Hm, in the fleetdm UI there is a field for macs, “Used by”, which shows an email address that is probably used for iCloud at some point for the host. Does anyone where this data is gathered from?

This data is gathered from Google Chrome profiles

Ah, wow. That’s interesting. Is there an accompanying search that would achieve the same?

Yep, that’s from

google_chrome_profiles

table (docs: https://fleetdm.com/tables/google_chrome_profiles), note that this requires the macadmins osquery extension

I can’t see the table in the fleetdm UI, but the field was filled out. That’s a bit confusing.

that is indeed confusing, does a

select * from google_chrome_profiles;

return any data..

Yup

ah..gotcha, I think that's because

google_chrome_profiles

is an extension table, and not all hosts might have it by default

That makes sort of sense, but we have windows-only tables in the sidebar even though the site I have has zero windows machines. 🙂

right, those are default osquery core tables

Thanks! Is there a way for me to see what tables I actually have? I mean, outside of

show tables

in the database? 🙂

good question, I am not aware of any other than seeing the db, let me try and dig in if there is one

Thanks! I’m setting up this test site to document Fleet and OSquery for others, so most of the users likely won’t have direct DB access. 🙂

this might be a start (https://fleetdm.com/tables) (you can filter by platform up top on that page) -- this shows both the osquery core tables as well as the ones included by fleet

Oh, it shows up there! Of course! It didn’t even occur to me that this would be different from the sidebar. Even if I think we should see them in the sidebar, that’s brilliant, thanks!