Exported fields referenceedit
The following fields can be returned in osquery results. Note the following about osquery fields:
-
Some fields list multiple descriptions because the one that applies depends on which table was queried. For example, a result stored in the
osquery.autoupdate
field may represent a response from thefirefox_addons
table or thewindows_security_center
table. -
In the cases where a field name is associated with more than one osquery table, we have made a best guess at what the data
type
should be. In the cases where it is unknown, the data type is set as akeyword
object.
For more information about osquery tables, see the osquery schema documentation.
Fieldsedit
UUID - keyword, text.text
- system_extensions.UUID - Extension unique id
access - keyword, text.text
- ntfs_acl_permissions.access - Specific permissions that indicate the rights described by the ACE.
accessed_directories - keyword, text.text
- prefetch.accessed_directories - Directories accessed by application within ten seconds of launch.
accessed_directories_count - keyword, number.long
- prefetch.accessed_directories_count - Number of directories accessed.
accessed_files - keyword, text.text
- prefetch.accessed_files - Files accessed by application within ten seconds of launch.
accessed_files_count - keyword, number.long
- prefetch.accessed_files_count - Number of files accessed.
accessed_time - keyword, number.long
- shellbags.accessed_time - Directory Accessed time.
account - keyword, text.text
- keychain_items.account - Optional item account
account_id - keyword, text.text
- ec2_instance_metadata.account_id - AWS account ID which owns this EC2 instance
action - keyword, text.text
- disk_events.action - Appear or disappear
- file_events.action - Change action (UPDATE, REMOVE, etc)
- hardware_events.action - Remove, insert, change properties, etc
- ntfs_journal_events.action - Change action (Write, Delete, etc)
- scheduled_tasks.action - Actions executed by the scheduled task
- socket_events.action - The socket action (bind, listen, close)
- windows_firewall_rules.action - Action for the rule or default setting
- yara_events.action - Change action (UPDATE, REMOVE, etc)
activated - keyword, number.long
- tpm_info.activated - TPM is activated
active - keyword, number.long
- firefox_addons.active - 1 If the addon is active else 0
- memory_info.active - The total amount of buffer or page cache memory, in bytes, that is in active use
- osquery_events.active - 1 if the publisher or subscriber is active else 0
- osquery_packs.active - Whether this pack is active (the version, platform and discovery queries match) yes=1, no=0.
- osquery_registry.active - 1 If this plugin is active else 0
- virtual_memory_info.active - Total number of active pages.
active_disks - keyword, number.long
- md_devices.active_disks - Number of active disks in array
active_state - keyword, text.text
- systemd_units.active_state - The high-level unit activation state, i.e. generalization of SUB
activity - keyword, number.long
- unified_log.activity - the activity ID associate with the entry
actual - keyword, number.long
- fan_speed_sensors.actual - Actual speed
add_reason - keyword, text.text
- wifi_networks.add_reason - Shows why this network was added, via menubar or command line or something else
added_at - keyword, number.long
- wifi_networks.added_at - Time this network was added as a unix_time
address - keyword, text.text
- arp_cache.address - IPv4 address target
- dns_resolvers.address - Resolver IP/IPv6 address
- etc_hosts.address - IP address mapping
- interface_addresses.address - Specific address for interface
- kernel_modules.address - Kernel module address
- listening_ports.address - Specific address for bind
- platform_info.address - Relative address of firmware mapping
- user_events.address - The Internet protocol address or family ID
address_width - keyword, text.text
- cpu_info.address_width - The width of the CPU address bus.
admindir - keyword, text.text
- deb_packages.admindir - libdpkg admindir. Defaults to /var/lib/dpkg
algorithm - keyword, text.text
- authorized_keys.algorithm - Key type
alias - keyword, text.text
- etc_protocols.alias - Protocol alias
- time_machine_destinations.alias - Human readable name of drive
aliases - keyword, text.text
- etc_services.aliases - Optional space separated list of other names for a service
- lxd_images.aliases - Comma-separated list of image aliases
allow_maximum - keyword, number.long
- shared_resources.allow_maximum - Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.
allow_root - keyword, text.text
- authorizations.allow_root - Label top-level key
allow_signed_enabled - keyword, number.long
- alf.allow_signed_enabled - 1 If allow signed mode is enabled else 0
ami_id - keyword, text.text
- ec2_instance_metadata.ami_id - AMI ID used to launch this EC2 instance
amperage - keyword, number.long
- battery.amperage - The battery’s current amperage in mA
anonymous - keyword, number.long
- virtual_memory_info.anonymous - Total number of anonymous pages.
antispyware - keyword, text.text
- windows_security_center.antispyware - Deprecated (always Good).
antivirus - keyword, text.text
- windows_security_center.antivirus - The health of the monitored Antivirus solution (see windows_security_products)
api_version - keyword, text.text
- docker_version.api_version - API version
app_name - keyword, text.text
- windows_firewall_rules.app_name - Friendly name of the application to which the rule applies
apparmor - keyword, text.text
- apparmor_events.apparmor - Apparmor Status like ALLOWED, DENIED etc.
applescript_enabled - keyword, text.text
- apps.applescript_enabled - Info properties NSAppleScriptEnabled label
application - keyword, text.text
- office_mru.application - Associated Office application
arch - keyword, text.text
- deb_packages.arch - Package architecture
- docker_version.arch - Hardware architecture
- os_version.arch - OS Architecture
- rpm_packages.arch - Architecture(s) supported
- seccomp_events.arch - Information about the CPU architecture
- signature.arch - If applicable, the arch of the signed code
architecture - keyword, text.text
- docker_info.architecture - Hardware architecture
- ec2_instance_metadata.architecture - Hardware architecture of this EC2 instance
- lxd_images.architecture - Target architecture for the image
- lxd_instances.architecture - Instance architecture
architectures - keyword, text.text
- apt_sources.architectures - Repository architectures
args - keyword, text.text
- startup_items.args - Arguments provided to startup executable
arguments - keyword, text.text
- kernel_info.arguments - Kernel arguments
array_handle - keyword, text.text
- memory_devices.array_handle - The memory array that the device is attached to
assessments_enabled - keyword, number.long
- gatekeeper.assessments_enabled - 1 If a Gatekeeper is enabled else 0
asset_tag - keyword, text.text
- memory_devices.asset_tag - Manufacturer specific asset tag of memory device
atime - keyword, number.long
- device_file.atime - Last access time
- file.atime - Last access time
- file_events.atime - Last access time
- process_events.atime - File last access in UNIX time
- shared_memory.atime - Attached time
attach - keyword, text.text
- apparmor_profiles.attach - Which executable(s) a profile will attach to.
attached - keyword, number.long
- shared_memory.attached - Number of attached processes
attributes - keyword, text.text
- file.attributes - File attrib string. See: https://ss64.com/nt/attrib.html
audible_alarm - keyword, text.text
- chassis_info.audible_alarm - If TRUE, the frame is equipped with an audible alarm.
audit_account_logon - keyword, number.long
- security_profile_info.audit_account_logon - Determines whether the operating system MUST audit each time this computer validates the credentials of an account
audit_account_manage - keyword, number.long
- security_profile_info.audit_account_manage - Determines whether the operating system MUST audit each event of account management on a computer
audit_ds_access - keyword, number.long
- security_profile_info.audit_ds_access - Determines whether the operating system MUST audit each instance of user attempts to access an Active Directory object that has its own system access control list (SACL) specified
audit_logon_events - keyword, number.long
- security_profile_info.audit_logon_events - Determines whether the operating system MUST audit each instance of a user attempt to log on or log off this computer
audit_object_access - keyword, number.long
- security_profile_info.audit_object_access - Determines whether the operating system MUST audit each instance of user attempts to access a non-Active Directory object that has its own SACL specified
audit_policy_change - keyword, number.long
- security_profile_info.audit_policy_change - Determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy
audit_privilege_use - keyword, number.long
- security_profile_info.audit_privilege_use - Determines whether the operating system MUST audit each instance of user attempts to exercise a user right
audit_process_tracking - keyword, number.long
- security_profile_info.audit_process_tracking - Determines whether the operating system MUST audit process-related events
audit_system_events - keyword, number.long
- security_profile_info.audit_system_events - Determines whether the operating system MUST audit System Change, System Startup, System Shutdown, Authentication Component Load, and Loss or Excess of Security events
auid - keyword
- process_events.auid - Audit User ID at process start
- process_file_events.auid - Audit user ID of the process using the file
- seccomp_events.auid - Audit user ID (loginuid) of the user who started the analyzed process
- socket_events.auid - Audit User ID
- user_events.auid - Audit User ID
authenticate_user - keyword, text.text
- authorizations.authenticate_user - Label top-level key
authentication_package - keyword, text.text
- logon_sessions.authentication_package - The authentication package used to authenticate the owner of the logon session.
author - keyword, text.text
- chocolatey_packages.author - Optional package author
- chrome_extensions.author - Optional extension author
- npm_packages.author - Package-supplied author
- python_packages.author - Optional package author
- safari_extensions.author - Optional extension author
authority - keyword, text.text
- signature.authority - Certificate Common Name
authority_key_id - keyword, text.text
- certificates.authority_key_id - AKID an optionally included SHA1
authority_key_identifier - keyword, text.text
- curl_certificate.authority_key_identifier - Authority Key Identifier
authorizations - keyword, text.text
- keychain_acls.authorizations - A space delimited set of authorization attributes
auto_join - keyword, number.long
- wifi_networks.auto_join - 1 if this network set to join automatically, 0 otherwise
auto_login - keyword, number.long
- wifi_networks.auto_login - 1 if auto login is enabled, 0 otherwise
auto_update - keyword, number.long
- lxd_images.auto_update - Whether the image auto-updates (1) or not (0)
autoupdate - keyword
- firefox_addons.autoupdate - 1 If the addon applies background updates else 0
- windows_security_center.autoupdate - The health of the Windows Autoupdate feature
availability - keyword, text.text
- cpu_info.availability - The availability and status of the CPU.
availability_zone - keyword, text.text
- ec2_instance_metadata.availability_zone - Availability zone in which this instance launched
average - keyword, text.text
- load_average.average - Load average over the specified period.
average_memory - keyword, number.long
- osquery_schedule.average_memory - Average of the bytes of resident memory left allocated after collecting results
avg_disk_bytes_per_read - keyword, number.long
- physical_disk_performance.avg_disk_bytes_per_read - Average number of bytes transferred from the disk during read operations
avg_disk_bytes_per_write - keyword, number.long
- physical_disk_performance.avg_disk_bytes_per_write - Average number of bytes transferred to the disk during write operations
avg_disk_read_queue_length - keyword, number.long
- physical_disk_performance.avg_disk_read_queue_length - Average number of read requests that were queued for the selected disk during the sample interval
avg_disk_sec_per_read - keyword, number.long
- physical_disk_performance.avg_disk_sec_per_read - Average time, in seconds, of a read operation of data from the disk
avg_disk_sec_per_write - keyword, number.long
- physical_disk_performance.avg_disk_sec_per_write - Average time, in seconds, of a write operation of data to the disk
avg_disk_write_queue_length - keyword, number.long
- physical_disk_performance.avg_disk_write_queue_length - Average number of write requests that were queued for the selected disk during the sample interval
backup_date - keyword, number.long
- time_machine_backups.backup_date - Backup Date
bank_locator - keyword, text.text
- memory_devices.bank_locator - String number of the string that identifies the physically-labeled bank where the memory device is located
base64 - keyword, number.long
- extended_attributes.base64 - 1 if the value is base64 encoded else 0
base_image - keyword, text.text
- lxd_instances.base_image - ID of image used to launch this instance
base_uri - keyword, text.text
- apt_sources.base_uri - Repository base URI
baseurl - keyword, text.text
- yum_sources.baseurl - Repository base URL
basic_constraint - keyword, text.text
- curl_certificate.basic_constraint - Basic Constraints
binary_queue - keyword, number.long
- carbon_black_info.binary_queue - Size in bytes of binaries waiting to be sent to Carbon Black server
bitmap_chunk_size - keyword, text.text
- md_devices.bitmap_chunk_size - Bitmap chunk size
bitmap_external_file - keyword, text.text
- md_devices.bitmap_external_file - External referenced bitmap file
bitmap_on_mem - keyword, text.text
- md_devices.bitmap_on_mem - Pages allocated in in-memory bitmap, if enabled
block - keyword, text.text
- ssh_configs.block - The host or match block
block_size - keyword, number.long
- block_devices.block_size - Block size in bytes
- device_file.block_size - Block size of filesystem
- file.block_size - Block size of filesystem
blocks - keyword, number.long
- device_partitions.blocks - Number of blocks
- mounts.blocks - Mounted device used blocks
blocks_available - keyword, number.long
- mounts.blocks_available - Mounted device available blocks
blocks_free - keyword, number.long
- mounts.blocks_free - Mounted device free blocks
blocks_size - keyword, number.long
- device_partitions.blocks_size - Byte size of each block
- mounts.blocks_size - Block size in bytes
bluetooth_sharing - keyword, number.long
- sharing_preferences.bluetooth_sharing - 1 If bluetooth sharing is enabled for any user else 0
board_model - keyword, text.text
- system_info.board_model - Board model
board_serial - keyword, text.text
- system_info.board_serial - Board serial number
board_vendor - keyword, text.text
- system_info.board_vendor - Board vendor
board_version - keyword, text.text
- system_info.board_version - Board version
boot_partition - keyword, number.long
- logical_drives.boot_partition - True if Windows booted from this drive.
boot_uuid - keyword, text.text
- ibridge_info.boot_uuid - Boot UUID of the iBridge controller
bp_microcode_disabled - keyword, number.long
- kva_speculative_info.bp_microcode_disabled - Branch Predictions are disabled due to lack of microcode update.
bp_mitigations - keyword, number.long
- kva_speculative_info.bp_mitigations - Branch Prediction mitigations are enabled.
bp_system_pol_disabled - keyword, number.long
- kva_speculative_info.bp_system_pol_disabled - Branch Predictions are disabled via system policy.
breach_description - keyword, text.text
- chassis_info.breach_description - If provided, gives a more detailed description of a detected security breach.
