#macos

bashoneliner

05/28/2020, 1:02 PM
Hi all. Have a question: I noticed that some GUI apps are not present in the process_events table. For example, I cannot see Microsoft Word/Excel or Pages being launched; I do, however, see some "helper" process events from things like Slack, Chrome, everything run from the command line, etc. I don't use any filters and just used `select * from process_events;`. However, if I'm cross-checking execve events via Crescendo (https://github.com/SuprHackerSteve/Crescendo), which uses the Endpoint Security Framework, I see GUI app launches in the logs, i.e.
```
Event Type: process::exec
Process: /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
Pid: 7897 (Parent) -> 1
User: xxxxxxxxx
Timestamp: 1590670734433
Platform Binary: false
Signing ID: com.microsoft.Word
Props:
{
    action = "ES_AUTH_RESULT_ALLOW";
    argc = 1;
    argv = "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word ";
    isplatformbin = false;
    ppid = 1;
    signingid = "com.microsoft.Word";
    size = 39892064;
    teamid = UBF8T346G9;
}
```
I’m on osquery 4.3.0 and MacOS 10.15.4 if that helps.

sharvil

05/29/2020, 6:27 AM
Hey @bashoneliner can you double check? I am having a hard time reproducing it:
osquery> select pid, path, cmdline from process_events where path LIKE '/Applications/%';
    pid = 56813
   path = /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
cmdline = /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word

    pid = 56814
   path = /Applications/Microsoft Word.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2
cmdline = /Applications/Microsoft Word.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2

    pid = 56821
   path = /Applications/Pages.app/Contents/MacOS/Pages
cmdline = /Applications/Pages.app/Contents/MacOS/Pages
osquery>
The only difference is that I am on 10.5.3

bashoneliner

05/29/2020, 7:42 AM
Yeah, I just checked once again, after a reboot:
sudo osqueryi  --disable_audit=false --events_expiry=1 --events_max=50000  --disable_events=false
Using a virtual database. Need help, type '.help'
osquery> select pid, path, cmdline from process_events where path LIKE '/Applications/%';
osquery>