osquery-defense-kit/incident_response/sandboxes_macos.sql


-- Lists the application bundle that owns a sandbox label.
--
-- tags: postmortem
-- platform: darwin
SELECT
  -- Postmortem snapshot of the osquery `sandboxes` table: every row, every
  -- column. The wildcard is kept so the collected record follows whatever
  -- schema the running osquery version exposes (columns such as label, user
  -- and bundle_path); downstream consumers should key on column names, not
  -- on column position.
  s.*
FROM
  sandboxes AS s;