https://github.com/osquery/osquery logo
Powered by
Title
s

Setu Bhatt

03/02/2023, 9:30 PM
Hello - Anyone know how can I retrieve history of the queries ran by a user via API. I can retrieve saved queries just fine from 
/api/v1/fleet/queries
but when someone just runs a query and doesn't saves it.
k

Kathy Satterlee

03/02/2023, 9:32 PM
Hi @Setu Bhatt! Recent versions of Fleet include this information in the activity feed.
I'll update the exampke response in the docs.
This is what that looks like now: 
{
            "created_at": "2023-03-02T20:29:18Z",
            "id": 6391,
            "actor_full_name": "r",
            "actor_id": 135,
            "actor_gravatar": "",
            "actor_email": "",
            "type": "live_query",
            "details": {
                "query_sql": "SELECT * FROM managed_policies;",
                "query_name": "Get macOS settings ",
                "targets_count": 35
            }
        },
s

Setu Bhatt

03/02/2023, 9:38 PM
Thanks @Kathy Satterlee So I guess 
"type": "live_query"
will show a list of all the queries ran(without saving the query) by any user who has access to fleet
k

Kathy Satterlee

03/02/2023, 9:39 PM
Every live query will generate one of the entries above.
s

Setu Bhatt

03/02/2023, 9:41 PM
Ok got it. So if I run api call today then I should be able to see a list of all queries executed by users from yesterday
I am trying to see how a security analyst can track activity of users running queries in fleet if the query is not saved
k

Kathy Satterlee

03/02/2023, 9:42 PM
That would be the way to do it 🙂
With Fleet Premium, you also have the option to set up a logging destination for audit logs: https://fleetdm.com/docs/using-fleet/audit-activities
s

Setu Bhatt

03/02/2023, 9:44 PM
Sweet. We are currently running version 3.13.0 of fleet. Do you have recommendations on which version we should upgrade to?
k

Kathy Satterlee

03/02/2023, 9:44 PM
I'm always going to recommend the most recent version, which is 4.28.0
s

Setu Bhatt

03/02/2023, 9:46 PM
Good to know.
Thanks for the information
Hi @Kathy Satterlee We are currently running Fleet 3.13.0 and I tried to query 
"/api/v1/fleet/activities"
and I am seeing "404 page not found" in return. Is it expected as we are on older version of Fleet and "`"/api/v1/fleet/activities"`" was not supported on 3.13.0?
k

Kathy Satterlee

03/06/2023, 8:04 PM
Yes, the activity feed was introduced in Fleet v 4.1.0
s

Setu Bhatt

03/06/2023, 8:05 PM
That makes sense @Kathy Satterlee Thanks for the verification.
cc @Antony Rivera
k

Kathy Satterlee

03/06/2023, 8:09 PM
No problem. If you would like to get Fleet up-to-date, the release articles have a lot of great information about new and improved features. You're also welcome to ask if you have any questions :)
s

Setu Bhatt

03/06/2023, 8:11 PM
That sounds good. Will do that 🙂
#fleetJoin Slack
Powered by