Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
MoodyMudit
07/14/2021, 7:33 AMHi, is there a way to get process events in windows using osqueryd? I know that we can use process_events table for Linux, but is there something similar for windows too?
s
seph
07/14/2021, 10:52 AMThere's an event in the event log. You can enable that and look for it.
m
MoodyMudit
07/15/2021, 6:11 PMIs there a particular table for that in osquery?
s
seph
07/15/2021, 6:11 PMThe windows_events table
t
theopolis
07/16/2021, 1:05 PMWe do not have a great walk through about how to do this. Here are the flags that you set to enable this data on windows; https://osquery.readthedocs.io/en/stable/installation/cli-flags/#windows-only-events-control-flags
It would be great to have a blog article where someone walks through the end to end of enabling the right windows event channels for process auditing and shows how to tweak and optimize this data.
m
MoodyMudit
07/26/2021, 2:53 PMIt would be great if there was such a walkthrough. Currently, I just wanted to collect process_events, but looks like this table collects all types of logs.