bridge_nf_ip6tables - keyword, number.long
- docker_info.bridge_nf_ip6tables - 1 if bridge netfilter ip6tables is enabled. 0 otherwise
bridge_nf_iptables - keyword, number.long
- docker_info.bridge_nf_iptables - 1 if bridge netfilter iptables is enabled. 0 otherwise
broadcast - keyword, text.text
- interface_addresses.broadcast - Broadcast address for the interface
browser_type - keyword, text.text
- chrome_extension_content_scripts.browser_type - The browser type (Valid values: chrome, chromium, opera, yandex, brave)
- chrome_extensions.browser_type - The browser type (Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta)
bsd_flags - keyword, text.text
- file.bsd_flags - The BSD file flags (chflags). Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND
bssid - keyword, text.text
- wifi_status.bssid - The current basic service set identifier
- wifi_survey.bssid - The current basic service set identifier
btime - keyword, number.long
- file.btime - (B)irth or (cr)eate time
- process_events.btime - File creation in UNIX time
buffers - keyword, number.long
- memory_info.buffers - The amount of physical RAM, in bytes, used for file buffers
build - keyword, text.text
- os_version.build - Optional build-specific or variant string
build_distro - keyword, text.text
- osquery_info.build_distro - osquery toolkit platform distribution name (os version)
build_id - keyword, text.text
- sandboxes.build_id - Sandbox-specific identifier
build_number - keyword, number.long
- windows_crashes.build_number - Windows build number of the crashing machine
build_platform - keyword, text.text
- osquery_info.build_platform - osquery toolkit build platform
build_time - keyword, text.text
- docker_version.build_time - Build time
- portage_packages.build_time - Unix time when package was built
bundle_executable - keyword, text.text
- apps.bundle_executable - Info properties CFBundleExecutable label
bundle_identifier - keyword, text.text
- apps.bundle_identifier - Info properties CFBundleIdentifier label
- running_apps.bundle_identifier - The bundle identifier of the application
bundle_name - keyword, text.text
- apps.bundle_name - Info properties CFBundleName label
bundle_package_type - keyword, text.text
- apps.bundle_package_type - Info properties CFBundlePackageType label
bundle_path - keyword, text.text
- sandboxes.bundle_path - Application bundle used by the sandbox
- system_extensions.bundle_path - System extension bundle path
bundle_short_version - keyword, text.text
- apps.bundle_short_version - Info properties CFBundleShortVersionString label
bundle_version - keyword, text.text
- apps.bundle_version - Info properties CFBundleVersion label
busy_state - keyword, number.long
- iokit_devicetree.busy_state - 1 if the device is in a busy state else 0
- iokit_registry.busy_state - 1 if the node is in a busy state else 0
bytes - keyword, number.long
- curl.bytes - Number of bytes in the response
- iptables.bytes - Number of matching bytes for this rule.
bytes_available - keyword, number.long
- time_machine_destinations.bytes_available - Bytes available on volume
bytes_received - keyword, number.long
- lxd_networks.bytes_received - Number of bytes received on this network
bytes_sent - keyword, number.long
- lxd_networks.bytes_sent - Number of bytes sent on this network
bytes_used - keyword, number.long
- time_machine_destinations.bytes_used - Bytes used on volume
ca - keyword, number.long
- certificates.ca - 1 if CA: true (certificate is an authority) else 0
cache_path - keyword, text.text
- quicklook_cache.cache_path - Path to cache data
cached - keyword, number.long
- lxd_images.cached - Whether image is cached (1) or not (0)
- memory_info.cached - The amount of physical RAM, in bytes, used as cache memory
capability - keyword, number.long
- apparmor_events.capability - Capability number
capname - keyword, text.text
- apparmor_events.capname - Capability requested by the process
caption - keyword, text.text
- patches.caption - Short description of the patch.
- windows_optional_features.caption - Caption of feature in settings UI
captive_login_date - keyword, number.long
- wifi_networks.captive_login_date - Time this network logged in to a captive portal as unix_time
captive_portal - keyword, number.long
- wifi_networks.captive_portal - 1 if this network has a captive portal, 0 otherwise
carve - keyword, number.long
- carves.carve - Set this value to 1 to start a file carve
carve_guid - keyword, text.text
- carves.carve_guid - Identifying value of the carve session
category - keyword, text.text
- apps.category - The UTI that categorizes the app for the App Store
- file_events.category - The category of the file defined in the config
- ntfs_journal_events.category - The category that the event originated from
- power_sensors.category - The sensor category: currents, voltage, wattage
- system_extensions.category - System extension category
- unified_log.category - the category of the os_log_t used
- yara_events.category - The category of the file
cdhash - keyword, text.text
- es_process_events.cdhash - Codesigning hash of the process
- signature.cdhash - Hash of the application Code Directory
celsius - keyword, number.double
- temperature_sensors.celsius - Temperature in Celsius
certificate - keyword, text.text
- lxd_certificates.certificate - Certificate content
cgroup_driver - keyword, text.text
- docker_info.cgroup_driver - Control groups driver
cgroup_namespace - keyword, text.text
- docker_containers.cgroup_namespace - cgroup namespace
- process_namespaces.cgroup_namespace - cgroup namespace inode
cgroup_path - keyword, text.text
- processes.cgroup_path - The full hierarchical path of the process’s control group
chain - keyword, text.text
- iptables.chain - Size of module content.
change_type - keyword, text.text
- docker_container_fs_changes.change_type - Type of change: C:Modified, A:Added, D:Deleted
channel - keyword
- wifi_status.channel - Channel number
- wifi_survey.channel - Channel number
- windows_eventlog.channel - Source or channel of the event
channel_band - keyword, number.long
- wifi_status.channel_band - Channel band
- wifi_survey.channel_band - Channel band
channel_width - keyword, number.long
- wifi_status.channel_width - Channel width
- wifi_survey.channel_width - Channel width
charged - keyword, number.long
- battery.charged - 1 if the battery is currently completely charged. 0 otherwise
charging - keyword, number.long
- battery.charging - 1 if the battery is currently being charged by a power source. 0 otherwise
chassis_types - keyword, text.text
- chassis_info.chassis_types - A comma-separated list of chassis types, such as Desktop or Laptop.
check_array_finish - keyword, text.text
- md_devices.check_array_finish - Estimated duration of the check array activity
check_array_progress - keyword, text.text
- md_devices.check_array_progress - Progress of the check array activity
check_array_speed - keyword, text.text
- md_devices.check_array_speed - Speed of the check array activity
checksum - keyword, text.text
- disk_events.checksum - UDIF Master checksum if available (CRC32)
child_pid - keyword, number.long
- es_process_events.child_pid - Process ID of a child process in case of a fork event
chunk_size - keyword, number.long
- md_devices.chunk_size - chunk size in bytes
cid - keyword, number.long
- bpf_process_events.cid - Cgroup ID
- bpf_socket_events.cid - Cgroup ID
class - keyword, text.text
- authorizations.class - Label top-level key
- drivers.class - Device/driver class name
- iokit_devicetree.class - Best matching device class (most-specific category)
- iokit_registry.class - Best matching device class (most-specific category)
- usb_devices.class - USB Device class
- wmi_cli_event_consumers.class - The name of the class.
- wmi_event_filters.class - The name of the class.
- wmi_filter_consumer_binding.class - The name of the class.
- wmi_script_event_consumers.class - The name of the class.
clear_text_password - keyword, number.long
- security_profile_info.clear_text_password - Determines whether passwords MUST be stored by using reversible encryption
client_app_id - keyword, text.text
- windows_update_history.client_app_id - Identifier of the client application that processed an update
client_site_name - keyword, text.text
- ntdomains.client_site_name - The name of the site where the domain controller is configured.
cmdline - keyword, text.text
- bpf_process_events.cmdline - Command line arguments
- docker_container_processes.cmdline - Complete argv
- es_process_events.cmdline - Command line arguments (argv)
- process_events.cmdline - Command line arguments (argv)
- processes.cmdline - Complete argv
cmdline_count - keyword, number.long
- es_process_events.cmdline_count - Number of command line arguments
cmdline_size - keyword, number.long
- process_events.cmdline_size - Actual size (bytes) of command line arguments
code - keyword, text.text
- seccomp_events.code - The seccomp action
code_integrity_policy_enforcement_status - keyword, text.text
- hvci_status.code_integrity_policy_enforcement_status - The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.
codename - keyword, text.text
- os_version.codename - OS version codename
codesigning_flags - keyword, text.text
- es_process_events.codesigning_flags - Codesigning flags matching one of these options, in a comma separated list: NOT_VALID, ADHOC, NOT_RUNTIME, INSTALLER. See kern/cs_blobs.h in XNU for descriptions.
collect_cross_processes - keyword, number.long
- carbon_black_info.collect_cross_processes - If the sensor is configured to cross process events
collect_data_file_writes - keyword, number.long
- carbon_black_info.collect_data_file_writes - If the sensor is configured to collect non binary file writes
collect_emet_events - keyword, number.long
- carbon_black_info.collect_emet_events - If the sensor is configured to EMET events
collect_file_mods - keyword, number.long
- carbon_black_info.collect_file_mods - If the sensor is configured to collect file modification events
collect_module_info - keyword, number.long
- carbon_black_info.collect_module_info - If the sensor is configured to collect metadata of binaries
collect_module_loads - keyword, number.long
- carbon_black_info.collect_module_loads - If the sensor is configured to capture module loads
collect_net_conns - keyword, number.long
- carbon_black_info.collect_net_conns - If the sensor is configured to collect network connections
collect_process_user_context - keyword, number.long
- carbon_black_info.collect_process_user_context - If the sensor is configured to collect the user running a process
collect_processes - keyword, number.long
- carbon_black_info.collect_processes - If the sensor is configured to process events
collect_reg_mods - keyword, number.long
- carbon_black_info.collect_reg_mods - If the sensor is configured to collect registry modification events
collect_sensor_operations - keyword, number.long
- carbon_black_info.collect_sensor_operations - Unknown
collect_store_files - keyword, number.long
- carbon_black_info.collect_store_files - If the sensor is configured to send back binaries to the Carbon Black server
collisions - keyword, number.long
- interface_details.collisions - Packet Collisions detected
color_depth - keyword, number.long
- video_info.color_depth - The amount of bits per pixel to represent color.
comm - keyword, text.text
- apparmor_events.comm - Command-line name of the command that was used to invoke the analyzed process
- seccomp_events.comm - Command-line name of the command that was used to invoke the analyzed process
command - keyword, text.text
- crontab.command - Raw command string
- docker_containers.command - Command with arguments
- shell_history.command - Unparsed date/line/command history line
command_line - keyword, text.text
- windows_crashes.command_line - Command-line string passed to the crashed process
command_line_template - keyword, text.text
- wmi_cli_event_consumers.command_line_template - Standard string template that specifies the process to be started. This property can be NULL, and the ExecutablePath property is used as the command line.
comment - keyword, text.text
- authorizations.comment - Label top-level key
- authorized_keys.comment - Optional comment
- docker_image_history.comment - Instruction comment
- etc_protocols.comment - Comment with protocol description
- etc_services.comment - Optional comment for a service.
- groups.comment - Remarks or comments associated with the group
- keychain_items.comment - Optional keychain comment
common_name - keyword, text.text
- certificates.common_name - Certificate CommonName
- curl_certificate.common_name - Common name of company issued to
compat - keyword, number.long
- seccomp_events.compat - Is system call in compatibility mode
compiler - keyword, text.text
- apps.compiler - Info properties DTCompiler label
completed_time - keyword, number.long
- cups_jobs.completed_time - When the job completed printing
components - keyword, text.text
- apt_sources.components - Repository components
compressed - keyword, number.long
- virtual_memory_info.compressed - The total number of pages that have been compressed by the VM compressor.
compressor - keyword, number.long
- virtual_memory_info.compressor - The number of pages used to store compressed VM pages.
computer_name - keyword, text.text
- system_info.computer_name - Friendly computer name (optional)
- windows_eventlog.computer_name - Hostname of system where event was generated
- windows_events.computer_name - Hostname of system where event was generated
condition - keyword, text.text
- battery.condition - One of the following: "Normal" indicates the condition of the battery is within normal tolerances, "Service Needed" indicates that the battery should be checked out by a licensed Mac repair service, "Permanent Failure" indicates the battery needs replacement
config_entrypoint - keyword, text.text
- docker_containers.config_entrypoint - Container entrypoint(s)
config_flag - keyword, text.text
- sip_config.config_flag - The System Integrity Protection config flag
config_hash - keyword, text.text
- osquery_info.config_hash - Hash of the working configuration state
config_name - keyword, text.text
- carbon_black_info.config_name - Sensor group
config_valid - keyword, number.long
- osquery_info.config_valid - 1 if the config was loaded and considered valid, else 0
config_value - keyword, text.text
- system_controls.config_value - The MIB value set in /etc/sysctl.conf
configured_clock_speed - keyword, number.long
- memory_devices.configured_clock_speed - Configured speed of memory device in megatransfers per second (MT/s)
configured_voltage - keyword, number.long
- memory_devices.configured_voltage - Configured operating voltage of device in millivolts
connection_id - keyword, text.text
- interface_details.connection_id - Name of the network connection as it appears in the Network Connections Control Panel program.
connection_status - keyword, text.text
- interface_details.connection_status - State of the network adapter connection to the network.
consistency_scan_date - keyword, number.long
- time_machine_destinations.consistency_scan_date - Consistency scan date
consumer - keyword, text.text
- wmi_filter_consumer_binding.consumer - Reference to an instance of __EventConsumer that represents the object path to a logical consumer, the recipient of an event.
containers - keyword, number.long
- docker_info.containers - Total number of containers
containers_paused - keyword, number.long
- docker_info.containers_paused - Number of containers in paused state
containers_running - keyword, number.long
- docker_info.containers_running - Number of containers currently running
containers_stopped - keyword, number.long
- docker_info.containers_stopped - Number of containers in stopped state
content - keyword, text.text
- disk_events.content - Disk event content
content_caching - keyword, number.long
- sharing_preferences.content_caching - 1 If content caching is enabled else 0
content_type - keyword, text.text
- package_install_history.content_type - Package content_type (optional)
conversion_status - keyword, number.long
- bitlocker_info.conversion_status - The bitlocker conversion status of the drive.
coprocessor_version - keyword, text.text
- ibridge_info.coprocessor_version - The manufacturer and chip version
copy - keyword, number.long
- virtual_memory_info.copy - Total number of copy-on-write pages.
copyright - keyword, text.text
- apps.copyright - Info properties NSHumanReadableCopyright label
core - keyword, number.long
- cpu_time.core - Name of the cpu (core)
cosine_similarity - keyword, number.double
- powershell_events.cosine_similarity - How similar the Powershell script is to a provided normal character frequency
count - keyword, number.long
- userassist.count - Number of times the application has been executed.
