# fleet
c
I am trying to extend osquery by searching for windows event viewer event IDs ... is that possible?
g
Yes however this is an “evented table” https://osquery.io/schema/5.0.1/#windows_events
```sql
SELECT data FROM windows_eventlog WHERE channel = 'Security' AND eventid = '4672';
```
will show results, for example, whereas
```sql
SELECT data FROM windows_eventlog;
```
will not; it will need to be appropriately constrained. https://github.com/osquery/osquery/blob/master/specs/windows/windows_events.table