Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi Community,
I have a kolide server and a single osquery host. (both on separate machines).
Osqueryd is run with root on the host.
host has many other users("user1", "user2"} which perform some actions on the machine.

osquery provides a decorator to "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"

but this one only shows root users in the osquery_result
I would like to know whether its possible to create a decorator where each query is listed with the respective user who performed the action.

for eg: if
"user1" executes "nmap <http://google.com|google.com>" and
"user2" executes "nmap <http://facebook.com|facebook.com>"
osquery should produce a result with respective user labelled.
expected result:
{"cmdline:/usr/bin/nmap", "user":user1}
{"cmdline:/usr/bin/nmap", "user":user2}

I know that some tables like "process_events" have uid to show this parameter.
But I am looking for some other generic solution.
Any help is appreciated. Thanks in advance.

image.png

Decorations are not added to the table schema, they are included as metadata in the `decorations` object with the query results. See the attached photo for an example

If you want to tie processes, etc. to their user you will JOIN the processes table to the users table on the uid column