- yara.count - Number of YARA matches
- yara_events.count - Number of YARA matches
country_code - keyword, text.text
- wifi_status.country_code - The country code (ISO/IEC 3166-1:1997) for the network
- wifi_survey.country_code - The country code (ISO/IEC 3166-1:1997) for the network
cpu - keyword, number.double
- docker_container_processes.cpu - CPU utilization as percentage
cpu_brand - keyword, text.text
- system_info.cpu_brand - CPU brand string, contains vendor and model
cpu_cfs_period - keyword, number.long
- docker_info.cpu_cfs_period - 1 if CPU Completely Fair Scheduler (CFS) period support is enabled. 0 otherwise
cpu_cfs_quota - keyword, number.long
- docker_info.cpu_cfs_quota - 1 if CPU Completely Fair Scheduler (CFS) quota support is enabled. 0 otherwise
cpu_kernelmode_usage - keyword, number.long
- docker_container_stats.cpu_kernelmode_usage - CPU kernel mode usage
cpu_logical_cores - keyword, number.long
- system_info.cpu_logical_cores - Number of logical CPU cores available to the system
cpu_microcode - keyword, text.text
- system_info.cpu_microcode - Microcode version
cpu_physical_cores - keyword, number.long
- system_info.cpu_physical_cores - Number of physical CPU cores in to the system
cpu_pred_cmd_supported - keyword, number.long
- kva_speculative_info.cpu_pred_cmd_supported - PRED_CMD MSR supported by CPU Microcode.
cpu_set - keyword, number.long
- docker_info.cpu_set - 1 if CPU set selection support is enabled. 0 otherwise
cpu_shares - keyword, number.long
- docker_info.cpu_shares - 1 if CPU share weighting support is enabled. 0 otherwise
cpu_spec_ctrl_supported - keyword, number.long
- kva_speculative_info.cpu_spec_ctrl_supported - SPEC_CTRL MSR supported by CPU Microcode.
cpu_status - keyword, number.long
- cpu_info.cpu_status - The current operating status of the CPU.
cpu_subtype - keyword
- processes.cpu_subtype - Indicates the specific processor on which an entry may be used.
- system_info.cpu_subtype - CPU subtype
cpu_total_usage - keyword, number.long
- docker_container_stats.cpu_total_usage - Total CPU usage
cpu_type - keyword
- processes.cpu_type - Indicates the specific processor designed for installation.
- system_info.cpu_type - CPU type
cpu_usermode_usage - keyword, number.long
- docker_container_stats.cpu_usermode_usage - CPU user mode usage
cpus - keyword, number.long
- docker_info.cpus - Number of CPUs
crash_path - keyword, text.text
- crashes.crash_path - Location of log file
- windows_crashes.crash_path - Path of the log file
crashed_thread - keyword, number.long
- crashes.crashed_thread - Thread ID which crashed
created - keyword, text.text
- authorizations.created - Label top-level key
- docker_containers.created - Time of creation as UNIX time
- docker_image_history.created - Time of creation as UNIX time
- docker_images.created - Time of creation as UNIX time
- docker_networks.created - Time of creation as UNIX time
- keychain_items.created - Date item was created
created_at - keyword, text.text
- lxd_images.created_at - ISO time of image creation
- lxd_instances.created_at - ISO time of creation
created_by - keyword, text.text
- docker_image_history.created_by - Created by instruction
created_time - keyword, number.long
- shellbags.created_time - Directory Created time.
creation_time - keyword
- account_policy_data.creation_time - When the account was first created
- cups_jobs.creation_time - When the print request was initiated
creator - keyword, text.text
- firefox_addons.creator - Addon-supported creator string
creator_pid - keyword, number.long
- shared_memory.creator_pid - Process ID that created the segment
creator_uid - keyword, number.long
- shared_memory.creator_uid - User ID of creator process
csname - keyword, text.text
- patches.csname - The name of the host the patch is installed on.
ctime - keyword
- device_file.ctime - Creation time
- file.ctime - Last status change time
- file_events.ctime - Last status change time
- gatekeeper_approved_apps.ctime - Last change time
- process_events.ctime - File last metadata change in UNIX time
- shared_memory.ctime - Changed time
current_capacity - keyword, number.long
- battery.current_capacity - The battery’s current charged capacity in mAh
current_clock_speed - keyword, number.long
- cpu_info.current_clock_speed - The current frequency of the CPU.
current_directory - keyword, text.text
- windows_crashes.current_directory - Current working directory of the crashed process
current_disk_queue_length - keyword, number.long
- physical_disk_performance.current_disk_queue_length - Number of requests outstanding on the disk at the time the performance data is collected
current_locale - keyword, text.text
- chrome_extensions.current_locale - Current locale supported by extension
current_value - keyword, text.text
- system_controls.current_value - Value of setting
cwd - keyword, text.text
- bpf_process_events.cwd - Current working directory
- es_process_events.cwd - The process current working directory
- process_events.cwd - The process current working directory
- process_file_events.cwd - The current working directory of the process
- processes.cwd - Process current working directory
cycle_count - keyword, number.long
- battery.cycle_count - The number of charge/discharge cycles
data - keyword, text.text
- magic.data - Magic number data from libmagic
- registry.data - Data content of registry value
- windows_eventlog.data - Data associated with the event
- windows_events.data - Data associated with the event
data_width - keyword, number.long
- memory_devices.data_width - Data width, in bits, of this memory device
database - keyword, number.long
- lxd_cluster_members.database - Whether the server is a database node (1) or not (0)
date - keyword
- drivers.date - Driver date
- platform_info.date - Self-reported platform code update date
- windows_update_history.date - Date and the time an update was applied
datetime - keyword, text.text
- crashes.datetime - Date/Time at which the crash occurred
- powershell_events.datetime - System time at which the Powershell script event occurred
- syslog_events.datetime - Time known to syslog
- time.datetime - Current date and time (ISO format) in UTC
- windows_crashes.datetime - Timestamp (log format) of the crash
- windows_eventlog.datetime - System time at which the event occurred
- windows_events.datetime - System time at which the event occurred
day - keyword, number.long
- time.day - Current day in UTC
day_of_month - keyword, text.text
- crontab.day_of_month - The day of the month for the job
day_of_week - keyword, text.text
- crontab.day_of_week - The day of the week for the job
days - keyword, number.long
- uptime.days - Days of uptime
dc_site_name - keyword, text.text
- ntdomains.dc_site_name - The name of the site where the domain controller is located.
decompressed - keyword, number.long
- virtual_memory_info.decompressed - The total number of pages that have been decompressed by the VM compressor.
default_locale - keyword, text.text
- chrome_extensions.default_locale - Default locale supported by extension
default_value - keyword, text.text
- osquery_flags.default_value - Flag default value
denied_mask - keyword, text.text
- apparmor_events.denied_mask - Denied permissions for the process
denylisted - keyword, number.long
- osquery_schedule.denylisted - 1 if the query is denylisted else 0
dependencies - keyword, text.text
- kernel_panics.dependencies - Module dependencies existing in crashed module’s backtrace
depth - keyword, number.long
- iokit_devicetree.depth - Device nested depth
- iokit_registry.depth - Node nested depth
description - keyword, text.text
- appcompat_shims.description - Description of the SDB.
- atom_packages.description - Package supplied description
- browser_plugins.description - Plugin description text
- chassis_info.description - An extended description of the chassis if available.
- chrome_extensions.description - Extension-optional description
- disk_info.description - The OS’s description of the disk.
- drivers.description - Driver description
- firefox_addons.description - Addon-supplied description string
- interface_details.description - Short description of the object a one-line string.
- keychain_acls.description - The description included with the ACL entry
- keychain_items.description - Optional item description
- logical_drives.description - The canonical description of the drive, e.g. Logical Fixed Disk, CD-ROM Disk.
- lxd_images.description - Image description
- lxd_instances.description - Instance description
- npm_packages.description - Package-supplied description
- osquery_flags.description - Flag description
- patches.description - Fuller description of the patch.
- safari_extensions.description - Optional extension description text
- services.description - Service Description
- shared_resources.description - A textual description of the object
- smbios_tables.description - Table entry description
- systemd_units.description - Unit description
- users.description - Optional user description
- windows_update_history.description - Description of an update
- ycloud_instance_metadata.description - Description of the VM
designed_capacity - keyword, number.long
- battery.designed_capacity - The battery’s designed capacity in mAh
dest_filename - keyword, text.text
- es_process_file_events.dest_filename - Destination filename for the event
dest_path - keyword, text.text
- process_file_events.dest_path - The canonical path associated with the event
destination - keyword, text.text
- cups_jobs.destination - The printer the job was sent to
- docker_container_mounts.destination - Destination path inside container
- routes.destination - Destination IP address
destination_id - keyword, text.text
- time_machine_backups.destination_id - Time Machine destination ID
- time_machine_destinations.destination_id - Time Machine destination ID
dev_id_enabled - keyword, number.long
- gatekeeper.dev_id_enabled - 1 If a Gatekeeper allows execution from identified developers else 0
developer_id - keyword, text.text
- safari_extensions.developer_id - Optional developer identifier
- xprotect_meta.developer_id - Developer identity (SHA1) of extension
development_region - keyword, text.text
- apps.development_region - Info properties CFBundleDevelopmentRegion label
- browser_plugins.development_region - Plugin language-localization
device - keyword, text.text
- device_file.device - Absolute file path to device node
- device_firmware.device - The device name
- device_hash.device - Absolute file path to device node
- device_partitions.device - Absolute file path to device node
- disk_events.device - Disk event BSD name
- file.device - Device ID (optional)
- kernel_info.device - Kernel device identifier
- lxd_instance_devices.device - Name of the device
- mounts.device - Mounted device
- process_memory_map.device - MA:MI Major/minor device ID
device_alias - keyword, text.text
- mounts.device_alias - Mounted device alias
device_error_address - keyword, text.text
- memory_error_info.device_error_address - 32 bit physical address of the error relative to the start of the failing memory address, in bytes
device_id - keyword, text.text
- bitlocker_info.device_id - ID of the encrypted drive.
- cpu_info.device_id - The DeviceID of the CPU.
- drivers.device_id - Device ID
- logical_drives.device_id - The drive id, usually the drive name, e.g., C:.
device_locator - keyword, text.text
- memory_devices.device_locator - String number of the string that identifies the physically-labeled socket or board position where the memory device is located
device_name - keyword, text.text
- drivers.device_name - Device name
- md_devices.device_name - md device name
device_path - keyword, text.text
- iokit_devicetree.device_path - Device tree path
device_type - keyword, text.text
- lxd_instance_devices.device_type - Device type
dhcp_enabled - keyword, number.long
- interface_details.dhcp_enabled - If TRUE, the dynamic host configuration protocol (DHCP) server automatically assigns an IP address to the computer system when establishing a network connection.
dhcp_lease_expires - keyword, text.text
- interface_details.dhcp_lease_expires - Expiration date and time for a leased IP address that was assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_lease_obtained - keyword, text.text
- interface_details.dhcp_lease_obtained - Date and time the lease was obtained for the IP address assigned to the computer by the dynamic host configuration protocol (DHCP) server.
dhcp_server - keyword, text.text
- interface_details.dhcp_server - IP address of the dynamic host configuration protocol (DHCP) server.
direction - keyword, text.text
- windows_firewall_rules.direction - Direction of traffic for which the rule applies
directory - keyword, text.text
- extended_attributes.directory - Directory of file(s)
- file.directory - Directory of file(s)
- hash.directory - Must provide a path or directory
- npm_packages.directory - Directory where node_modules are located
- python_packages.directory - Directory where Python modules are located
- users.directory - User’s home directory
disabled - keyword
- browser_plugins.disabled - Is the plugin disabled. 1 = Disabled
- firefox_addons.disabled - 1 If the addon is application-disabled else 0
- launchd.disabled - Skip loading this daemon or agent on boot
- wifi_networks.disabled - 1 if this network is disabled, 0 otherwise
disc_sharing - keyword, number.long
- sharing_preferences.disc_sharing - 1 If CD or DVD sharing is enabled else 0
disconnected - keyword, number.long
- connectivity.disconnected - True if the all interfaces are not connected to any network
discovery_cache_hits - keyword, number.long
- osquery_packs.discovery_cache_hits - The number of times that the discovery query used cached values since the last time the config was reloaded
discovery_executions - keyword, number.long
- osquery_packs.discovery_executions - The number of times that the discovery queries have been executed since the last time the config was reloaded
disk_bytes_read - keyword, number.long
- processes.disk_bytes_read - Bytes read from disk
disk_bytes_written - keyword, number.long
- processes.disk_bytes_written - Bytes written to disk
disk_index - keyword, number.long
- disk_info.disk_index - Physical drive number of the disk.
disk_read - keyword, number.long
- docker_container_stats.disk_read - Total disk read bytes
disk_size - keyword, number.long
- disk_info.disk_size - Size of the disk.
disk_write - keyword, number.long
- docker_container_stats.disk_write - Total disk write bytes
display_name - keyword, text.text
- apps.display_name - Info properties CFBundleDisplayName label
- services.display_name - Service Display name
dns_domain - keyword, text.text
- interface_details.dns_domain - Organization name followed by a period and an extension that indicates the type of organization, such as microsoft.com.
dns_domain_name - keyword, text.text
- logon_sessions.dns_domain_name - The DNS name for the owner of the logon session.
dns_domain_suffix_search_order - keyword, text.text
- interface_details.dns_domain_suffix_search_order - Array of DNS domain suffixes to be appended to the end of host names during name resolution.
dns_forest_name - keyword, text.text
- ntdomains.dns_forest_name - The name of the root of the DNS tree.
dns_host_name - keyword, text.text
- interface_details.dns_host_name - Host name used to identify the local computer for authentication by some utilities.
dns_server_search_order - keyword, text.text
- interface_details.dns_server_search_order - Array of server IP addresses to be used in querying for DNS servers.
domain - keyword, text.text
- ad_config.domain - Active Directory trust domain
- managed_policies.domain - System or manager-chosen domain key
- preferences.domain - Application ID usually in com.name.product format
domain_controller_address - keyword, text.text
- ntdomains.domain_controller_address - The IP Address of the discovered domain controller..
domain_controller_name - keyword, text.text
- ntdomains.domain_controller_name - The name of the discovered domain controller.
domain_name - keyword, text.text
- ntdomains.domain_name - The name of the domain.
drive_letter - keyword, text.text
- bitlocker_info.drive_letter - Drive letter of the encrypted drive.
