Eoin Miller

10/24/2019, 2:28 AM
Was playing around a bit with using packs and JSON output. It seems a bit hard to track the outputs to the query that created them. Is there a way to have the output include the name of the query that ran, and also the query logic, by chance? It also looks like it alphabetizes the queries in a pack before executing.
osqueryi --config_path /var/osquery/osquery.conf --pack incident-response --json
Eighth query in the incident-response pack:
"alf": {
      "query" : "select * from alf;",
      "description" : "Retrieves the configuration values for the Application Layer Firewall for OSX.",
      "value" : "Verify firewall settings are as restrictive as you need. Identify unwanted firewall holes made by malware or humans"
}
First output:
[ {"allow_signed_enabled":"1","firewall_unload":"0","global_state":"0","logging_enabled":"1","logging_option":"0","stealth_enabled":"0","version":"1.6"}

10/26/2019, 4:57 AM
I know the TLS logger plugin provides the name of the pack & query in the result