From ab7ebabbb4b269fea7a2750bce2bf3f6abe47689 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 15 Nov 2023 10:22:36 -0500 Subject: [PATCH] Osquery: Update exported fields reference for osquery 5.10.2 (#171147) ## Summary Update exported fields reference for osquery 5.10.2. ## Related PR - Requires https://github.com/elastic/beats/pull/37115 - Requires https://github.com/elastic/integrations/pull/8488 --- .../exported-fields-reference.asciidoc | 184 ++++++++++++++++++ 1 file changed, 184 insertions(+) diff --git a/docs/osquery/exported-fields-reference.asciidoc b/docs/osquery/exported-fields-reference.asciidoc index fc16ec3e0d9d0..b3127f2ad48cf 100644 --- a/docs/osquery/exported-fields-reference.asciidoc +++ b/docs/osquery/exported-fields-reference.asciidoc @@ -96,6 +96,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _wifi_networks.added_at_ - Time this network was added as a unix_time +*additional_properties* - keyword, text.text + +* _windows_search.additional_properties_ - Comma separated list of columns to include in properties JSON + *address* - keyword, text.text * _arp_cache.address_ - IPv4 address target @@ -141,6 +145,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _alf.allow_signed_enabled_ - 1 If allow signed mode is enabled else 0 +*ambient_brightness_enabled* - keyword, text.text + +* _connected_displays.ambient_brightness_enabled_ - The ambient brightness setting associated with the display. This will be 1 if enabled and is 0 if disabled or not supported. + *ami_id* - keyword, text.text * _ec2_instance_metadata.ami_id_ - AMI ID used to launch this EC2 instance @@ -583,6 +591,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *bundle_version* - keyword, text.text * _apps.bundle_version_ - Info properties CFBundleVersion label +* _safari_extensions.bundle_version_ - The version of the build that identifies an iteration of the bundle *busy_state* - keyword, number.long @@ -777,11 +786,16 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _ntdomains.client_site_name_ - The name of the site where the domain controller is configured. +*cloud_id* - keyword, text.text + +* _ycloud_instance_metadata.cloud_id_ - Cloud identifier for the VM + *cmdline* - keyword, text.text * _bpf_process_events.cmdline_ - Command line arguments * _docker_container_processes.cmdline_ - Complete argv * _es_process_events.cmdline_ - Command line arguments (argv) +* _process_etw_events.cmdline_ - Command Line * _process_events.cmdline_ - Command line arguments (argv) * _processes.cmdline_ - Complete argv @@ -973,6 +987,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _interface_details.connection_status_ - State of the network adapter connection to the network. +*connection_type* - keyword, text.text + +* _connected_displays.connection_type_ - The connection type associated with the display. + *consistency_scan_date* - keyword, number.long * _time_machine_destinations.consistency_scan_date_ - Consistency scan date @@ -1024,6 +1042,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *copyright* - keyword, text.text * _apps.copyright_ - Info properties NSHumanReadableCopyright label +* _safari_extensions.copyright_ - A human-readable copyright notice for the bundle *core* - keyword, number.long @@ -1088,6 +1107,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _docker_info.cpu_shares_ - 1 if CPU share weighting support is enabled. 0 otherwise +*cpu_sockets* - keyword, number.long + +* _system_info.cpu_sockets_ - Number of processor sockets in the system + *cpu_spec_ctrl_supported* - keyword, number.long * _kva_speculative_info.cpu_spec_ctrl_supported_ - SPEC_CTRL MSR supported by CPU Microcode. @@ -1236,10 +1259,19 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _platform_info.date_ - Self-reported platform code update date * _windows_update_history.date_ - Date and the time an update was applied +*date_created* - keyword, number.long + +* _windows_search.date_created_ - The unix timestamp of when the item was created. + +*date_modified* - keyword, number.long + +* _windows_search.date_modified_ - The unix timestamp of when the item was last modified + *datetime* - keyword, text.text * _crashes.datetime_ - Date/Time at which the crash occurred * _powershell_events.datetime_ - System time at which the Powershell script event occurred +* _process_etw_events.datetime_ - Event timestamp in DATETIME format * _syslog_events.datetime_ - Time known to syslog * _time.datetime_ - Current date and time (ISO format) in UTC * _windows_crashes.datetime_ - Timestamp (log format) of the crash @@ -1306,6 +1338,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _drivers.description_ - Driver description * _firefox_addons.description_ - Addon-supplied description string * _interface_details.description_ - Short description of the object a one-line string. +* _kernel_keys.description_ - The key description. * _keychain_acls.description_ - The description included with the ACL entry * _keychain_items.description_ - Optional item description * _logical_drives.description_ - The canonical description of the drive, e.g. 'Logical Fixed Disk', 'CD-ROM Disk'. @@ -1481,11 +1514,19 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _docker_container_stats.disk_write_ - Total disk write bytes +*display_id* - keyword, text.text + +* _connected_displays.display_id_ - The display ID. + *display_name* - keyword, text.text * _apps.display_name_ - Info properties CFBundleDisplayName label * _services.display_name_ - Service Display name +*display_type* - keyword, text.text + +* _connected_displays.display_type_ - The type of display. + *dns_domain* - keyword, text.text * _interface_details.dns_domain_ - Organization name followed by a period and an extension that indicates the type of organization, such as 'microsoft.com'. @@ -1607,6 +1648,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _file_events.eid_ - Event ID * _hardware_events.eid_ - Event ID * _ntfs_journal_events.eid_ - Event ID +* _process_etw_events.eid_ - Event ID * _process_events.eid_ - Event ID * _process_file_events.eid_ - Event ID * _selinux_events.eid_ - Event ID @@ -1837,6 +1879,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _bpf_process_events.exit_code_ - Exit code of the system call * _bpf_socket_events.exit_code_ - Exit code of the system call * _es_process_events.exit_code_ - Exit code of a process in case of an exit event +* _process_etw_events.exit_code_ - Exit Code - Present only on ProcessStop events *expand* - keyword, number.long @@ -1854,6 +1897,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _curl_certificate.extended_key_usage_ - Extended usage of key in certificate +*extension_type* - keyword, text.text + +* _safari_extensions.extension_type_ - Extension Type: WebOrAppExtension or LegacyExtension + *extensions* - keyword, text.text * _osquery_info.extensions_ - osquery extensions status @@ -1865,6 +1912,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *extra* - keyword, text.text * _asl.extra_ - Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h. +* _os_version.extra_ - Optional extra release specification * _platform_info.extra_ - Platform-specific additional information *facility* - keyword, text.text @@ -2018,8 +2066,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _device_partitions.flags_ - * _dns_cache.flags_ - DNS record flags * _interface_details.flags_ - Flags (netdevice) for the device +* _kernel_keys.flags_ - A set of flags describing the state of the key. * _mounts.flags_ - Mounted device flags * _pipes.flags_ - The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes +* _process_etw_events.flags_ - Process Flags * _routes.flags_ - Flags to describe route *folder_id* - keyword, text.text @@ -2107,6 +2157,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _file.gid_ - Owning group ID * _file_events.gid_ - Owning group ID * _groups.gid_ - Unsigned int64 group ID +* _kernel_keys.gid_ - The group ID of the key. * _package_bom.gid_ - Expected group of file or directory * _process_events.gid_ - Group ID at process start * _process_file_events.gid_ - The gid of the process performing the action @@ -2240,6 +2291,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _sudoers.header_ - Symbol for given rule +*header_pid* - keyword, number.long + +* _process_etw_events.header_pid_ - Process ID of the process reporting the event + *header_size* - keyword, number.long * _smbios_tables.header_size_ - Header size in bytes @@ -3081,6 +3136,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _magic.magic_db_files_ - Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc +*main* - keyword, number.long + +* _connected_displays.main_ - If the display is the main display. + *maintainer* - keyword, text.text * _apt_sources.maintainer_ - Repository