osquery
Is it possible to add the description or other custom field to query result log?
I have the following scheduled query in combination with a TLS plugin logger.
"vssadmin.exe": {
"query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%vssadmin%';",
"interval": 600,
"description": "Vssadmin Execute, usaullay used to execute activity on Volume Shadow copy",
"platform": "windows"
},
I'd like to add the description field to the result output log of this specific query, so I can use it to map my queries to a framework. Unfortunately the provided documentation doesn't state such option. Is it possible to add the description or other custom field to the logged output?
Solution
Like this?
Tag your #osquery queries/logs with MITRE ATT&CK IDs like so:
SELECT username,shell, 'T1136' AS attckID FROM users;
- Custom Logger plugin not receiving the logs from osquery
- A non-auto load osquery logger plug-in
- how to save console result of osquery as a csv or excel in windows
- memory_map does not give expected results in Linux
- Using OSquery to modifying or kill processes, etc
- Called read on non-open pipe
- Why OSQuery does not include "Computer" event information when reading Windows EventLogs?
- Can osquery generate apt package information like it does rpm?
- Is it possible to add the description or other custom field to query result log?
- Error: failed to find any PEM data in certificate input when start to run fleet server
- Fail to connect osquery from window server to kolide fleet
- Osquery takes too much space
- Does osquery inotify install watcher on directory or files
- OsQuery not giving json or csv output in window
- How to use "%" character in sql query on linux shell?
- Loop through SQL query using variable from another table
- Running a process messes up shell
- How to Convert Chrome Browser History Sqlite Timestamps with Osquery
- Using osquery wildcards for multi-level patterns
- How to execute a SQL-query to osquery remotely?
- How to save output of SQL query fired from Osquery to a file
- osquery - removing verbose migration info on every osqueryi query
- OSQuery how can i retrieve Anti virus details?
- osquery - How can I retrieve a file origin using osquery?
- I want to connect my web application to show the reports from osquery SQLITE database
- osquery-python extension causing osqueryi errors