- ntfs_journal_events.drive_letter - The drive letter identifying the source journal
drive_name - keyword, text.text
- md_drives.drive_name - Drive device name
driver - keyword, text.text
- docker_container_mounts.driver - Driver providing the mount
- docker_networks.driver - Network driver
- docker_volumes.driver - Volume driver
- hardware_events.driver - Driver claiming the device
- lxd_storage_pools.driver - Storage driver
- pci_devices.driver - PCI Device used driver
- video_info.driver - The driver of the device.
driver_date - keyword, number.long
- video_info.driver_date - The date listed on the installed driver.
driver_key - keyword, text.text
- drivers.driver_key - Driver key
driver_version - keyword, text.text
- video_info.driver_version - The version of the installed driver.
dst_ip - keyword, text.text
- iptables.dst_ip - Destination IP address.
dst_mask - keyword, text.text
- iptables.dst_mask - Destination IP address mask.
dst_port - keyword, text.text
- iptables.dst_port - Protocol destination port(s).
dtime - keyword, number.long
- shared_memory.dtime - Detached time
dump_certificate - keyword, number.long
- curl_certificate.dump_certificate - Set this value to 1 to dump certificate
duration - keyword, number.long
- bpf_process_events.duration - How much time was spent inside the syscall (nsecs)
- bpf_socket_events.duration - How much time was spent inside the syscall (nsecs)
eapi - keyword, number.long
- portage_packages.eapi - The eapi for the ebuild
egid - keyword
- docker_container_processes.egid - Effective group ID
- es_process_events.egid - Effective Group ID of the process
- process_events.egid - Effective group ID at process start
- process_file_events.egid - Effective group ID of the process using the file
- processes.egid - Unsigned effective group ID
eid - keyword, text.text
- apparmor_events.eid - Event ID
- bpf_process_events.eid - Event ID
- bpf_socket_events.eid - Event ID
- disk_events.eid - Event ID
- es_process_events.eid - Event ID
- es_process_file_events.eid - Event ID
- file_events.eid - Event ID
- hardware_events.eid - Event ID
- ntfs_journal_events.eid - Event ID
- process_events.eid - Event ID
- process_file_events.eid - Event ID
- selinux_events.eid - Event ID
- socket_events.eid - Event ID
- syslog_events.eid - Event ID
- user_events.eid - Event ID
- windows_events.eid - Event ID
- yara_events.eid - Event ID
ejectable - keyword, number.long
- disk_events.ejectable - 1 if ejectable, 0 if not
elapsed_time - keyword, number.long
- processes.elapsed_time - Elapsed time in seconds this process has been running.
element - keyword, text.text
- apps.element - Does the app identify as a background agent
elevated_token - keyword, number.long
- processes.elevated_token - Process uses elevated token yes=1, no=0
enable_admin_account - keyword, number.long
- security_profile_info.enable_admin_account - Determines whether the Administrator account on the local computer is enabled
enable_guest_account - keyword, number.long
- security_profile_info.enable_guest_account - Determines whether the Guest account on the local computer is enabled
enable_ipv6 - keyword, number.long
- docker_networks.enable_ipv6 - 1 if IPv6 is enabled on this network. 0 otherwise
enabled - keyword
- app_schemes.enabled - 1 if this handler is the OS default, else 0
- event_taps.enabled - Is the Event Tap enabled
- interface_details.enabled - Indicates whether the adapter is enabled or not.
- location_services.enabled - 1 if Location Services are enabled, else 0
- lxd_cluster.enabled - Whether clustering enabled (1) or not (0) on this node
- sandboxes.enabled - Application sandboxings enabled on container
- scheduled_tasks.enabled - Whether or not the scheduled task is enabled
- screenlock.enabled - 1 If a password is required after sleep or the screensaver begins; else 0
- sip_config.enabled - 1 if this configuration is enabled, otherwise 0
- tpm_info.enabled - TPM is enabled
- windows_firewall_rules.enabled - 1 if the rule is enabled
- yum_sources.enabled - Whether the repository is used
enabled_nvram - keyword, number.long
- sip_config.enabled_nvram - 1 if this configuration is enabled, otherwise 0
encrypted - keyword, number.long
- disk_encryption.encrypted - 1 If encrypted: true (disk is encrypted), else 0
- user_ssh_keys.encrypted - 1 if key is encrypted, 0 otherwise
encryption - keyword, text.text
- time_machine_destinations.encryption - Last known encrypted state
encryption_method - keyword, text.text
- bitlocker_info.encryption_method - The encryption type of the device.
encryption_status - keyword, text.text
- disk_encryption.encryption_status - Disk encryption status with one of following values: encrypted | not encrypted | undefined
end - keyword, text.text
- memory_map.end - End address of memory region
- process_memory_map.end - Virtual end address (hex)
ending_address - keyword, text.text
- memory_array_mapped_addresses.ending_address - Physical ending address of last kilobyte of a range of memory mapped to physical memory array
- memory_device_mapped_addresses.ending_address - Physical ending address of last kilobyte of a range of memory mapped to physical memory array
endpoint_id - keyword, text.text
- docker_container_networks.endpoint_id - Endpoint ID
entry - keyword, text.text
- authorization_mechanisms.entry - The whole string entry
- shimcache.entry - Execution order.
env - keyword, text.text
- es_process_events.env - Environment variables delimited by spaces
- process_events.env - Environment variables delimited by spaces
env_count - keyword, number.long
- es_process_events.env_count - Number of environment variables
- process_events.env_count - Number of environment variables
env_size - keyword, number.long
- process_events.env_size - Actual size (bytes) of environment list
env_variables - keyword, text.text
- docker_containers.env_variables - Container environmental variables
environment - keyword, text.text
- apps.environment - Application-set environment variables
ephemeral - keyword, number.long
- lxd_instances.ephemeral - Whether the instance is ephemeral(1) or not(0)
epoch - keyword, number.long
- rpm_packages.epoch - Package epoch value
error - keyword, text.text
- apparmor_events.error - Error information
error_granularity - keyword, text.text
- memory_error_info.error_granularity - Granularity to which the error can be resolved
error_operation - keyword, text.text
- memory_error_info.error_operation - Memory access operation that caused the error
error_resolution - keyword, text.text
- memory_error_info.error_resolution - Range, in bytes, within which this error can be determined, when an error address is given
error_type - keyword, text.text
- memory_error_info.error_type - type of error associated with current error status for array or device
euid - keyword
- docker_container_processes.euid - Effective user ID
- es_process_events.euid - Effective User ID of the process
- process_events.euid - Effective user ID at process start
- process_file_events.euid - Effective user ID of the process using the file
- processes.euid - Unsigned effective user ID
event - keyword, text.text
- crontab.event - The job @event name (rare)
event_queue - keyword, number.long
- carbon_black_info.event_queue - Size in bytes of Carbon Black event files on disk
event_tap_id - keyword, number.long
- event_taps.event_tap_id - Unique ID for the Tap
event_tapped - keyword, text.text
- event_taps.event_tapped - The mask that identifies the set of events to be observed.
event_type - keyword, text.text
- es_process_events.event_type - Type of EndpointSecurity event
- es_process_file_events.event_type - Type of EndpointSecurity event
eventid - keyword, number.long
- windows_eventlog.eventid - Event ID of the event
- windows_events.eventid - Event ID of the event
events - keyword, number.long
- osquery_events.events - Number of events emitted or received since osquery started
exception_address - keyword, text.text
- windows_crashes.exception_address - Address (in hex) where the exception occurred
exception_code - keyword, text.text
- windows_crashes.exception_code - The Windows exception code
exception_codes - keyword, text.text
- crashes.exception_codes - Exception codes from the crash
exception_message - keyword, text.text
- windows_crashes.exception_message - The NTSTATUS error message associated with the exception code
exception_notes - keyword, text.text
- crashes.exception_notes - Exception notes from the crash
exception_type - keyword, text.text
- crashes.exception_type - Exception type of the crash
exe - keyword, text.text
- seccomp_events.exe - The path to the executable that was used to invoke the analyzed process
executable - keyword, text.text
- appcompat_shims.executable - Name of the executable that is being shimmed. This is pulled from the registry.
- process_file_events.executable - The executable path
executable_path - keyword, text.text
- wmi_cli_event_consumers.executable_path - Module to execute. The string can specify the full path and file name of the module to execute, or it can specify a partial name. If a partial name is specified, the current drive and current directory are assumed.
execution_flag - keyword, number.long
- shimcache.execution_flag - Boolean Execution flag, 1 for execution, 0 for no execution, -1 for missing (this flag does not exist on Windows 10 and higher).
executions - keyword, number.long
- osquery_schedule.executions - Number of times the query was executed
exit_code - keyword, text.text
- bpf_process_events.exit_code - Exit code of the system call
- bpf_socket_events.exit_code - Exit code of the system call
- es_process_events.exit_code - Exit code of a process in case of an exit event
expand - keyword, number.long
- default_environment.expand - 1 if the variable needs expanding, 0 otherwise
expire - keyword, number.long
- shadow.expire - Number of days since UNIX epoch date until account is disabled
expires_at - keyword, text.text
- lxd_images.expires_at - ISO time of image expiration
extended_key_usage - keyword, text.text
- curl_certificate.extended_key_usage - Extended usage of key in certificate
extensions - keyword, text.text
- osquery_info.extensions - osquery extensions status
external - keyword, number.long
- app_schemes.external - 1 if this handler does NOT exist on macOS by default, else 0
extra - keyword, text.text
- asl.extra - Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.
- platform_info.extra - Platform-specific additional information
facility - keyword, text.text
- asl.facility - Sender’s facility. Default is user.
- syslog_events.facility - Syslog facility
fahrenheit - keyword, number.double
- temperature_sensors.fahrenheit - Temperature in Fahrenheit
failed_disks - keyword, number.long
- md_devices.failed_disks - Number of failed disks in array
failed_login_count - keyword, number.long
- account_policy_data.failed_login_count - The number of failed login attempts using an incorrect password. Count resets after a correct password is entered.
failed_login_timestamp - keyword, number.double
- account_policy_data.failed_login_timestamp - The time of the last failed login attempt. Resets after a correct password is entered
family - keyword, number.long
- bpf_socket_events.family - The Internet protocol family ID
- listening_ports.family - Network protocol (IPv4, IPv6)
- process_open_sockets.family - Network protocol (IPv4, IPv6)
- socket_events.family - The Internet protocol family ID
fan - keyword, text.text
- fan_speed_sensors.fan - Fan number
faults - keyword, number.long
- virtual_memory_info.faults - Total number of calls to vm_faults.
fd - keyword, text.text
- bpf_socket_events.fd - The file description for the process socket
- listening_ports.fd - Socket file descriptor number
- process_open_files.fd - Process-specific file descriptor number
- process_open_pipes.fd - File descriptor
- process_open_sockets.fd - Socket file descriptor number
- socket_events.fd - The file description for the process socket
feature - keyword, text.text
- cpuid.feature - Present feature flags
feature_control - keyword, number.long
- msr.feature_control - Bitfield controlling enabled features.
field_name - keyword, text.text
- system_controls.field_name - Specific attribute of opaque type
file_attributes - keyword, text.text
- ntfs_journal_events.file_attributes - File attributes
file_backed - keyword, number.long
- virtual_memory_info.file_backed - Total number of file backed pages.
file_id - keyword, text.text
- file.file_id - file ID
file_sharing - keyword, number.long
- sharing_preferences.file_sharing - 1 If file sharing is enabled else 0
file_system - keyword, text.text
- logical_drives.file_system - The file system of the drive.
file_version - keyword, text.text
- file.file_version - File version
filename - keyword, text.text
- device_file.filename - Name portion of file path
- es_process_file_events.filename - The source or target filename for the event
- file.filename - Name portion of file path
- lxd_images.filename - Filename of the image file
- prefetch.filename - Executable filename.
- xprotect_entries.filename - Use this file name to match
filepath - keyword, text.text
- package_bom.filepath - Package file or directory
filesystem - keyword, text.text
- disk_events.filesystem - Filesystem if available
filetype - keyword, text.text
- xprotect_entries.filetype - Use this file type to match
filevault_status - keyword, text.text
- disk_encryption.filevault_status - FileVault status with one of following values: on | off | unknown
filter - keyword, text.text
- wmi_filter_consumer_binding.filter - Reference to an instance of __EventFilter that represents the object path to an event filter which is a query that specifies the type of event to be received.
filter_name - keyword, text.text
- iptables.filter_name - Packet matching filter table name.
fingerprint - keyword, text.text
- lxd_certificates.fingerprint - SHA256 hash of the certificate
finished_at - keyword, text.text
- docker_containers.finished_at - Container finish time as string
firewall - keyword, text.text
- windows_security_center.firewall - The health of the monitored Firewall (see windows_security_products)
firewall_unload - keyword, number.long
- alf.firewall_unload - 1 If firewall unloading enabled else 0
firmware_type - keyword, text.text
- platform_info.firmware_type - The type of firmware (uefi, bios, iboot, openfirmware, unknown).
firmware_version - keyword, text.text
- ibridge_info.firmware_version - The build version of the firmware
fix_comments - keyword, text.text
- patches.fix_comments - Additional comments about the patch.
flag - keyword, number.long
- shadow.flag - Reserved
flags - keyword
- device_partitions.flags -
- dns_cache.flags - DNS record flags
- interface_details.flags - Flags (netdevice) for the device
- mounts.flags - Mounted device flags
- pipes.flags - The flags indicating whether this pipe connection is a server or client end, and if the pipe for sending messages or bytes
- routes.flags - Flags to describe route
folder_id - keyword, text.text
- ycloud_instance_metadata.folder_id - Folder identifier for the VM
following - keyword, text.text
- systemd_units.following - The name of another unit that this unit follows in state
force_logoff_when_expire - keyword, number.long
- security_profile_info.force_logoff_when_expire - Determines whether SMB client sessions with the SMB server will be forcibly disconnected when the client’s logon hours expire
forced - keyword, number.long
- preferences.forced - 1 if the value is forced/managed, else 0
form_factor - keyword, text.text
- memory_devices.form_factor - Implementation form factor for this memory device
format - keyword, text.text
- cups_jobs.format - The format of the print job
forwarding_enabled - keyword, number.long
- interface_ipv6.forwarding_enabled - Enable IP forwarding
fragment_path - keyword, text.text
- systemd_units.fragment_path - The unit file path this unit was read from, if there is any
frame_backtrace - keyword, text.text
- kernel_panics.frame_backtrace - Backtrace of the crashed module
free - keyword, number.long
- virtual_memory_info.free - Total number of free pages.
free_space - keyword, number.long
- logical_drives.free_space - The amount of free space, in bytes, of the drive (-1 on failure).
friendly_name - keyword, text.text
- interface_addresses.friendly_name - The friendly display name of the interface.
- interface_details.friendly_name - The friendly display name of the interface.
from_webstore - keyword, text.text
- chrome_extensions.from_webstore - True if this extension was installed from the web store
fs_id - keyword, text.text
- quicklook_cache.fs_id - Quicklook file fs_id key
fsgid - keyword
- process_events.fsgid - Filesystem group ID at process start
- process_file_events.fsgid - Filesystem group ID of the process using the file
fsuid - keyword
- apparmor_events.fsuid - Filesystem user ID
- process_events.fsuid - Filesystem user ID at process start
- process_file_events.fsuid - Filesystem user ID of the process using the file
gateway - keyword, text.text
- docker_container_networks.gateway - Gateway
- docker_networks.gateway - Network gateway
- routes.gateway - Route gateway
gid - keyword
- asl.gid - GID that sent the log message (set by the server).
