I have a question for the group about OSQuery timestamps, in particular Im trying to understand the timestamps for respective command line entries in the shell_history table Sometimes I get data back that has an empty string for the

time

value. If 0 is the default why would this show as empty?

""

This is causing problems for us because we are receiving alerts on command line events that realistically occurred more than 1 year ago and have already been worked and triaged, but we can't make that determination just by looking at the shell_history table. We have thought about using file integrity monitoring on shell_history files in order to get access to the file_events table data and combine the two tables to give an idea about the last time the shell_history file actually modified, but this seems like overkill and I was hoping someone might have a more elegant solution.

probably a bug, this line could be the cause: https://github.com/facebook/osquery/blob/master/osquery/tables/system/posix/shell_history.cpp#L64

thanks

Yeah that line should probably be something like

r["time"] = timestamp.empty() ? INTEGER(0) : INTEGER(timestamp);