<@U017GV5C6AE> you can use the `extended_attribute...
# macosf
fritz
08/23/2020, 3:38 PM@MaxosxOsquery you can use the
extended_attributeswhere_fromsm
MaxosxOsquery
08/23/2020, 8:16 PMThanks let me check
MaxosxOsquery
08/23/2020, 8:39 PMAnyway to get the user_agent details like chrome, mailapp, or curl etc..?
m
Mike Myers
08/25/2020, 5:46 PM Copy code
osquery> select * from extended_attributes WHERE path="/Users/mmyers/Downloads/developerID_application.cer" AND key="quarantine_agent";
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| path | directory | key | value | base64 |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| /Users/mmyers/Downloads/developerID_application.cer | /Users/mmyers/Downloads | quarantine_agent | Safari | 0 |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+👍 1
m
Magneto
08/25/2020, 5:49 PMyou can also query the gatekeeper table, no?
f
fritz
08/25/2020, 6:29 PM@Magneto Only if you have added an ATC config block for lsquarantineeventsv2 database
m
Magneto
08/25/2020, 6:29 PMahhhh, that's right