- bpf_process_events.gid - Group ID
- bpf_socket_events.gid - Group ID
- device_file.gid - Owning group ID
- docker_container_processes.gid - Group ID
- es_process_events.gid - Group ID of the process
- file.gid - Owning group ID
- file_events.gid - Owning group ID
- groups.gid - Unsigned int64 group ID
- package_bom.gid - Expected group of file or directory
- process_events.gid - Group ID at process start
- process_file_events.gid - The gid of the process performing the action
- processes.gid - Unsigned group ID
- seccomp_events.gid - Group ID of the user who started the analyzed process
- user_groups.gid - Group ID
- users.gid - Group ID (unsigned)
gid_signed - keyword, number.long
- groups.gid_signed - A signed int64 version of gid
- users.gid_signed - Default group ID as int64 signed (Apple)
git_commit - keyword, text.text
- docker_version.git_commit - Docker build git commit
global_seq_num - keyword, number.long
- es_process_events.global_seq_num - Global sequence number
- es_process_file_events.global_seq_num - Global sequence number
global_state - keyword, number.long
- alf.global_state - 1 If the firewall is enabled with exceptions, 2 if the firewall is configured to block all incoming connections, else 0
go_version - keyword, text.text
- docker_version.go_version - Go version
gpgcheck - keyword, text.text
- yum_sources.gpgcheck - Whether packages are GPG checked
gpgkey - keyword, text.text
- yum_sources.gpgkey - URL to GPG key
grace_period - keyword, number.long
- screenlock.grace_period - The amount of time in seconds the screen must be asleep or the screensaver on before a password is required on-wake. 0 = immediately; -1 = no password is required on-wake
group_sid - keyword, text.text
- groups.group_sid - Unique group ID
grouping - keyword, text.text
- windows_firewall_rules.grouping - Group to which an individual rule belongs
groupname - keyword, text.text
- groups.groupname - Canonical local group name
- launchd.groupname - Run this daemon or agent as this group
- rpm_package_files.groupname - File default groupname from info DB
- suid_bin.groupname - Binary owner group
guest - keyword, number.long
- cpu_time.guest - Time spent running a virtual CPU for a guest OS under the control of the Linux kernel
guest_nice - keyword, number.long
- cpu_time.guest_nice - Time spent running a niced guest
handle - keyword, text.text
- memory_array_mapped_addresses.handle - Handle, or instance number, associated with the structure
- memory_arrays.handle - Handle, or instance number, associated with the array
- memory_device_mapped_addresses.handle - Handle, or instance number, associated with the structure
- memory_devices.handle - Handle, or instance number, associated with the structure in SMBIOS
- memory_error_info.handle - Handle, or instance number, associated with the structure
- oem_strings.handle - Handle, or instance number, associated with the Type 11 structure
- smbios_tables.handle - Table entry handle
handle_count - keyword, number.long
- processes.handle_count - Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process.
handler - keyword, text.text
- app_schemes.handler - Application label for the handler
hard_limit - keyword, text.text
- ulimit_info.hard_limit - Maximum limit value
hard_links - keyword, number.long
- device_file.hard_links - Number of hard links
- file.hard_links - Number of hard links
hardware_model - keyword, text.text
- disk_info.hardware_model - Hard drive model.
- system_info.hardware_model - Hardware model
hardware_serial - keyword, text.text
- system_info.hardware_serial - Device serial number
hardware_vendor - keyword, text.text
- system_info.hardware_vendor - Hardware vendor
hardware_version - keyword, text.text
- system_info.hardware_version - Hardware version
has_expired - keyword, number.long
- curl_certificate.has_expired - 1 if the certificate has expired, 0 otherwise
hash - keyword, text.text
- prefetch.hash - Prefetch CRC hash.
hash_alg - keyword, text.text
- shadow.hash_alg - Password hashing algorithm
hash_resources - keyword, number.long
- signature.hash_resources - Set to 1 to also hash resources, or 0 otherwise. Default is 1
hashed - keyword, number.long
- file_events.hashed - 1 if the file was hashed, 0 if not, -1 if hashing failed
header - keyword, text.text
- sudoers.header - Symbol for given rule
header_size - keyword, number.long
- smbios_tables.header_size - Header size in bytes
health - keyword, text.text
- battery.health - One of the following: "Good" describes a well-performing battery, "Fair" describes a functional battery with limited capacity, or "Poor" describes a battery that’s not capable of providing power
hidden - keyword, number.long
- scheduled_tasks.hidden - Whether or not the task is visible in the UI
- smc_keys.hidden - 1 if this key is normally hidden, otherwise 0
history_file - keyword, text.text
- shell_history.history_file - Path to the .*_history for this user
hit_count - keyword, text.text
- quicklook_cache.hit_count - Number of cache hits on thumbnail
home_directory - keyword, text.text
- logon_sessions.home_directory - The home directory for the logon session.
home_directory_drive - keyword, text.text
- logon_sessions.home_directory_drive - The drive location of the home directory of the logon session.
homepage - keyword, text.text
- atom_packages.homepage - Package supplied homepage
- npm_packages.homepage - Package supplied homepage
hop_limit - keyword, number.long
- interface_ipv6.hop_limit - Current Hop Limit
hopcount - keyword, number.long
- routes.hopcount - Max hops expected
host - keyword, text.text
- asl.host - Sender’s address (set by the server).
- last.host - Entry hostname
- logged_in_users.host - Remote hostname
- preferences.host - current or any host, where current takes precedence
- syslog_events.host - Hostname configured for syslog
host_ip - keyword, text.text
- docker_container_ports.host_ip - Host IP address on which public port is listening
host_port - keyword, number.long
- docker_container_ports.host_port - Host port
hostname - keyword, text.text
- curl_certificate.hostname - Hostname to CURL (domain[:port], e.g. osquery.io)
- system_info.hostname - Network hostname including domain
- ycloud_instance_metadata.hostname - Hostname of the VM
hostnames - keyword, text.text
- etc_hosts.hostnames - Raw hosts mapping
hotfix_id - keyword, text.text
- patches.hotfix_id - The KB ID of the patch.
hour - keyword, text.text
- crontab.hour - The hour of the day for the job
- time.hour - Current hour in UTC
hours - keyword, number.long
- uptime.hours - Hours of uptime
hresult - keyword, number.long
- windows_update_history.hresult - HRESULT value that is returned from the operation on an update
http_proxy - keyword, text.text
- docker_info.http_proxy - HTTP proxy
https_proxy - keyword, text.text
- docker_info.https_proxy - HTTPS proxy
hwaddr - keyword, text.text
- lxd_networks.hwaddr - Hardware address for this network
iam_arn - keyword, text.text
- ec2_instance_metadata.iam_arn - If there is an IAM role associated with the instance, contains instance profile ARN
ibrs_support_enabled - keyword, number.long
- kva_speculative_info.ibrs_support_enabled - Windows uses IBRS.
ibytes - keyword, number.long
- interface_details.ibytes - Input bytes
icmp_types_codes - keyword, text.text
- windows_firewall_rules.icmp_types_codes - ICMP types and codes for the rule
icon_mode - keyword, number.long
- quicklook_cache.icon_mode - Thumbnail icon mode
id - keyword, text.text
- disk_info.id - The unique identifier of the drive on the system.
- dns_resolvers.id - Address type index or order
- docker_container_envs.id - Container ID
- docker_container_fs_changes.id - Container ID
- docker_container_labels.id - Container ID
- docker_container_mounts.id - Container ID
- docker_container_networks.id - Container ID
- docker_container_ports.id - Container ID
- docker_container_processes.id - Container ID
- docker_container_stats.id - Container ID
- docker_containers.id - Container ID
- docker_image_history.id - Image ID
- docker_image_labels.id - Image ID
- docker_image_layers.id - Image ID
- docker_images.id - Image ID
- docker_info.id - Docker system ID
- docker_network_labels.id - Network ID
- docker_networks.id - Network ID
- iokit_devicetree.id - IOKit internal registry ID
- iokit_registry.id - IOKit internal registry ID
- lxd_images.id - Image ID
- systemd_units.id - Unique unit identifier
identifier - keyword, text.text
- browser_plugins.identifier - Plugin identifier
- chrome_extension_content_scripts.identifier - Extension identifier
- chrome_extensions.identifier - Extension identifier, computed from its manifest. Empty in case of error.
- crashes.identifier - Identifier of the crashed process
- firefox_addons.identifier - Addon identifier
- safari_extensions.identifier - Extension identifier
- signature.identifier - The signing identifier sealed into the signature
- system_extensions.identifier - Identifier name
- xprotect_meta.identifier - Browser plugin or extension identifier
identifying_number - keyword, text.text
- programs.identifying_number - Product identification such as a serial number on software, or a die number on a hardware chip.
identity - keyword, text.text
- xprotect_entries.identity - XProtect identity (SHA1) of content
idle - keyword, number.long
- cpu_time.idle - Time spent in the idle task
idrops - keyword, number.long
- interface_details.idrops - Input drops
idx - keyword, number.long
- kernel_extensions.idx - Extension load tag or index
ierrors - keyword, number.long
- interface_details.ierrors - Input errors
image - keyword, text.text
- docker_containers.image - Docker image (name) used to launch this container
- drivers.image - Path to driver image file
image_id - keyword, text.text
- docker_containers.image_id - Docker image ID
images - keyword, number.long
- docker_info.images - Number of images
inactive - keyword, number.long
- memory_info.inactive - The total amount of buffer or page cache memory, in bytes, that are free and available
- shadow.inactive - Number of days after password expires until account is blocked
- virtual_memory_info.inactive - Total number of inactive pages.
inetd_compatibility - keyword, text.text
- launchd.inetd_compatibility - Run this daemon or agent as it was launched from inetd
inf - keyword, text.text
- drivers.inf - Associated inf file
info - keyword, text.text
- apparmor_events.info - Additional information
info_access - keyword, text.text
- curl_certificate.info_access - Authority Information Access
info_string - keyword, text.text
- apps.info_string - Info properties CFBundleGetInfoString label
inherited_from - keyword, text.text
- ntfs_acl_permissions.inherited_from - The inheritance policy of the ACE.
iniface - keyword, text.text
- iptables.iniface - Input interface for the rule.
iniface_mask - keyword, text.text
- iptables.iniface_mask - Input interface mask for the rule.
inode - keyword, number.long
- device_file.inode - Filesystem inode number
- device_hash.inode - Filesystem inode number
- file.inode - Filesystem inode number
- file_events.inode - Filesystem inode number
- process_memory_map.inode - Mapped path inode, 0 means uninitialized (BSS)
- process_open_pipes.inode - Pipe inode number
- quicklook_cache.inode - Parsed file ID (inode) from fs_id
inodes - keyword, number.long
- device_partitions.inodes - Number of meta nodes
- mounts.inodes - Mounted device used inodes
inodes_free - keyword, number.long
- mounts.inodes_free - Mounted device free inodes
inodes_total - keyword, number.long
- lxd_storage_pools.inodes_total - Total number of inodes available in this storage pool
inodes_used - keyword, number.long
- lxd_storage_pools.inodes_used - Number of inodes used
input_eax - keyword, text.text
- cpuid.input_eax - Value of EAX used
install_date - keyword
- os_version.install_date - The install date of the OS.
- patches.install_date - Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.
- programs.install_date - Date that this product was installed on the system.
- shared_resources.install_date - Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.
install_location - keyword, text.text
- programs.install_location - The installation location directory of the product.
install_source - keyword, text.text
- programs.install_source - The installation source of the product.
install_time - keyword
- appcompat_shims.install_time - Install time of the SDB
- chrome_extensions.install_time - Extension install time, in its original Webkit format
- package_receipts.install_time - Timestamp of install time
- rpm_packages.install_time - When the package was installed
install_timestamp - keyword, number.long
- chrome_extensions.install_timestamp - Extension install time, converted to unix time
installed_by - keyword, text.text
- patches.installed_by - The system context in which the patch as installed.
installed_on - keyword, text.text
- patches.installed_on - The date when the patch was installed.
installer_name - keyword, text.text
- package_receipts.installer_name - Name of installer process
instance_id - keyword, text.text
- ec2_instance_metadata.instance_id - EC2 instance ID
- ec2_instance_tags.instance_id - EC2 instance ID
- osquery_info.instance_id - Unique, long-lived ID per instance of osquery
- ycloud_instance_metadata.instance_id - Unique identifier for the VM
instance_identifier - keyword, text.text
- hvci_status.instance_identifier - The instance ID of Device Guard.
instance_type - keyword, text.text
- ec2_instance_metadata.instance_type - EC2 instance type
instances - keyword, number.long
- pipes.instances - Number of instances of the named pipe
interface - keyword, text.text
- arp_cache.interface - Interface of the network for the MAC
- interface_addresses.interface - Interface name
- interface_details.interface - Interface name
- interface_ipv6.interface - Interface name
- routes.interface - Route local interface
- wifi_status.interface - Name of the interface
- wifi_survey.interface - Name of the interface
interleave_data_depth - keyword, number.long
- memory_device_mapped_addresses.interleave_data_depth - The max number of consecutive rows from memory device that are accessed in a single interleave transfer; 0 indicates device is non-interleave
interleave_position - keyword, number.long
- memory_device_mapped_addresses.interleave_position - The position of the device in a interleave, i.e. 0 indicates non-interleave, 1 indicates 1st interleave, 2 indicates 2nd interleave, etc.