maintainer @@ -3098,6 +3157,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _lxd_networks.managed_ - 1 if network created by LXD, 0 otherwise +*mandatory_label* - keyword, text.text + +* _process_etw_events.mandatory_label_ - Primary token mandatory label sid - Present only on ProcessStart events + *manifest_hash* - keyword, text.text * _chrome_extensions.manifest_hash_ - The SHA256 hash of the manifest.json file @@ -3114,6 +3177,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _battery.manufacture_date_ - The date the battery was manufactured UNIX Epoch +*manufactured_week* - keyword, number.long + +* _connected_displays.manufactured_week_ - The manufacture week of the display. This field is 0 if not supported + +*manufactured_year* - keyword, number.long + +* _connected_displays.manufactured_year_ - The manufacture year of the display. This field is 0 if not supported + *manufacturer* - keyword, text.text * _battery.manufacturer_ - The battery manufacturer's name @@ -3170,6 +3241,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _pipes.max_instances_ - The maximum number of instances creatable for this pipe +*max_results* - keyword, number.long + +* _windows_search.max_results_ - Maximum number of results returned by windows api, set to -1 for unlimited + *max_rows* - keyword, number.long * _unified_log.max_rows_ - the max number of rows returned (defaults to 100) @@ -3258,6 +3333,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _memory_info.memory_available_ - The amount of physical RAM, in bytes, available for starting new applications, without swapping +*memory_cached* - keyword, number.long + +* _docker_container_stats.memory_cached_ - Memory cached + *memory_device_handle* - keyword, text.text * _memory_device_mapped_addresses.memory_device_handle_ - Handle of the memory device structure associated with this structure @@ -3400,6 +3479,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _battery.minutes_until_empty_ - The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated +*mirror* - keyword, number.long + +* _connected_displays.mirror_ - If the display is mirrored or not. This field is 1 if mirrored and 0 if not mirrored. + *mirrorlist* - keyword, text.text * _yum_sources.mirrorlist_ - Mirrorlist URL @@ -3515,6 +3598,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _browser_plugins.name_ - Plugin display name * _chocolatey_packages.name_ - Package display name * _chrome_extensions.name_ - Extension display name +* _connected_displays.name_ - The name of the display. * _cups_destinations.name_ - Name of the printer * _deb_packages.name_ - Package name * _disk_encryption.name_ - Disk name @@ -3580,6 +3664,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _temperature_sensors.name_ - Name of temperature source * _windows_firewall_rules.name_ - Friendly name of the rule * _windows_optional_features.name_ - Name of the feature +* _windows_search.name_ - The name of the item * _windows_security_products.name_ - Name of product * _wmi_bios_info.name_ - Name of the Bios setting * _wmi_cli_event_consumers.name_ - Unique name of a consumer. @@ -3702,6 +3787,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _cpu_info.number_of_cores_ - The number of cores of the CPU. +*number_of_efficiency_cores* - keyword, number.long + +* _cpu_info.number_of_efficiency_cores_ - The number of efficiency cores of the CPU. Only available on Apple Silicon + +*number_of_performance_cores* - keyword, number.long + +* _cpu_info.number_of_performance_cores_ - The number of performance cores of the CPU. Only available on Apple Silicon + *object_name* - keyword, text.text * _winbaseobj.object_name_ - Object Name @@ -3751,6 +3844,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _processes.on_disk_ - The process path exists yes=1, no=0, unknown=-1 +*online* - keyword, number.long + +* _connected_displays.online_ - The online status of the display. This field is 1 if the display is online and 0 if it is offline. + *online_cpus* - keyword, number.long * _docker_container_stats.online_cpus_ - Online CPUs @@ -3880,6 +3977,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _tpm_info.owned_ - TPM is owned +*owner* - keyword, text.text + +* _windows_search.owner_ - The owner of the item + *owner_gid* - keyword, number.long * _process_events.owner_gid_ - File owner group ID @@ -3948,6 +4049,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _process_events.parent_ - Process parent's PID, or -1 if cannot be determined. * _processes.parent_ - Process parent's PID +*parent_process_sequence_number* - keyword, number.long + +* _process_etw_events.parent_process_sequence_number_ - Parent Process Sequence Number - Present only on ProcessStart events + *parent_ref_number* - keyword, text.text * _ntfs_journal_events.parent_ref_number_ - The ordinal that associates a journal record with a filename's parent directory @@ -4071,6 +4176,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _package_receipts.path_ - Path of receipt plist * _plist.path_ - (required) read preferences from a plist * _prefetch.path_ - Prefetch file path. +* _process_etw_events.path_ - Path of executed binary * _process_events.path_ - Path of executed file * _process_file_events.path_ - The path associated with the event * _process_memory_map.path_ - Path to mapped file or mapped type @@ -4098,6 +4204,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _user_ssh_keys.path_ - Path to key file * _userassist.path_ - Application file path. * _windows_crashes.path_ - Path of the executable file for the crashed process +* _windows_search.path_ - The full path of the item. * _yara.path_ - The path scanned *pci_class* - keyword, text.text @@ -4172,6 +4279,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *permissions* - keyword, text.text * _chrome_extensions.permissions_ - The permissions required by the extension +* _kernel_keys.permissions_ - The key permissions, expressed as four hexadecimalbytes containing, from left to right, thepossessor, user, group, and other permissions. * _process_memory_map.permissions_ - r=read, w=write, x=execute, p=private (cow) * _shared_memory.permissions_ - Memory segment permissions * _suid_bin.permissions_ - Binary permissions @@ -4227,6 +4335,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _osquery_info.pid_ - Process (or thread/handle) ID * _pipes.pid_ - Process ID of the process to which the pipe belongs * _process_envs.pid_ - Process (or thread) ID +* _process_etw_events.pid_ - Process ID * _process_events.pid_ - Process (or thread) ID * _process_file_events.pid_ - Process ID * _process_memory_map.pid_ - Process (or thread) ID @@ -4268,12 +4377,21 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _suid_bin.pid_with_namespace_ - Pids that contain a namespace * _user_ssh_keys.pid_with_namespace_ - Pids that contain a namespace * _users.pid_with_namespace_ - Pids that contain a namespace +* _yara.pid_with_namespace_ - Pids that contain a namespace * _yum_sources.pid_with_namespace_ - Pids that contain a namespace *pids* - keyword, number.long * _docker_container_stats.pids_ - Number of processes +*pixels* - keyword, text.text + +* _connected_displays.pixels_ - The number of pixels of the display. + +*pk_hash* - keyword, text.text + +* _keychain_items.pk_hash_ - Hash of associated public key (SHA1 of subjectPublicKey, see RFC 8520 4.2.1.2) + *placement_group_id* - keyword, text.text * _azure_instance_metadata.placement_group_id_ - Placement group for the VM scale set @@ -4359,6 +4477,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *ppid* - keyword, number.long +* _process_etw_events.ppid_ - Parent Process ID * _process_file_events.ppid_ - Parent process ID *pre_cpu_kernelmode_usage* - keyword, number.long @@ -4381,6 +4500,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _docker_container_stats.pre_system_cpu_usage_ - Last read CPU system usage +*predicate* - keyword, text.text + +* _unified_log.predicate_ - predicate to search (see `log help predicates`), note that this is merged into the predicate created from the column constraints + *prefix* - keyword, text.text * _homebrew_packages.prefix_ - Homebrew install prefix @@ -4420,6 +4543,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _event_taps.process_being_tapped_ - The process ID of the target application +*process_sequence_number* - keyword, number.long + +* _process_etw_events.process_sequence_number_ - Process Sequence Number - Present only on ProcessStart events + *process_type* - keyword, text.text * _launchd.process_type_ - Key describes the intended purpose of the job @@ -4444,6 +4571,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _cpu_info.processor_type_ - The processor type, such as Central, Math, or Video. +*product_id* - keyword, text.text + +* _connected_displays.product_id_ - The product ID of the display. + *product_name* - keyword, text.text * _tpm_info.product_name_ - Product name of the TPM @@ -4487,6 +4618,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _docker_container_mounts.propagation_ - Mount propagation +*properties* - keyword, text.text + +* _windows_search.properties_ - Additional property values JSON + *protected* - keyword, number.long * _app_schemes.protected_ - 1 if this handler is protected (reserved) by macOS, else 0 @@ -4554,6 +4689,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _mdfind.query_ - The query that was run to find the file * _osquery_schedule.query_ - The exact query to run +* _windows_search.query_ - Windows search query * _wmi_event_filters.query_ - Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification. *query_language* - keyword, text.text @@ -4761,6 +4897,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _docker_container_processes.resident_size_ - Bytes of private memory used by process * _processes.resident_size_ - Bytes of private memory used by process +*resolution* - keyword, text.text + +* _connected_displays.resolution_ - The resolution of the display. + *resource_group_name* - keyword, text.text * _azure_instance_metadata.resource_group_name_ - Resource group for the VM @@ -4829,6 +4969,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _time_machine_destinations.root_volume_uuid_ - Root UUID of backup volume +*rotation* - keyword, text.text + +* _connected_displays.rotation_ - The orientation of the display. + *round_trip_time* - keyword, number.long * _curl.round_trip_time_ - Time taken to complete the request @@ -4933,6 +5077,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _secureboot.secure_boot_ - Whether secure boot is enabled +*secure_mode* - keyword, number.long + +* _secureboot.secure_mode_ - Secure mode for Intel-based macOS: 0 disabled, 1 full security, 2 medium security + *secure_process* - keyword, number.long * _processes.secure_process_ - Process is secure (IUM) yes=1, no=0 @@ -4992,7 +5140,9 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _authenticode.serial_number_ - The certificate serial number * _battery.serial_number_ - The battery's unique serial number +* _connected_displays.serial_number_ - The serial number of the display. (may not be unique) * _curl_certificate.serial_number_ - Certificate serial number +* _kernel_keys.serial_number_ - The serial key of the key. * _memory_devices.serial_number_ - Serial number of memory device *serial_port_enabled* - keyword, text.text @@ -5049,6 +5199,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *session_id* - keyword, number.long * _logon_sessions.session_id_ - The Terminal Services session identifier. +* _process_etw_events.session_id_ - Session ID * _winbaseobj.session_id_ - Terminal Services Session Id *session_owner* - keyword, text.text @@ -5206,6 +5357,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _shared_memory.size_ - Size in bytes * _smbios_tables.size_ - Table entry size in bytes * _smc_keys.size_ - Reported size of data in bytes +* _windows_search.size_ - The item size in bytes. *size_bytes* - keyword, number.long @@ -5243,6 +5395,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _cpu_time.softirq_ - Time spent servicing softirqs +*sort* - keyword, text.text + +* _windows_search.sort_ - Sort for windows api + *source* - keyword, text.text * _apt_sources.source_ - Source file @@ -5693,6 +5849,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _ntfs_journal_events.time_ - Time of file event * _package_install_history.time_ - Label date as UNIX timestamp * _powershell_events.time_ - Timestamp the event was received by the osquery event publisher +* _process_etw_events.time_ - Event timestamp in Unix format * _process_events.time_ - Time of execution in UNIX time * _process_file_events.time_ - Time of execution in UNIX time * _seccomp_events.time_ - Time of execution in UNIX time @@ -5714,10 +5871,15 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _windows_eventlog.time_range_ - System time to selectively filter the events +*time_windows* - keyword, number.long + +* _process_etw_events.time_windows_ - Event timestamp in Windows format + *timeout* - keyword, text.text * _authorizations.timeout_ - Label top-level key * _curl_certificate.timeout_ - Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout) +* _kernel_keys.timeout_ - The amount of time until the key will expire,expressed in human-readable form. The string perm heremeans that the key is permanent (no timeout). Thestring expd means that the key has already expired. *timestamp* - keyword, text.text @@ -5738,6 +5900,14 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _cups_jobs.title_ - Title of the printed job * _windows_update_history.title_ - Title of an update +*token_elevation_status* - keyword, number.long + +* _process_etw_events.token_elevation_status_ - Primary token elevation status - Present only on ProcessStart events + +*token_elevation_type* - keyword, text.text + +* _process_etw_events.token_elevation_type_ - Primary token elevation type - Present only on ProcessStart events + *total_seconds* - keyword, number.long * _uptime.total_seconds_ - Total uptime seconds @@ -5803,6 +5973,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _hardware_events.type_ - Type of hardware and hardware event * _interface_addresses.type_ - Type of address. One of dhcp, manual, auto, other, unknown * _interface_details.type_ - Interface type (includes virtual) +* _kernel_keys.type_ - The key type. * _keychain_items.type_ - Keychain item type (class) * _last.type_ - Entry type, according to ut_type types (utmp.h) * _logged_in_users.type_ - Login type @@ -5815,6 +5986,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _osquery_events.type_ - Either publisher or subscriber * _osquery_extensions.type_ - SDK extension type: core, extension, or module * _osquery_flags.type_ - Flag type +* _process_etw_events.type_ - Event Type (ProcessStart, ProcessStop) * _process_open_pipes.type_ - Pipe Type: named vs unnamed/anonymous * _registry.type_ - Type of the registry value, or 'subkey' if item is a subkey * _routes.type_ - Type of route @@ -5828,6 +6000,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _user_events.type_ - The file description for the process socket * _users.type_ - Whether the account is roaming (domain), local, or a system profile * _windows_crashes.type_ - Type of crash log +* _windows_search.type_ - The item type * _windows_security_products.type_ - Type of security product * _xprotect_meta.type_ - Either plugin or extension @@ -5855,6 +6028,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _file.uid_ - Owning user ID * _file_events.uid_ - Owning user ID * _firefox_addons.uid_ - The local user that owns the addon +* _kernel_keys.uid_ - The user ID of the key owner. * _known_hosts.uid_ - The local user that owns the known_hosts file * _launchd_overrides.uid_ - User ID applied to the override, 0 applies to all * _package_bom.uid_ - Expected user of file or directory @@ -5891,6 +6065,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _ibridge_info.unique_chip_id_ - Unique id of the iBridge controller +*unit_file_state* - keyword, text.text + +* _systemd_units.unit_file_state_ - Whether the unit file is enabled, e.g. `enabled`, `masked`, `disabled`, etc + *unix_time* - keyword, number.long * _time.unix_time_ - Current UNIX time in UTC @@ -5964,6 +6142,10 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _curl.url_ - The url for the request * _lxd_cluster_members.url_ - URL of the node +*usage* - keyword, number.long + +* _kernel_keys.usage_ - the number of threads and open file references thatrefer to this key. + *usb_address* - keyword, number.long * _usb_devices.usb_address_ - USB Device used address @@ -6030,6 +6212,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq * _launchd.username_ - Run this daemon or agent as this username * _managed_policies.username_ - Policy applies only this user * _preferences.username_ - (optional) read preferences for a specific user +* _process_etw_events.username_ - User rights - primary token username * _rpm_package_files.username_ - File default username from info DB * _shadow.username_ - Username * _startup_items.username_ - The user associated with the startup item @@ -6119,6 +6302,7 @@ For more information about osquery tables, see the https://osquery.io/schema[osq *vendor_id* - keyword, text.text +* _connected_displays.vendor_id_ - The vendor ID of the display. * _hardware_events.vendor_id_ - Hex encoded Hardware vendor identifier * _pci_devices.vendor_id_ - Hex encoded PCI Device vendor identifier * _usb_devices.vendor_id_ - Hex encoded USB Device vendor identifier