WHERE filename LIKE '%example%';
fritz 01/24/2019, 7:21 PM
8p8c 02/25/2019, 10:53 PM
R0n 01/10/2020, 8:00 PM
Chris Benninger 05/13/2020, 3:29 PM
Zach Zeid 05/14/2020, 4:55 PM
but I'm getting this error
WITH forbidden_commands(cmd) AS (SELECT * FROM (VALUES ('rsync'), ('ngrok'), ('curl'), ('scp'), ('nc'))) SELECT username, uid, command FROM shell_history JOIN forbidden_commands ON shell_history.command LIKE ('%' || forbidden_commands.cmd || '%') JOIN users USING (uid);
It looks like it is joining against the users table?
W0514 12:24:23.284471 17017 virtual_table.cpp:959] The shell_history table returns data based on the current user by default, consider JOINing against the users table
Zach Zeid 05/15/2020, 5:32 PM
on a schedule, does that read the whole
select * from shell_history
every time, or does it diff it in some way?
fritz 05/28/2020, 1:25 PM
Zach Zeid 05/29/2020, 6:56 PM
Zach Zeid 06/02/2020, 2:54 PM
looking at getting process name for anything in
osquery> SELECT DISTINCT lp.pid, p.name, lp.port, lp.protocol, lp.family FROM listening_ports lp JOIN processes p ON p.pid = lp.pid WHERE lp.family <> '' AND lp.port > 0 AND lp.port NOT IN (80, 443);
that's not 80 or 443?
lvferdi 07/24/2020, 11:35 AM
Julian Scala 10/15/2020, 8:29 PM
fritz 11/02/2020, 3:16 PM
zwass 02/11/2021, 11:10 PM
WS 02/23/2021, 7:33 PM
fritz 04/12/2021, 3:35 PM
SELECT * FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Microsoft\Office\%'
Divya 06/15/2021, 8:10 AM
Will Sheldon 10/27/2021, 8:57 PM
Wes 11/10/2021, 7:34 PM
data structures that represent the tables independently of sqlite. In particular, I'm looking into how
works. Any pointers would be much appreciated! Is there a primer on how tables work under the hood?
Divya 01/04/2022, 1:29 PM
Jon Semon 03/09/2022, 1:30 AM
Chris Delaney 04/12/2022, 7:50 PM
Andreas Piening 05/30/2022, 2:29 PM
statement in some queries where I need to calculate the percentage. For example
I expect the percentage to have
SELECT path, type, ROUND((blocks_available * blocks_size * 10e-10), 2) AS free_gb, ROUND ((blocks_available * 1.0 / blocks * 1.0) * 100, 2) AS free_perc FROM mounts WHERE path = '/';
after the decimal point, but instead I get values like
. Can anyone tell why this is or how I can fix this? These long numbers are hard to read for percentage values.
seph 05/31/2022, 2:07 PM
TimBo 06/09/2022, 8:46 PM
Sorry for the newb question.
SELECT hostname FROM system_info; SELECT address FROM interface_addresses; SELECT version FROM kernel_info;