internal - keyword, number.long
- osquery_registry.internal - 1 If the plugin is internal else 0
internet_settings - keyword, text.text
- windows_security_center.internet_settings - The health of the Internet Settings
internet_sharing - keyword, number.long
- sharing_preferences.internet_sharing - 1 If internet sharing is enabled else 0
interval - keyword, number.long
- docker_container_stats.interval - Difference between read and preread in nano-seconds
- osquery_schedule.interval - The interval in seconds to run this query, not an exact interval
iowait - keyword, number.long
- cpu_time.iowait - Time spent waiting for I/O to complete
ip - keyword, text.text
- seccomp_events.ip - Instruction pointer value
ip_address - keyword, text.text
- docker_container_networks.ip_address - IP address
ip_prefix_len - keyword, number.long
- docker_container_networks.ip_prefix_len - IP subnet prefix length
ipackets - keyword, number.long
- interface_details.ipackets - Input packets
ipc_namespace - keyword, text.text
- docker_containers.ipc_namespace - IPC namespace
- process_namespaces.ipc_namespace - ipc namespace inode
ipv4_address - keyword, text.text
- lxd_networks.ipv4_address - IPv4 address
ipv4_forwarding - keyword, number.long
- docker_info.ipv4_forwarding - 1 if IPv4 forwarding is enabled. 0 otherwise
ipv4_internet - keyword, number.long
- connectivity.ipv4_internet - True if any interface is connected to the Internet via IPv4
ipv4_local_network - keyword, number.long
- connectivity.ipv4_local_network - True if any interface is connected to a routed network via IPv4
ipv4_no_traffic - keyword, number.long
- connectivity.ipv4_no_traffic - True if any interface is connected via IPv4, but has seen no traffic
ipv4_subnet - keyword, number.long
- connectivity.ipv4_subnet - True if any interface is connected to the local subnet via IPv4
ipv6_address - keyword, text.text
- docker_container_networks.ipv6_address - IPv6 address
- lxd_networks.ipv6_address - IPv6 address
ipv6_gateway - keyword, text.text
- docker_container_networks.ipv6_gateway - IPv6 gateway
ipv6_internet - keyword, number.long
- connectivity.ipv6_internet - True if any interface is connected to the Internet via IPv6
ipv6_local_network - keyword, number.long
- connectivity.ipv6_local_network - True if any interface is connected to a routed network via IPv6
ipv6_no_traffic - keyword, number.long
- connectivity.ipv6_no_traffic - True if any interface is connected via IPv6, but has seen no traffic
ipv6_prefix_len - keyword, number.long
- docker_container_networks.ipv6_prefix_len - IPv6 subnet prefix length
ipv6_subnet - keyword, number.long
- connectivity.ipv6_subnet - True if any interface is connected to the local subnet via IPv6
irq - keyword, number.long
- cpu_time.irq - Time spent servicing interrupts
is_active - keyword, number.long
- running_apps.is_active - (DEPRECATED)
is_hidden - keyword, number.long
- groups.is_hidden - IsHidden attribute set in OpenDirectory
- users.is_hidden - IsHidden attribute set in OpenDirectory
iso_8601 - keyword, text.text
- time.iso_8601 - Current time (ISO format) in UTC
issuer - keyword, text.text
- certificates.issuer - Certificate issuer distinguished name (deprecated, use issuer2)
issuer2 - keyword, text.text
- certificates.issuer2 - Certificate issuer distinguished name
issuer_alternative_names - keyword, text.text
- curl_certificate.issuer_alternative_names - Issuer Alternative Name
issuer_common_name - keyword, text.text
- curl_certificate.issuer_common_name - Issuer common name
issuer_name - keyword, text.text
- authenticode.issuer_name - The certificate issuer name
issuer_organization - keyword, text.text
- curl_certificate.issuer_organization - Issuer organization
issuer_organization_unit - keyword, text.text
- curl_certificate.issuer_organization_unit - Issuer organization unit
job_id - keyword, number.long
- systemd_units.job_id - Next queued job id
job_path - keyword, text.text
- systemd_units.job_path - The object path for the job
job_type - keyword, text.text
- systemd_units.job_type - Job type
json_cmdline - keyword, text.text
- bpf_process_events.json_cmdline - Command line arguments, in JSON format
keep_alive - keyword, text.text
- launchd.keep_alive - Should the process be restarted if killed
kernel_memory - keyword, number.long
- docker_info.kernel_memory - 1 if kernel memory limit support is enabled. 0 otherwise
kernel_version - keyword, text.text
- docker_info.kernel_version - Kernel version
- docker_version.kernel_version - Kernel version
- kernel_panics.kernel_version - Version of the system kernel
key - keyword, text.text
- authorized_keys.key - Key encoded as base64
- azure_instance_tags.key - The tag key
- chrome_extensions.key - The extension key, from the manifest file
- docker_container_envs.key - Environment variable name
- docker_container_labels.key - Label key
- docker_image_labels.key - Label key
- docker_network_labels.key - Label key
- docker_volume_labels.key - Label key
- ec2_instance_tags.key - Tag key
- extended_attributes.key - Name of the value generated from the extended attribute
- known_hosts.key - parsed authorized keys line
- launchd_overrides.key - Name of the override key
- lxd_instance_config.key - Configuration parameter name
- lxd_instance_devices.key - Device info param name
- mdls.key - Name of the metadata key
- plist.key - Preference top-level key
- power_sensors.key - The SMC key on macOS
- preferences.key - Preference top-level key
- process_envs.key - Environment variable name
- registry.key - Name of the key to search for
- selinux_settings.key - Key or class name.
- smc_keys.key - 4-character key
- temperature_sensors.key - The SMC key on macOS
key_algorithm - keyword, text.text
- certificates.key_algorithm - Key algorithm used
key_file - keyword, text.text
- authorized_keys.key_file - Path to the authorized_keys file
- known_hosts.key_file - Path to known_hosts file
key_strength - keyword, text.text
- certificates.key_strength - Key size used for RSA/DSA, or curve name
key_type - keyword, text.text
- user_ssh_keys.key_type - The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.
key_usage - keyword, text.text
- certificates.key_usage - Certificate key usage and extended key usage
- curl_certificate.key_usage - Usage of key in certificate
keychain_path - keyword, text.text
- keychain_acls.keychain_path - The path of the keychain
keyword - keyword, text.text
- portage_keywords.keyword - The keyword applied to the package
keywords - keyword, text.text
- windows_eventlog.keywords - A bitmask of the keywords defined in the event
- windows_events.keywords - A bitmask of the keywords defined in the event
kva_shadow_enabled - keyword, number.long
- kva_speculative_info.kva_shadow_enabled - Kernel Virtual Address shadowing is enabled.
kva_shadow_inv_pcid - keyword, number.long
- kva_speculative_info.kva_shadow_inv_pcid - Kernel VA INVPCID is enabled.
kva_shadow_pcid - keyword, number.long
- kva_speculative_info.kva_shadow_pcid - Kernel VA PCID flushing optimization is enabled.
kva_shadow_user_global - keyword, number.long
- kva_speculative_info.kva_shadow_user_global - User pages are marked as global.
label - keyword, text.text
- apparmor_events.label - AppArmor label
- augeas.label - The label of the configuration item
- authorization_mechanisms.label - Label of the authorization right
- authorizations.label - Item name, usually in reverse domain format
- block_devices.label - Block device label string
- device_partitions.label -
- keychain_acls.label - An optional label tag that may be included with the keychain entry
- keychain_items.label - Generic item name
- launchd.label - Daemon or agent service name
- launchd_overrides.label - Daemon or agent service name
- quicklook_cache.label - Parsed version gen field
- sandboxes.label - UTI-format bundle or label ID
language - keyword, text.text
- programs.language - The language of the product.
last_change - keyword, number.long
- interface_details.last_change - Time of last device modification (optional)
- shadow.last_change - Date of last password change (starting from UNIX epoch date)
last_connected - keyword, number.long
- wifi_networks.last_connected - Last time this network was connected to as a unix_time
last_executed - keyword, number.long
- osquery_schedule.last_executed - UNIX time stamp in seconds of the last completed execution
last_execution_time - keyword, number.long
- background_activities_moderator.last_execution_time - Most recent time application was executed.
- userassist.last_execution_time - Most recent time application was executed.
last_hit_date - keyword, number.long
- quicklook_cache.last_hit_date - Apple date format for last thumbnail cache hit
last_loaded - keyword, text.text
- kernel_panics.last_loaded - Last loaded module before panic
last_memory - keyword, number.long
- osquery_schedule.last_memory - Resident memory in bytes left allocated after collecting results of the latest execution
last_opened_time - keyword
- apps.last_opened_time - The time that the app was last used
- office_mru.last_opened_time - Most recent opened time file was opened
last_run_code - keyword, text.text
- scheduled_tasks.last_run_code - Exit status code of the last task run
last_run_message - keyword, text.text
- scheduled_tasks.last_run_message - Exit status message of the last task run
last_run_time - keyword, number.long
- prefetch.last_run_time - Most recent time application was run.
- scheduled_tasks.last_run_time - Timestamp the task last ran
last_system_time - keyword, number.long
- osquery_schedule.last_system_time - System time in milliseconds of the latest execution
last_unloaded - keyword, text.text
- kernel_panics.last_unloaded - Last unloaded module before panic
last_used_at - keyword, text.text
- lxd_images.last_used_at - ISO time for the most recent use of this image in terms of container spawn
last_user_time - keyword, number.long
- osquery_schedule.last_user_time - User time in milliseconds of the latest execution
last_wall_time_ms - keyword, number.long
- osquery_schedule.last_wall_time_ms - Wall time in milliseconds of the latest execution
launch_type - keyword, text.text
- xprotect_entries.launch_type - Launch services content type
layer_id - keyword, text.text
- docker_image_layers.layer_id - Layer ID
layer_order - keyword, number.long
- docker_image_layers.layer_order - Layer Order (1 = base layer)
level - keyword
- asl.level - Log level number. See levels in asl.h.
- unified_log.level - the severity level of the entry
- windows_eventlog.level - Severity level associated with the event
- windows_events.level - The severity level associated with the event
license - keyword, text.text
- atom_packages.license - License for package
- chocolatey_packages.license - License under which package is launched
- npm_packages.license - License under which package is launched
- python_packages.license - License under which package is launched
link_speed - keyword, number.long
- interface_details.link_speed - Interface speed in Mb/s
linked_against - keyword, text.text
- kernel_extensions.linked_against - Indexes of extensions this extension is linked against
load_state - keyword, text.text
- systemd_units.load_state - Reflects whether the unit definition was properly loaded
local_address - keyword, text.text
- bpf_socket_events.local_address - Local address associated with socket
- process_open_sockets.local_address - Socket local address
- socket_events.local_address - Local address associated with socket
local_addresses - keyword, text.text
- windows_firewall_rules.local_addresses - Local addresses for the rule
local_hostname - keyword, text.text
- ec2_instance_metadata.local_hostname - Private IPv4 DNS hostname of the first interface of this instance
- system_info.local_hostname - Local hostname (optional)
local_ipv4 - keyword, text.text
- ec2_instance_metadata.local_ipv4 - Private IPv4 address of the first interface of this instance
local_port - keyword, number.long
- bpf_socket_events.local_port - Local network protocol port number
- process_open_sockets.local_port - Socket local port
- socket_events.local_port - Local network protocol port number
local_ports - keyword, text.text
- windows_firewall_rules.local_ports - Local ports for the rule
local_timezone - keyword, text.text
- time.local_timezone - Current local timezone in of the system
location - keyword, text.text
- azure_instance_metadata.location - Azure Region the VM is running in
- firefox_addons.location - Global, profile location
- memory_arrays.location - Physical location of the memory array
- package_receipts.location - Optional relative install path on volume
lock - keyword, text.text
- chassis_info.lock - If TRUE, the frame is equipped with a lock.
lock_status - keyword, number.long
- bitlocker_info.lock_status - The accessibility status of the drive from Windows.
locked - keyword, number.long
- shared_memory.locked - 1 if segment is locked else 0
lockout_bad_count - keyword, number.long
- security_profile_info.lockout_bad_count - Number of failed logon attempts after which a user account MUST be locked out
log_file_disk_quota_mb - keyword, number.long
- carbon_black_info.log_file_disk_quota_mb - Event file disk quota in MB
log_file_disk_quota_percentage - keyword, number.long
- carbon_black_info.log_file_disk_quota_percentage - Event file disk quota in a percentage
logging_driver - keyword, text.text
- docker_info.logging_driver - Logging driver
logging_enabled - keyword, number.long
- alf.logging_enabled - 1 If logging mode is enabled else 0
logging_option - keyword, number.long
- alf.logging_option - Firewall logging option
logical_processors - keyword, number.long
- cpu_info.logical_processors - The number of logical processors of the CPU.
logon_domain - keyword, text.text
- logon_sessions.logon_domain - The name of the domain used to authenticate the owner of the logon session.
logon_id - keyword, number.long
- logon_sessions.logon_id - A locally unique identifier (LUID) that identifies a logon session.
logon_script - keyword, text.text
- logon_sessions.logon_script - The script used for logging on.
logon_server - keyword, text.text
- logon_sessions.logon_server - The name of the server used to authenticate the owner of the logon session.
logon_sid - keyword, text.text
- logon_sessions.logon_sid - The user’s security identifier (SID).
logon_time - keyword, number.long
- logon_sessions.logon_time - The time the session owner logged on.
logon_to_change_password - keyword, number.long
- security_profile_info.logon_to_change_password - Determines if logon session is required to change the password
logon_type - keyword, text.text
- logon_sessions.logon_type - The logon method.
lsa_anonymous_name_lookup - keyword, number.long
- security_profile_info.lsa_anonymous_name_lookup - Determines if an anonymous user is allowed to query the local LSA policy
mac - keyword, text.text
- arp_cache.mac - MAC address of broadcasted address
- ec2_instance_metadata.mac - MAC address for the first network interface of this EC2 instance
- interface_details.mac - MAC of interface (optional)
mac_address - keyword, text.text
- docker_container_networks.mac_address - MAC address
machine_name - keyword, text.text
- windows_crashes.machine_name - Name of the machine where the crash happened
magic_db_files - keyword, text.text
- magic.magic_db_files - Colon(:) separated list of files where the magic db file can be found. By default one of the following is used: /usr/share/file/magic/magic, /usr/share/misc/magic or /usr/share/misc/magic.mgc
maintainer - keyword, text.text
- apt_sources.maintainer - Repository maintainer
- deb_packages.maintainer - Package maintainer
major - keyword, number.long
- os_version.major - Major release version
major_version - keyword, number.long
- windows_crashes.major_version - Windows major version of the machine
managed - keyword, number.long
- lxd_networks.managed - 1 if network created by LXD, 0 otherwise
manifest_hash - keyword, text.text
- chrome_extensions.manifest_hash - The SHA256 hash of the manifest.json file
manifest_json - keyword, text.text
- chrome_extensions.manifest_json - The manifest file of the extension
manual - keyword, number.long
- managed_policies.manual - 1 if policy was loaded manually, otherwise 0
manufacture_date - keyword, number.long
- battery.manufacture_date - The date the battery was manufactured UNIX Epoch
manufacturer - keyword, text.text
- battery.manufacturer - The battery manufacturer’s name
- chassis_info.manufacturer - The manufacturer of the chassis.
- cpu_info.manufacturer - The manufacturer of the CPU.
- disk_info.manufacturer - The manufacturer of the disk.
- drivers.manufacturer - Device manufacturer
- interface_details.manufacturer - Name of the network adapter’s manufacturer.
