defensivedepth11/29/2022, 6:42 PM
@Marcos Oviedo et al.
exclude processes that look like svchost.exe -k
Samuel Roach12/07/2022, 11:45 AM
Jack01/03/2023, 6:49 AM
Priya Jagyasi01/13/2023, 10:26 AM
Priya Jagyasi01/17/2023, 10:51 AM
I then used --disable_events=0 as said in this doc https://osquery.readthedocs.io/en/stable/deployment/debugging/ but got the same error. Any thoughts?
Table windows_events is event-based but events are disabled
Priya Jagyasi01/20/2023, 8:55 AM
Jenny02/01/2023, 10:50 PM
Jenny02/02/2023, 7:05 PM
Arsenio02/08/2023, 5:16 PM
Sandeep Shamboo02/21/2023, 9:31 AM
Bhargav koduru02/22/2023, 10:47 AM
Arsenio03/07/2023, 3:32 PM
But I am looking to just pull everything from the Security channel, but from my understanding you can wildcard an integer. So something like:
SELECT * FROM windows_eventlog WHERE eventid=4720 AND channel='Security'
SELECT * FROM windows_eventlog WHERE eventid=% AND channel='Security'
Kunal03/20/2023, 4:50 AM
Is this a bug? Thanks, Kunal
C:\Program Files\osquery>osqueryi --disable-events=false --enable_process_etw_events=true
W0320 10:04:49.862340 9200 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
Using a virtual database. Need help, type '.help'
osquery> select * from shared_resources;
E0320 10:04:57.237459 9200 shared_resources.cpp:54] The following WMI query could not be constructed: SELECT * FROM Win32_Share. enum osquery::WmiError (WmiRequest creation failed in ExecQuery)
Ignacio03/29/2023, 9:02 AM
Get-Content <target_file> -Stream Zone.Identifier
Kunal04/10/2023, 7:58 AM
Mert04/16/2023, 8:00 PM
Bibek Chaudhary05/19/2023, 11:15 AM
Is there a way to modify the paths for "Pidfile" and "Osquery.db" during the installation process?
path_to_custom_osquery\osqueryd\osqueryd.exe --flagfile=path_to_custom_osquery\osquery.flags --config_path=path_to_custom_osquery\osquery.conf --logger_path=path_to_custom_osquery\log --pidfile=path_to_custom_osquery\osqueryd.pidfile --database_path=path_to_custom_osquery\osquery.db
Anuj Kharbanda05/19/2023, 1:29 PM
table: When an application has crashed during the login session of user A and I access the table from the same user A, I can read this data. But when I try to access the data from this user:
(This is the local system account that has unrestricted access to all local system resources.), I am not able to fetch data from this table. I am able to fetch data from all other tables using this account/user. Is there a way I can access the data in this table using this account/user only?
• Regarding
table: When an application has not been running for a long time, the data for that application/process is not available in this table. If we close the application now, the data is available after a few hours but not after a long time. The use case is to fetch the last access time of an application (even if it was last used a few days back). Or is there some other way to fetch this metric using osquery? It would be helpful if I can get some insights on the above queries. Thanks.
Mert06/04/2023, 10:54 PM
select * from running_apps where is_active = 1
Guido Caffa06/16/2023, 5:49 PM
Collin06/17/2023, 2:30 PM
Guido Caffa06/21/2023, 11:57 AM
Maksim07/05/2023, 9:40 AM
CyberUnify07/21/2023, 11:08 AM
Habtamu Girum08/24/2023, 8:10 PM
Failed to get a handle to the following volume: \\\\.\\/:. Terminating...