Question here! Does anyone knows exactly what the

protection_status

column on

bitlocker_info

represents? I am trying to figure a query that gets either if Bitlocker is enabled or not. I was using that column to be

1

as Bitlocker is enabled but now I am seeing results with

0

but Bitlocker is in fact enabled.

Has that always been the experience?

lol, ok, ok

Hi #windows I am trying to run a query that can check the status of all columns in the windows_security_center_services table. I build the following query, but I am wondering if there is a more optimal way to do it, since the status I am trying to check is the same, so I can avoid repetition. The status for all services should be "Good".

*SELECT* firewall, autoupdate, antivirus, antispyware, internet_settings, windows_security_center_service, user_account_control *FROM* windows_security_center *WHERE* firewall *LIKE 'Good' AND* autoupdate *LIKE 'Good' AND* antivirus *LIKE 'Good' AND* antispyware *LIKE 'Good' AND* internet_settings *LIKE 'Good' AND* windows_security_center_service *LIKE 'Good' AND* user_account_control *LIKE 'Good';*

Hello is it possible to get from OsQuery events asynchonously without periodic querying? For example process creation, file modifications etc? My idea is trigger specifix queries based on this async events, if OsQuery can provide them. Thank You.

Hello everyone, I'm running command for remote configuration with my server using this argument (following this document https://osquery.readthedocs.io/en/stable/deployment/remote/)

--host_identifier=uuid

So, this will be resulted as uuid from

select uuid from system_info

. But now, I would like to send my own id, ex:

--host_identifier=abcdefgh

This will make the osquery use

host_name

to fill in

host_identifier

field. In summary, could I send my own id for this

host_identifier

field? and how could I do that? Thank you very much!

Wanted to utilize osquery on all devices and send over all logs to cloud solutions such as AWS as part of aggregation and querying?what is the best/quickest and repeatable way to do this?

When i run

osqueryd.exe

as a process I am able to enroll my windows host. But when i configure a

service

. Same host doesn't come online in my Kolide web console. I have also enabled

Windows Event Log support

as described here. Event logs also doesn't show any entries. Where to look for further troubleshooting? PS: I'm using

manage-osqueryd.ps1

for configuring the my service.

@fritz - https://github.com/osquery/osquery/issues/6719

Ah... I see, looks like this was supposed to have been addressed by @alessandrogario in the recent ebpf work (https://github.com/osquery/osquery/blob/master/libraries/cmake/source/thrift/CMakeLists.txt#L96)

I apologize if this is somewhat off topic, but I was curious if anyone could share any good ideas on what products or solutions they may use for command execution? We manage a fleet of disparate operating systems (primarily Windows) and I have been hoping to make a case internally to move away from our current "all in one" solution to shift to a combination of osquery/fleet with some type of command execution (similar to salt). Ideally I'd like to integrate the two so if an event like disk space condition or service failure fires from an osquery pack fires, an action can be taken against the machine.

My problem is that the systems will need to be internet facing and security is the largest concern. I read it is not recommended to expose salt masters to the internet so I was hoping for some insight.

Hello All, are we able to download files from client system,or interact with UsrJournal or MFT utilizing OSQuery?

Hello All,was able to deploy a fleet server on AWS, wanted to enroll in local Windows clients ,1 or 2 at the beginning and 1000's of the later on how should I proceed?

Specifically: Could not create file: \\Program Files\\osquery\\log\\osqueryd.results.log"

If they’re in the registry, osquery will return them. If it’s not, that would be a bug that should be fixed.

theoretically "image" would allow for this, what with the "Path to driver image file" description of the column, but it's entirely empty on Win10-2004

To add some more details:

W1123 14:02:02.860316  1260 tls.cpp:101] Cannot read TLS server certificate(s): 'C:\Program files\osquery\certs\<cert_pem>'
W1123 14:02:02.875946  1260 tls_enroll.cpp:77] Failed enrollment request to https://<tls_host_fqdn>/osquery/enroll (Request error: certificate verify failed) retrying...

I installed osquery as a service

choco install osquery --params=/InstallService

.

About to dig into some testing with yara on windows. Does anyone know if the sigfile accepts more than one file? Can I use

sigfile LIKE 'c:\path\to\yara\%.yar

?

anyone seen anything like this?

PS C:\Windows\System32\WindowsPowerShell\v1.0> osqueryi
osqueryi : Error: incomplete SQL: 

I don't know why osquery seems to think i'm passing in some garbage arguments or something.

Hello everyone 🙂 I am trying to obtain the hash of a file that resides on a shared drive, but for some reason when I run my query it does not return any results. Are there any limitations with using the hash table against files on a shared drive? I am able to list all of the files in the directory and I know the query is good. Oddly when I attempt to hash all of the files in the directory it only successfully hashes one of the files (out of 5), but not the one I need. Any insight?

This seems to suggest you would be right:

if(NOT SKIP_TSK AND NOT WINDOWS)
    list(APPEND TABLE_CATEGORIES "sleuthkit")
  endif()

Sadly, I am but a simple farmer, with no C++ competency, so I cannot speculate as to why the behavior is occurring and whether or not it qualifies as unintended. That being said, I think there is probably no harm in filing an Issue in GitHub.

Hey guys, has anyone used the 'ntfs_acl_permissions' table? Can't seem to figure out how it should be used, 

select * from ntfs_acl_permissions where path LIKE

  with any path or file doesn't seem to give any results.

Is anyone using OSquery to find

missing windows patches

? How are you going about it since

patches

table only return installed patches

May I ask to point me to the engineer working on https://github.com/osquery/osquery/pull/6875/files/5bff4e1a7e9e1e4404f8c496d14c173a972abba6?

hi, i see atom_packages table supported in 4.5.0 for windows as per https://osquery.io/schema/4.5.0#atom_packages but, on 4.5.0 osquery shell, i get error

Error: no such table: atom_packages

please confirm if i am missing something. thanks.

Hi all, the default MSI provided overwrites the .flags file during upgrade. Is there any way to avoid it from wiping it? Its an empty file anyway so it would be great if it would keep whatever is there or generate a new blank one if doesn't exist

When running the query

select user_account_control as value from windows_security_center;

via osqueryi it returns

Good

, but when run from a tls config it consistently returns

Poor

I've checked these within a few minutes of the query running, anyone seen this?

Any idea why I have powershell script logging enabled but I'm not getting anything on

select * from powershell_events;