osquery-defense-kit/incident_response/process_memory_map.sql

-- Retrieves the memory map per process
-- platform: posix
-- tags: postmortem
SELECT
  pid,
  permissions,
offset
,
  inode,
  path,
  pseudo
FROM
  process_memory_map
WHERE
  path != ""
GROUP BY
  pid,
  permissions,
offset
,
  inode,
  path,
  pseudo;
Finish out the incident_response refactor 2022-10-19 20:19:53 +00:00			`-- Retrieves the memory map per process`
			`-- platform: posix`
			`-- tags: postmortem`
make reformat 2023-05-08 17:20:47 +00:00			`SELECT`
			`pid,`
Decrease number of rows returned by process_memory_map 2023-02-02 22:47:16 +00:00			`permissions,`
make reformat 2023-05-08 17:20:47 +00:00			`offset`
			`,`
Decrease number of rows returned by process_memory_map 2023-02-02 22:47:16 +00:00			`inode,`
			`path,`
			`pseudo`
make reformat 2023-05-08 17:20:47 +00:00			`FROM`
			`process_memory_map`
			`WHERE`
			`path != ""`
			`GROUP BY`
			`pid,`
Decrease number of rows returned by process_memory_map 2023-02-02 22:47:16 +00:00			`permissions,`
make reformat 2023-05-08 17:20:47 +00:00			`offset`
			`,`
Decrease number of rows returned by process_memory_map 2023-02-02 22:47:16 +00:00			`inode,`
			`path,`
make reformat 2023-05-08 17:20:47 +00:00			`pseudo;`