24 lines
577 B
SQL
24 lines
577 B
SQL
-- Recently executed programs
|
|
--
|
|
-- interval: 600
|
|
-- platform: posix
|
|
SELECT
|
|
pe.*,
|
|
-- pe.cwd is often blank
|
|
p.cwd AS delayed_proc_cwd,
|
|
pp.cwd AS delayed_parent_cwd,
|
|
pp.path AS parent_path,
|
|
pp.name AS delayed_parent_name
|
|
FROM
|
|
process_events pe
|
|
LEFT JOIN processes p ON pe.pid = p.pid
|
|
LEFT JOIN processes pp ON pe.parent = pp.pid
|
|
WHERE
|
|
pe.time > (strftime('%s', 'now') -600)
|
|
-- Filter out commands generated by osquery/kolide
|
|
AND pe.cmdline NOT LIKE '/bin/ps -x -o%'
|
|
AND parent_path NOT LIKE '/usr/local/kolide-k2/%/launcher'
|
|
GROUP BY
|
|
pe.pid,
|
|
pe.eid
|