- memory_devices.manufacturer - Manufacturer ID string
- video_info.manufacturer - The manufacturer of the gpu.
manufacturer_id - keyword, number.long
- tpm_info.manufacturer_id - TPM manufacturers ID
manufacturer_name - keyword, text.text
- tpm_info.manufacturer_name - TPM manufacturers name
manufacturer_version - keyword, text.text
- tpm_info.manufacturer_version - TPM version
mask - keyword, text.text
- interface_addresses.mask - Interface netmask
- portage_keywords.mask - If the package is masked
match - keyword, text.text
- chrome_extension_content_scripts.match - The pattern that the script is matched against
- iptables.match - Matching rule that applies.
matches - keyword, text.text
- yara.matches - List of YARA matches
- yara_events.matches - List of YARA matches
max - keyword, number.long
- fan_speed_sensors.max - Maximum speed
- shadow.max - Maximum number of days between password changes
max_capacity - keyword, number.long
- battery.max_capacity - The battery’s actual capacity when it is fully charged in mAh
- memory_arrays.max_capacity - Maximum capacity of array in gigabytes
max_clock_speed - keyword, number.long
- cpu_info.max_clock_speed - The maximum possible frequency of the CPU.
max_instances - keyword, number.long
- pipes.max_instances - The maximum number of instances creatable for this pipe
max_rows - keyword, number.long
- unified_log.max_rows - the max number of rows returned (defaults to 100)
max_speed - keyword, number.long
- memory_devices.max_speed - Max speed of memory device in megatransfers per second (MT/s)
max_voltage - keyword, number.long
- memory_devices.max_voltage - Maximum operating voltage of device in millivolts
maximum_allowed - keyword, number.long
- shared_resources.maximum_allowed - Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.
maximum_password_age - keyword, number.long
- security_profile_info.maximum_password_age - Determines the maximum number of days that a password can be used before the client requires the user to change it
md5 - keyword, text.text
- acpi_tables.md5 - MD5 hash of table content
- device_hash.md5 - MD5 hash of provided inode data
- file_events.md5 - The MD5 of the file after change
- hash.md5 - MD5 hash of provided filesystem data
- smbios_tables.md5 - MD5 hash of table entry
md_device_name - keyword, text.text
- md_drives.md_device_name - md device name
mdm_managed - keyword, number.long
- system_extensions.mdm_managed - 1 if managed by MDM system extension payload configuration, 0 otherwise
mechanism - keyword, text.text
- authorization_mechanisms.mechanism - Name of the mechanism that will be called
media_name - keyword, text.text
- disk_events.media_name - Disk event media name string
mem - keyword, number.double
- docker_container_processes.mem - Memory utilization as percentage
member_config_description - keyword, text.text
- lxd_cluster.member_config_description - Config description
member_config_entity - keyword, text.text
- lxd_cluster.member_config_entity - Type of configuration parameter for this node
member_config_key - keyword, text.text
- lxd_cluster.member_config_key - Config key
member_config_name - keyword, text.text
- lxd_cluster.member_config_name - Name of configuration parameter
member_config_value - keyword, text.text
- lxd_cluster.member_config_value - Config value
memory - keyword, number.long
- docker_info.memory - Total memory
memory_array_error_address - keyword, text.text
- memory_error_info.memory_array_error_address - 32 bit physical address of the error based on the addressing of the bus to which the memory array is connected
memory_array_handle - keyword, text.text
- memory_array_mapped_addresses.memory_array_handle - Handle of the memory array associated with this structure
memory_array_mapped_address_handle - keyword, text.text
- memory_device_mapped_addresses.memory_array_mapped_address_handle - Handle of the memory array mapped address to which this device range is mapped to
memory_available - keyword, number.long
- memory_info.memory_available - The amount of physical RAM, in bytes, available for starting new applications, without swapping
memory_device_handle - keyword, text.text
- memory_device_mapped_addresses.memory_device_handle - Handle of the memory device structure associated with this structure
memory_error_correction - keyword, text.text
- memory_arrays.memory_error_correction - Primary hardware error correction or detection method supported
memory_error_info_handle - keyword, text.text
- memory_arrays.memory_error_info_handle - Handle, or instance number, associated with any error that was detected for the array
memory_free - keyword, number.long
- memory_info.memory_free - The amount of physical RAM, in bytes, left unused by the system
memory_limit - keyword, number.long
- docker_container_stats.memory_limit - Memory limit
- docker_info.memory_limit - 1 if memory limit support is enabled. 0 otherwise
memory_max_usage - keyword, number.long
- docker_container_stats.memory_max_usage - Memory maximum usage
memory_total - keyword, number.long
- memory_info.memory_total - Total amount of physical RAM, in bytes
memory_type - keyword, text.text
- memory_devices.memory_type - Type of memory used
memory_type_details - keyword, text.text
- memory_devices.memory_type_details - Additional details for memory device
memory_usage - keyword, number.long
- docker_container_stats.memory_usage - Memory usage
message - keyword, text.text
- apparmor_events.message - Raw audit message
- asl.message - Message text.
- lxd_cluster_members.message - Message from the node (Online/Offline)
- selinux_events.message - Message
- syslog_events.message - The syslog message
- unified_log.message - composed message
- user_events.message - Message from the event
metadata_endpoint - keyword, text.text
- ycloud_instance_metadata.metadata_endpoint - Endpoint used to fetch VM metadata
method - keyword, text.text
- curl.method - The HTTP method for the request
metric - keyword, number.long
- interface_details.metric - Metric based on the speed of the interface
- routes.metric - Cost of route. Lowest is preferred
metric_name - keyword, text.text
- prometheus_metrics.metric_name - Name of collected Prometheus metric
metric_value - keyword, number.double
- prometheus_metrics.metric_value - Value of collected Prometheus metric
mft_entry - keyword, number.long
- shellbags.mft_entry - Directory master file table entry.
mft_sequence - keyword, number.long
- shellbags.mft_sequence - Directory master file table sequence.
mime_encoding - keyword, text.text
- magic.mime_encoding - MIME encoding data from libmagic
mime_type - keyword, text.text
- magic.mime_type - MIME type data from libmagic
min - keyword, number.long
- fan_speed_sensors.min - Minimum speed
- shadow.min - Minimal number of days between password changes
min_api_version - keyword, text.text
- docker_version.min_api_version - Minimum API version supported
min_version - keyword, text.text
- xprotect_meta.min_version - The minimum allowed plugin version.
min_voltage - keyword, number.long
- memory_devices.min_voltage - Minimum operating voltage of device in millivolts
minimum_password_age - keyword, number.long
- security_profile_info.minimum_password_age - Determines the minimum number of days that a password must be used before the user can change it
minimum_password_length - keyword, number.long
- security_profile_info.minimum_password_length - Determines the least number of characters that can make up a password for a user account
minimum_system_version - keyword, text.text
- apps.minimum_system_version - Minimum version of macOS required for the app to run
minor - keyword, number.long
- os_version.minor - Minor release version
minor_version - keyword, number.long
- windows_crashes.minor_version - Windows minor version of the machine
minute - keyword, text.text
- crontab.minute - The exact minute for the job
minutes - keyword, number.long
- time.minutes - Current minutes in UTC
- uptime.minutes - Minutes of uptime
minutes_to_full_charge - keyword, number.long
- battery.minutes_to_full_charge - The number of minutes until the battery is fully charged. This value is -1 if this time is still being calculated
minutes_until_empty - keyword, number.long
- battery.minutes_until_empty - The number of minutes until the battery is fully depleted. This value is -1 if this time is still being calculated
mirrorlist - keyword, text.text
- yum_sources.mirrorlist - Mirrorlist URL
mnt_namespace - keyword, text.text
- docker_containers.mnt_namespace - Mount namespace
- process_namespaces.mnt_namespace - mnt namespace inode
mode - keyword, text.text
- apparmor_profiles.mode - How the policy is applied.
- device_file.mode - Permission bits
- docker_container_mounts.mode - Mount options (rw, ro)
- file.mode - Permission bits
- file_events.mode - Permission bits
- package_bom.mode - Expected permissions
- process_events.mode - File mode permissions
- process_open_pipes.mode - Pipe open mode (r/w)
- rpm_package_files.mode - File permissions mode from info DB
- wifi_status.mode - The current operating mode for the Wi-Fi interface
model - keyword, text.text
- battery.model - The battery’s model number
- block_devices.model - Block device model string identifier
- chassis_info.model - The model of the chassis.
- cpu_info.model - The model of the CPU.
- hardware_events.model - Hardware device model
- pci_devices.model - PCI Device model
- usb_devices.model - USB Device model string
- video_info.model - The model of the gpu.
model_id - keyword, text.text
- hardware_events.model_id - Hex encoded Hardware model identifier
- pci_devices.model_id - Hex encoded PCI Device model identifier
- usb_devices.model_id - Hex encoded USB Device model identifier
modified - keyword, text.text
- authorizations.modified - Label top-level key
- keychain_items.modified - Date of last modification
modified_time - keyword, number.long
- package_bom.modified_time - Timestamp the file was installed
- shellbags.modified_time - Directory Modified time.
- shimcache.modified_time - File Modified time.
module - keyword, text.text
- windows_crashes.module - Path of the crashed module within the process
module_backtrace - keyword, text.text
- kernel_panics.module_backtrace - Modules appearing in the crashed module’s backtrace
module_path - keyword, text.text
- services.module_path - Path to ServiceDll
month - keyword, text.text
- crontab.month - The month of the year for the job
- time.month - Current month in UTC
mount_namespace_id - keyword, text.text
- deb_packages.mount_namespace_id - Mount namespace id
- file.mount_namespace_id - Mount namespace id
- hash.mount_namespace_id - Mount namespace id
- npm_packages.mount_namespace_id - Mount namespace id
- os_version.mount_namespace_id - Mount namespace id
- rpm_packages.mount_namespace_id - Mount namespace id
mount_point - keyword, text.text
- docker_volumes.mount_point - Mount point
mountable - keyword, number.long
- disk_events.mountable - 1 if mountable, 0 if not
mtime - keyword
- device_file.mtime - Last modification time
- file.mtime - Last modification time
- file_events.mtime - Last modification time
- gatekeeper_approved_apps.mtime - Last modification time
- process_events.mtime - File modification in UNIX time
- quicklook_cache.mtime - Parsed version date field
- registry.mtime - timestamp of the most recent registry write
mtu - keyword, number.long
- interface_details.mtu - Network MTU
- lxd_networks.mtu - MTU size
- routes.mtu - Maximum Transmission Unit for the route
name - keyword, text.text
- acpi_tables.name - ACPI table name
- ad_config.name - The macOS-specific configuration name
- apparmor_events.name - Process name
- apparmor_profiles.name - Policy name.
- apps.name - Name of the Name.app folder
- apt_sources.name - Repository name
- atom_packages.name - Package display name
- autoexec.name - Name of the program
- azure_instance_metadata.name - Name of the VM
- block_devices.name - Block device name
- browser_plugins.name - Plugin display name
- chocolatey_packages.name - Package display name
- chrome_extensions.name - Extension display name
- cups_destinations.name - Name of the printer
- deb_packages.name - Package name
- disk_encryption.name - Disk name
- disk_events.name - Disk event name
- disk_info.name - The label of the disk object.
- dns_cache.name - DNS record name
- docker_container_mounts.name - Optional mount name
- docker_container_networks.name - Network name
- docker_container_processes.name - The process path or shorthand argv[0]
- docker_container_stats.name - Container name
- docker_containers.name - Container name
- docker_info.name - Name of the docker host
- docker_networks.name - Network name
- docker_volume_labels.name - Volume name
- docker_volumes.name - Volume name
- etc_protocols.name - Protocol name
- etc_services.name - Service name
- fan_speed_sensors.name - Fan name
- firefox_addons.name - Addon display name
- homebrew_packages.name - Package name
- ie_extensions.name - Extension display name
- iokit_devicetree.name - Device node name
- iokit_registry.name - Default name of the node
- kernel_extensions.name - Extension label
- kernel_modules.name - Module name
- kernel_panics.name - Process name corresponding to crashed thread
- launchd.name - File name of plist (used by launchd)
- lxd_certificates.name - Name of the certificate
- lxd_instance_config.name - Instance name
- lxd_instance_devices.name - Instance name
- lxd_instances.name - Instance name
- lxd_networks.name - Name of the network
- lxd_storage_pools.name - Name of the storage pool
- managed_policies.name - Policy key name
- md_personalities.name - Name of personality supported by kernel
- memory_map.name - Region name
- npm_packages.name - Package display name
- ntdomains.name - The label by which the object is known.
- nvram.name - Variable name
- os_version.name - Distribution or product name
- osquery_events.name - Event publisher or subscriber name
- osquery_extensions.name - Extension’s name
- osquery_flags.name - Flag name
- osquery_packs.name - The given name for this query pack
- osquery_registry.name - Name of the plugin item
- osquery_schedule.name - The given name for this query
- package_install_history.name - Package display name
- physical_disk_performance.name - Name of the physical disk
- pipes.name - Name of the pipe
- power_sensors.name - Name of power source
- processes.name - The process path or shorthand argv[0]
- programs.name - Commonly used product name.
- python_packages.name - Package display name
- registry.name - Name of the registry value entry
- rpm_packages.name - RPM package name
- safari_extensions.name - Extension display name
- scheduled_tasks.name - Name of the scheduled task
- services.name - Service name
- shared_folders.name - The shared name of the folder as it appears to other users
- shared_resources.name - Alias given to a path set up as a share on a computer system running Windows.
- startup_items.name - Name of startup item
- system_controls.name - Full sysctl MIB name
- temperature_sensors.name - Name of temperature source
- windows_firewall_rules.name - Friendly name of the rule
- windows_optional_features.name - Name of the feature
- windows_security_products.name - Name of product
- wmi_bios_info.name - Name of the Bios setting
- wmi_cli_event_consumers.name - Unique name of a consumer.
- wmi_event_filters.name - Unique identifier of an event filter.
- wmi_script_event_consumers.name - Unique identifier for the event consumer.
