osquery-defense-kit/incident_response/processes.sql

-- Currently running programs, only the columns that are not constantly changing
--
-- tags: postmortem often
-- platform: posix
SELECT
  pid,
  name,
  path,
  cmdline,
  state,
  cwd,
  root,
  uid,
  gid,
  euid,
  egid,
  suid,
  sgid,
  on_disk,
  start_time,
  parent,
  pgroup,
  threads,
  nice,
  cgroup_path
FROM
  processes
incident response: remove ever-changing columns from process table 2023-02-23 22:12:45 +00:00			`-- Currently running programs, only the columns that are not constantly changing`
Minor adjustments 2022-10-17 21:11:15 +00:00			`--`
fpr: tilt, electron, cilium, write/read improvements 2023-03-24 14:42:06 +00:00			`-- tags: postmortem often`
Minor adjustments 2022-10-17 21:11:15 +00:00			`-- platform: posix`
incident_response: bugfixes across queries 2023-02-24 02:24:52 +00:00			`SELECT`
			`pid,`
incident response: remove ever-changing columns from process table 2023-02-23 22:12:45 +00:00			`name,`
			`path,`
			`cmdline,`
			`state,`
			`cwd,`
			`root,`
			`uid,`
			`gid,`
			`euid,`
			`egid,`
incident_response: bugfixes across queries 2023-02-24 02:24:52 +00:00			`suid,`
incident response: remove ever-changing columns from process table 2023-02-23 22:12:45 +00:00			`sgid,`
			`on_disk,`
			`start_time,`
			`parent,`
			`pgroup,`
			`threads,`
			`nice,`
			`cgroup_path`
incident_response: bugfixes across queries 2023-02-24 02:24:52 +00:00			`FROM`
			`processes`