#windows
manu

04/03/2021, 2:56 AM
osquery> select * from osquery_events;
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| name                                      | publisher                | type       | subscriptions | events | refreshes | active |
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| SysmonEtwEventPublisher                   | SysmonEtwEventPublisher  | publisher  | 23            | 0      | 0         | 1      |
| WindowsEventLogPublisher                  | WindowsEventLogPublisher | publisher  | 2             | 0      | 0         | 1      |
| ntfs_event_publisher                      | ntfs_event_publisher     | publisher  | 0             | 0      | 0         | 0      |
| ntfs_journal_events                       | ntfs_event_publisher     | subscriber | 0             | 0      | 0         | 1      |
| powershell_events                         | WindowsEventLogPublisher | subscriber | 1             | 0      | 0         | 1      |
| sysmon_clipboard_events                   | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_dnsquery_events                    | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_driver_loaded_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_file_created_events                | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_file_delete_events                 | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_filestream_created_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_image_load_events                  | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_network_connection_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_pipe_connected_events              | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_pipe_created_events                | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_accessed_events            | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_create_events              | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_tampering_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_terminate_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_raw_access_read_events             | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_added_deleted_events      | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_renamed_events            | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_valueset_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_remote_thread_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_service_state_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_consumer_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_consumer_to_filter_events | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_filtering_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| windows_events                            | WindowsEventLogPublisher | subscriber | 1             | 0      | 0         | 1      |
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+
arod

04/07/2021, 7:35 PM
Very cool. I plan on adding sysmon next. Any tips/tricks on where to start? I'd love to query and use sysmon data.