Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi. I'm testing osquery on a Mac, and I wanted trigger an event on new ssh connections or logins. I've been looking at process_open_sockets and trying to filter by port 22, but I don't see it. Any idea on which table I should be looking at?

I see logged_in_users but it doesn't exactly show ssh_connections

```SELECT DISTINCT processes.uid, process_open_sockets.pid, 
                       process_open_sockets.remote_address,
	               process_open_sockets.local_port, 
                       process_open_sockets.remote_port
		    FROM process_open_sockets INNER JOIN processes 
                    WHERE processes.pid=process_open_sockets.pid
		       AND processes.uid=0 
                       AND process_open_sockets.remote_address &lt;&gt; "" 
                       AND process_open_sockets.remote_address &lt;&gt; "0.0.0.0" 
                       AND process_open_sockets.remote_address &lt;&gt; "10.0.2.2" 
                       AND process_open_sockets.remote_address &lt;&gt; "::";```
