osquery-defense-kit/incident_response
Thomas Stromberg c6eec0ee17 Query tuning after Geacon testing 2023-05-17 10:54:16 -04:00
README.md Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
account_policy_data-macos.sql make reformat 2023-05-08 13:20:47 -04:00
alf.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_exceptions_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_explicit_auths_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
alf_services.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
app_schemes.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
apps.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
authorization_mechanisms-macos.sql make reformat 2023-05-08 13:20:47 -04:00
authorizations-macos.sql make reformat 2023-05-08 13:20:47 -04:00
authorized_keys.sql make reformat 2023-05-08 13:20:47 -04:00
block_devices.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
certificates.sql make reformat 2023-05-08 13:20:47 -04:00
chrome_extension_content_scripts.sql make reformat 2023-05-08 13:20:47 -04:00
chrome_extensions.sql make reformat 2023-05-08 13:20:47 -04:00
crashes-macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
crontab.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
deb_packages.sql make reformat 2023-05-08 13:20:47 -04:00
disk_encryption.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
disk_events_macos.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
dns_resolvers.sql Missing a ; 2022-10-20 14:16:17 -04:00
docker_container_mounts.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
docker_container_ports.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
docker_container_processes.sql make reformat 2023-05-08 13:20:47 -04:00
docker_containers.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
docker_image_history.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
docker_images.sql make reformat 2023-05-08 13:20:47 -04:00
es_process_events.sql make reformat 2023-05-08 13:20:47 -04:00
etc_hosts.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
event_taps_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
file_events.sql Collect recent file events 2023-05-12 16:35:00 -04:00
files-dev.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
files-downloads.sql Query tuning after Geacon testing 2023-05-17 10:54:16 -04:00
files-etc.sql make reformat 2023-05-08 13:20:47 -04:00
files-recently-written.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
firefox_addons.sql make reformat 2023-05-08 13:20:47 -04:00
gatekeeper_approved_apps_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
groups.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
hardware_events.sql make reformat 2023-05-08 13:20:47 -04:00
homebrew-packages-macos.sql make reformat 2023-05-08 13:20:47 -04:00
interface_addresses.sql make reformat 2023-05-08 13:20:47 -04:00
interface_details.sql make reformat 2023-05-08 13:20:47 -04:00
interface_ipv6.sql make reformat 2023-05-08 13:20:47 -04:00
iokit-registry-macos.sql make reformat 2023-05-08 13:20:47 -04:00
ip_forwarding.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
iptables.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
kernel_info.sql make reformat 2023-05-08 13:20:47 -04:00
kernel_modules_linux.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
kernel_panics-macos.sql make reformat 2023-05-08 13:20:47 -04:00
kextstat_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
known_hosts.sql make reformat 2023-05-08 13:20:47 -04:00
last.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
launchd_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
launchd_overrides_macos.sql make reformat 2023-05-08 13:20:47 -04:00
listening_ports.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
logged_in_users.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
loginwindow1.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow2.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow3.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
loginwindow4.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
memory_map.sql clarify macOS coverage 2023-05-12 11:08:59 -04:00
mounts.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
npm_packages.sql make reformat 2023-05-08 13:20:47 -04:00
nvram-macos.sql make reformat 2023-05-08 13:20:47 -04:00
open_files.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
open_sockets.sql Add missing files 2022-10-19 16:56:43 -04:00
os_version.sql make reformat 2023-05-08 13:20:47 -04:00
package_install_history_macos.sql make reformat 2023-05-08 13:20:47 -04:00
package_receipts_macos.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
platform_info.sql make reformat 2023-05-08 13:20:47 -04:00
preferences_macos.sql make reformat 2023-05-08 13:20:47 -04:00
process_env.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
process_events.sql Collect more file data 2023-05-12 16:17:10 -04:00
process_memory_map.sql make reformat 2023-05-08 13:20:47 -04:00
process_open_files.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
process_open_pipes.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
process_open_sockets.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
processes.sql fpr: tilt, electron, cilium, write/read improvements 2023-03-24 10:42:06 -04:00
recent_items_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
rpm_packages.sql make reformat 2023-05-08 13:20:47 -04:00
running_apps_macos.sql make reformat 2023-05-08 13:20:47 -04:00
safari_extensions_macos.sql make reformat 2023-05-08 13:20:47 -04:00
sandboxes_macos.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
seccomp_events.sql incident_response: bugfixes across queries 2023-02-23 21:24:52 -05:00
selinux_events.sql make reformat 2023-05-08 13:20:47 -04:00
shadow.sql make reformat 2023-05-08 13:20:47 -04:00
shared_memory.sql Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
shell_history.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
sip_config.sql make reformat 2023-05-08 13:20:47 -04:00
socket_events.sql Fix bug 2023-05-12 16:26:44 -04:00
ssh_configs.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
startup_items.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
suid_bin.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00
syslog_events.sql make reformat 2023-05-08 13:20:47 -04:00
system_controls.sql make reformat 2023-05-08 13:20:47 -04:00
systemd_units.sql reformat SQL queries 2022-10-20 09:11:29 -04:00
unified_log_macos.sql make reformat 2023-05-08 13:20:47 -04:00
usb_devices.sql make reformat 2023-05-08 13:20:47 -04:00
user_events.sql make reformat 2023-05-08 13:20:47 -04:00
user_ssh_keys.sql Add many new incident response queries 2023-02-23 09:35:38 -05:00
users.sql reformat SQL queries 2022-10-20 09:11:29 -04:00
xprotect_reports.sql Finish out the incident_response refactor 2022-10-19 16:19:53 -04:00

README.md

The incident_response queries originate from the upstream osquery project:

https://github.com/osquery/osquery/blob/master/packs/incident-response.conf

Additional tables have been added and the intervals have been modified.