#fleet


CyberUnify

12/20/2021, 12:46 PM
I am trying to extend osquery by searching for windows event viewer event IDs ... is that possible?
Gavin

12/20/2021, 12:56 PM
Yes, however this is an “evented table”: https://osquery.io/schema/5.0.1/#windows_events

    -- Constrained on channel and event ID (string literals single-quoted, eventid is an integer column)
    SELECT data FROM windows_eventlog WHERE channel = 'Security' AND eventid = 4672;

will show results, for example, whereas

    -- Unconstrained: no channel specified
    SELECT data FROM windows_eventlog;

will not; it will need to be appropriately constrained. https://github.com/osquery/osquery/blob/master/specs/windows/windows_events.table