osquery-defense-kit/incident_response/process-files.sql

-- Returns information about running processes(non-hidden only)
--
-- tags: postmortem
-- platform: linux
SELECT GROUP_CONCAT(processes.pid) AS processes,
GROUP_CONCAT(processes.name) AS names,
file.*, hash.sha256,
magic.data
FROM processes
LEFT JOIN file ON processes.path = file.path
LEFT JOIN hash ON processes.path = hash.path
LEFT JOIN magic ON processes.path = magic.path
GROUP BY processes.path
Rename files-from-proc to process-files. 2023-02-23 22:11:35 +00:00			`-- Returns information about running processes(non-hidden only)`
Add many new incident response queries 2023-02-23 14:35:38 +00:00			`--`
			`-- tags: postmortem`
			`-- platform: linux`
			`SELECT GROUP_CONCAT(processes.pid) AS processes,`
			`GROUP_CONCAT(processes.name) AS names,`
			`file.*, hash.sha256,`
Rename files-from-proc to process-files. 2023-02-23 22:11:35 +00:00			`magic.data`
Add many new incident response queries 2023-02-23 14:35:38 +00:00			`FROM processes`
			`LEFT JOIN file ON processes.path = file.path`
			`LEFT JOIN hash ON processes.path = hash.path`
			`LEFT JOIN magic ON processes.path = magic.path`
			`GROUP BY processes.path`