Title
#macos
f

fritz

08/23/2020, 3:38 PM
@MaxosxOsquery you can use the
extended_attributes
table to look for
where_froms
data
m

MaxosxOsquery

08/23/2020, 8:16 PM
Thanks let me check
8:39 PM
Anyway to get the user_agent details like chrome, mailapp, or curl etc..?
Mike Myers

Mike Myers

08/25/2020, 5:46 PM
osquery> select * from extended_attributes WHERE path="/Users/mmyers/Downloads/developerID_application.cer" AND key="quarantine_agent";
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| path                                                | directory               | key              | value  | base64 |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| /Users/mmyers/Downloads/developerID_application.cer | /Users/mmyers/Downloads | quarantine_agent | Safari | 0      |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
Magneto

Magneto

08/25/2020, 5:49 PM
you can also query the gatekeeper table, no?
f

fritz

08/25/2020, 6:29 PM
@Magneto Only if you have added an ATC config block for lsquarantineeventsv2 database
Magneto

Magneto

08/25/2020, 6:29 PM
ahhhh, that's right