#kolide
manikant singh

10/02/2020, 12:45 PM
Hi Community, I have a kolide server and a single osquery host (both on separate machines). osqueryd is run as root on the host. The host has many other users ("user1", "user2") which perform some actions on the machine. osquery provides a decorator to "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" but this one only shows the root user in the osquery_result. I would like to know whether it's possible to create a decorator where each query is listed with the respective user who performed the action. For example, if "user1" executes "nmap google.com" and "user2" executes "nmap facebook.com", osquery should produce a result with the respective user labelled. Expected result: {"cmdline":"/usr/bin/nmap", "user":user1} {"cmdline":"/usr/bin/nmap", "user":user2} I know that some tables like "process_events" have uid to show this parameter, but I am looking for some other generic solution. Any help is appreciated. Thanks in advance.
sundsta

10/02/2020, 3:51 PM
Decorations are not added to the table schema; they are included as metadata in the decorations object with the query results. See the attached photo for an example.
3:52 PM
If you want to tie processes, etc. to their user you will JOIN the processes table to the users table on the uid column.
manikant singh

10/02/2020, 5:21 PM
ok, thanks