- xprotect_entries.name - Description of XProtected malware
- xprotect_reports.name - Description of XProtected malware
- ycloud_instance_metadata.name - Name of the VM
- yum_sources.name - Repository name
name_constraints - keyword, text.text
- curl_certificate.name_constraints - Name Constraints
namespace - keyword, text.text
- apparmor_events.namespace - AppArmor namespace
native - keyword, number.long
- browser_plugins.native - Plugin requires native execution
net_namespace - keyword, text.text
- docker_containers.net_namespace - Network namespace
- listening_ports.net_namespace - The inode number of the network namespace
- process_namespaces.net_namespace - net namespace inode
- process_open_sockets.net_namespace - The inode number of the network namespace
netmask - keyword, text.text
- dns_resolvers.netmask - Address (sortlist) netmask length
- routes.netmask - Netmask length
network_id - keyword, text.text
- docker_container_networks.network_id - Network ID
network_name - keyword, text.text
- wifi_networks.network_name - Name of the network
- wifi_status.network_name - Name of the network
- wifi_survey.network_name - Name of the network
network_rx_bytes - keyword, number.long
- docker_container_stats.network_rx_bytes - Total network bytes read
network_tx_bytes - keyword, number.long
- docker_container_stats.network_tx_bytes - Total network bytes transmitted
new_administrator_name - keyword, text.text
- security_profile_info.new_administrator_name - Determines the name of the Administrator account on the local computer
new_guest_name - keyword, text.text
- security_profile_info.new_guest_name - Determines the name of the Guest account on the local computer
next_run_time - keyword, number.long
- scheduled_tasks.next_run_time - Timestamp the task is scheduled to run next
nice - keyword, number.long
- cpu_time.nice - Time spent in user mode with low priority (nice)
- docker_container_processes.nice - Process nice level (-20 to 20, default 0)
- processes.nice - Process nice level (-20 to 20, default 0)
no_proxy - keyword, text.text
- docker_info.no_proxy - Comma-separated list of domain extensions proxy should not be used for
node - keyword, text.text
- augeas.node - The node path of the configuration item
node_ref_number - keyword, text.text
- ntfs_journal_events.node_ref_number - The ordinal that associates a journal record with a filename
noise - keyword, number.long
- wifi_status.noise - The current noise measurement (dBm)
- wifi_survey.noise - The current noise measurement (dBm)
not_valid_after - keyword, text.text
- certificates.not_valid_after - Certificate expiration data
not_valid_before - keyword, text.text
- certificates.not_valid_before - Lower bound of valid date
nr_raid_disks - keyword, number.long
- md_devices.nr_raid_disks - Number of partitions or disk devices to comprise the array
ntime - keyword, text.text
- bpf_process_events.ntime - The nsecs uptime timestamp as obtained from BPF
- bpf_socket_events.ntime - The nsecs uptime timestamp as obtained from BPF
num_procs - keyword, number.long
- docker_container_stats.num_procs - Number of processors
number - keyword, number.long
- etc_protocols.number - Protocol number
- oem_strings.number - The string index of the structure
- smbios_tables.number - Table entry number
number_memory_devices - keyword, number.long
- memory_arrays.number_memory_devices - Number of memory devices on array
number_of_cores - keyword, text.text
- cpu_info.number_of_cores - The number of cores of the CPU.
object_name - keyword, text.text
- winbaseobj.object_name - Object Name
object_path - keyword, text.text
- systemd_units.object_path - The object path for this unit
object_type - keyword, text.text
- winbaseobj.object_type - Object Type
obytes - keyword, number.long
- interface_details.obytes - Output bytes
odrops - keyword, number.long
- interface_details.odrops - Output drops
oerrors - keyword, number.long
- interface_details.oerrors - Output errors
offer - keyword, text.text
- azure_instance_metadata.offer - Offer information for the VM image (Azure image gallery VMs only)
offset - keyword, number.long
- device_partitions.offset -
- process_memory_map.offset - Offset into mapped path
oid - keyword, text.text
- system_controls.oid - Control MIB
old_path - keyword, text.text
- ntfs_journal_events.old_path - Old path (renames only)
on_demand - keyword, text.text
- launchd.on_demand - Deprecated key, replaced by keep_alive
on_disk - keyword, number.long
- processes.on_disk - The process path exists yes=1, no=0, unknown=-1
online_cpus - keyword, number.long
- docker_container_stats.online_cpus - Online CPUs
oom_kill_disable - keyword, number.long
- docker_info.oom_kill_disable - 1 if Out-of-memory kill is disabled. 0 otherwise
opackets - keyword, number.long
- interface_details.opackets - Output packets
opaque_version - keyword, text.text
- gatekeeper.opaque_version - Version of Gatekeeper’s gkopaque.bundle
operation - keyword, text.text
- apparmor_events.operation - Permission requested by the process
- process_file_events.operation - Operation type
- windows_update_history.operation - Operation on an update
option - keyword, text.text
- ad_config.option - Canonical name of option
- ssh_configs.option - The option and value
option_name - keyword, text.text
- cups_destinations.option_name - Option name
option_value - keyword, text.text
- cups_destinations.option_value - Option value
optional - keyword, number.long
- xprotect_entries.optional - Match any of the identities/patterns for this XProtect name
optional_permissions - keyword, text.text
- chrome_extensions.optional_permissions - The permissions optionally required by the extensions
optional_permissions_json - keyword, text.text
- chrome_extensions.optional_permissions_json - The JSON-encoded permissions optionally required by the extensions
options - keyword, text.text
- authorized_keys.options - Optional list of login options
- dns_resolvers.options - Resolver options
- nfs_shares.options - Options string set on the export share
organization - keyword, text.text
- curl_certificate.organization - Organization issued to
organization_unit - keyword, text.text
- curl_certificate.organization_unit - Organization unit issued to
original_filename - keyword, text.text
- file.original_filename - (Executable files only) Original filename
original_parent - keyword, number.long
- es_process_events.original_parent - Original parent process ID in case of reparenting
original_program_name - keyword, text.text
- authenticode.original_program_name - The original program name that the publisher has signed
os - keyword, text.text
- docker_info.os - Operating system
- docker_version.os - Operating system
- lxd_images.os - OS on which image is based
- lxd_instances.os - The OS of this instance
os_type - keyword, text.text
- azure_instance_metadata.os_type - Linux or Windows
- docker_info.os_type - Operating system type
os_version - keyword, text.text
- kernel_panics.os_version - Version of the operating system
other - keyword, text.text
- md_devices.other - Other information associated with array from /proc/mdstat
other_run_times - keyword, text.text
- prefetch.other_run_times - Other execution times in prefetch file.
ouid - keyword, number.long
- apparmor_events.ouid - Object owner’s user ID
outiface - keyword, text.text
- iptables.outiface - Output interface for the rule.
outiface_mask - keyword, text.text
- iptables.outiface_mask - Output interface mask for the rule.
output_bit - keyword, number.long
- cpuid.output_bit - Bit in register value for feature value
output_register - keyword, text.text
- cpuid.output_register - Register used to for feature value
output_size - keyword, number.long
- osquery_schedule.output_size - Cumulative total number of bytes generated by the resultant rows of the query
overflows - keyword, text.text
- process_events.overflows - List of structures that overflowed
owned - keyword, number.long
- tpm_info.owned - TPM is owned
owner_gid - keyword, number.long
- process_events.owner_gid - File owner group ID
owner_uid - keyword, number.long
- process_events.owner_uid - File owner user ID
- shared_memory.owner_uid - User ID of owning process
owner_uuid - keyword, number.long
- osquery_registry.owner_uuid - Extension route UUID (0 for core)
package - keyword, text.text
- portage_keywords.package - Package name
- portage_packages.package - Package name
- portage_use.package - Package name
- rpm_package_files.package - RPM package name
package_filename - keyword, text.text
- package_receipts.package_filename - Filename of original .pkg file
package_group - keyword, text.text
- rpm_packages.package_group - Package group
package_id - keyword, text.text
- package_install_history.package_id - Label packageIdentifiers
- package_receipts.package_id - Package domain identifier
packets - keyword, number.long
- iptables.packets - Number of matching packets for this rule.
packets_received - keyword, number.long
- lxd_networks.packets_received - Number of packets received on this network
packets_sent - keyword, number.long
- lxd_networks.packets_sent - Number of packets sent on this network
page_ins - keyword, number.long
- virtual_memory_info.page_ins - The total number of requests for pages from a pager.
page_outs - keyword, number.long
- virtual_memory_info.page_outs - Total number of pages paged out.
parent - keyword
- apparmor_events.parent - Parent process PID
- block_devices.parent - Block device parent name
- bpf_process_events.parent - Parent process ID
- bpf_socket_events.parent - Parent process ID
- crashes.parent - Parent PID of the crashed process
- docker_container_processes.parent - Process parent’s PID
- es_process_events.parent - Parent process ID
- es_process_file_events.parent - Parent process ID
- iokit_devicetree.parent - Parent device registry ID
- iokit_registry.parent - Parent registry ID
- process_events.parent - Process parent’s PID, or -1 if cannot be determined.
- processes.parent - Process parent’s PID
parent_ref_number - keyword, text.text
- ntfs_journal_events.parent_ref_number - The ordinal that associates a journal record with a filename’s parent directory
part_number - keyword, text.text
- memory_devices.part_number - Manufacturer specific serial number of memory device
partial - keyword
- ntfs_journal_events.partial - Set to 1 if either path or old_path only contains the file or folder name
- process_file_events.partial - True if this is a partial event (i.e.: this process existed before we started osquery)
partition - keyword, text.text
- device_file.partition - A partition number
- device_hash.partition - A partition number
- device_partitions.partition - A partition number or description
partition_row_position - keyword, number.long
- memory_device_mapped_addresses.partition_row_position - Identifies the position of the referenced memory device in a row of the address partition
partition_width - keyword, number.long
- memory_array_mapped_addresses.partition_width - Number of memory devices that form a single row of memory for the address partition of this structure
partitions - keyword, number.long
- disk_info.partitions - Number of detected partitions on disk.
partner_fd - keyword, number.long
- process_open_pipes.partner_fd - File descriptor of shared pipe at partner’s end
partner_mode - keyword, text.text
- process_open_pipes.partner_mode - Mode of shared pipe at partner’s end
partner_pid - keyword, number.long
- process_open_pipes.partner_pid - Process ID of partner process sharing a particular pipe
passpoint - keyword, number.long
- wifi_networks.passpoint - 1 if Passpoint is supported, 0 otherwise
password_complexity - keyword, number.long
- security_profile_info.password_complexity - Determines whether passwords must meet a series of strong-password guidelines
password_history_size - keyword, number.long
- security_profile_info.password_history_size - Number of unique new passwords that must be associated with a user account before an old password can be reused
password_last_set_time - keyword, number.double
- account_policy_data.password_last_set_time - The time the password was last changed
password_status - keyword, text.text
- shadow.password_status - Password status
patch - keyword, number.long
- os_version.patch - Optional patch release
path - keyword, text.text
- alf_exceptions.path - Path to the executable that is excepted
- apparmor_profiles.path - Unique, aa-status compatible, policy identifier.
- appcompat_shims.path - This is the path to the SDB database.
- apps.path - Absolute and full Name.app path
- atom_packages.path - Package’s package.json path
- augeas.path - The path to the configuration file
- authenticode.path - Must provide a path or directory
- autoexec.path - Path to the executable
- background_activities_moderator.path - Application file path.
- bpf_process_events.path - Binary path
- bpf_socket_events.path - Path of executed file
- browser_plugins.path - Path to plugin bundle
- carves.path - The path of the requested carve
- certificates.path - Path to Keychain or PEM bundle
- chocolatey_packages.path - Path at which this package resides
- chrome_extension_content_scripts.path - Path to extension folder
- chrome_extensions.path - Path to extension folder
- crashes.path - Path to the crashed process
- crontab.path - File parsed
- device_file.path - A logical path within the device node
- disk_events.path - Path of the DMG file accessed
- docker_container_fs_changes.path - FIle or directory path relative to rootfs
- docker_containers.path - Container path
- es_process_events.path - Path of executed file
- es_process_file_events.path - Path of executed file
- extended_attributes.path - Absolute file path
- file.path - Absolute file path
- firefox_addons.path - Path to plugin bundle
- gatekeeper_approved_apps.path - Path of executable allowed to run
- hardware_events.path - Local device path assigned (optional)
- hash.path - Must provide a path or directory
- homebrew_packages.path - Package install path
- ie_extensions.path - Path to executable
- kernel_extensions.path - Optional path to extension bundle
- kernel_info.path - Kernel path
- kernel_panics.path - Location of log file
- keychain_acls.path - The path of the authorized application
- keychain_items.path - Path to keychain containing item
- launchd.path - Path to daemon or agent plist
- launchd_overrides.path - Path to daemon or agent plist
- listening_ports.path - Path for UNIX domain sockets
- magic.path - Absolute path to target file
- mdfind.path - Path of the file returned from spotlight
- mdls.path - Path of the file
- mounts.path - Mounted device path
- npm_packages.path - Path at which this module resides
- ntfs_acl_permissions.path - Path to the file or directory.
- ntfs_journal_events.path - Path
- office_mru.path - File path
- osquery_extensions.path - Path of the extension’s Thrift connection or library path
- package_bom.path - Path of package bom
- package_receipts.path - Path of receipt plist
- plist.path - (required) read preferences from a plist
- prefetch.path - Prefetch file path.
- process_events.path - Path of executed file
- process_file_events.path - The path associated with the event
- process_memory_map.path - Path to mapped file or mapped type
- process_open_files.path - Filesystem path of descriptor
- process_open_sockets.path - For UNIX sockets (family=AF_UNIX), the domain path
- processes.path - Path to executed binary
- python_packages.path - Path at which this module resides
- quicklook_cache.path - Path of file
- registry.path - Full path to the value
- rpm_package_files.path - File path within the package
- safari_extensions.path - Path to extension XAR bundle
- sandboxes.path - Path to sandbox container directory
- scheduled_tasks.path - Path to the executable to be run
- services.path - Path to Service Executable
- shared_folders.path - Absolute path of shared folder on the local system
- shared_resources.path - Local path of the Windows share.
- shellbags.path - Directory name.
- shimcache.path - This is the path to the executed file.
- signature.path - Must provide a path or directory
- socket_events.path - Path of executed file
- startup_items.path - Path of startup item
- suid_bin.path - Binary path
- system_extensions.path - Original path of system extension
- user_events.path - Supplied path from event
- user_ssh_keys.path - Path to key file
- userassist.path - Application file path.
- windows_crashes.path - Path of the executable file for the crashed process
- yara.path - The path scanned
pci_class - keyword, text.text
- pci_devices.pci_class - PCI Device class
pci_class_id - keyword, text.text
- pci_devices.pci_class_id - PCI Device class ID in hex format
pci_slot - keyword, text.text
- interface_details.pci_slot - PCI slot number
- pci_devices.pci_slot - PCI Device used slot
pci_subclass - keyword, text.text
- pci_devices.pci_subclass - PCI Device subclass
pci_subclass_id - keyword, text.text
- pci_devices.pci_subclass_id - PCI Device subclass in hex format
pem - keyword, text.text
- curl_certificate.pem - Certificate PEM format
percent_disk_read_time - keyword, number.long
- physical_disk_performance.percent_disk_read_time - Percentage of elapsed time that the selected disk drive is busy servicing read requests
percent_disk_time - keyword, number.long
- physical_disk_performance.percent_disk_time - Percentage of elapsed time that the selected disk drive is busy servicing read or write requests
percent_disk_write_time - keyword, number.long
- physical_disk_performance.percent_disk_write_time - Percentage of elapsed time that the selected disk drive is busy servicing write requests
percent_idle_time - keyword, number.long
- physical_disk_performance.percent_idle_time - Percentage of time during the sample interval that the disk was idle
percent_processor_time - keyword, number.long
- processes.percent_processor_time - Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks.
percent_remaining - keyword, number.long
- battery.percent_remaining - The percentage of battery remaining before it is drained
percentage_encrypted - keyword, number.long
- bitlocker_info.percentage_encrypted - The percentage of the drive that is encrypted.
perf_ctl - keyword, number.long
- msr.perf_ctl - Performance setting for the processor.
perf_status - keyword, number.long
- msr.perf_status - Performance status for the processor.
period - keyword, text.text
- load_average.period - Period over which the average is calculated.
permanent - keyword, text.text
- arp_cache.permanent - 1 for true, 0 for false
permissions - keyword, text.text
- chrome_extensions.permissions - The permissions required by the extension
- process_memory_map.permissions - r=read, w=write, x=execute, p=private (cow)
- shared_memory.permissions - Memory segment permissions
- suid_bin.permissions - Binary permissions
permissions_json - keyword, text.text
- chrome_extensions.permissions_json - The JSON-encoded permissions required by the extension
persistent - keyword, number.long
- chrome_extensions.persistent - 1 If extension is persistent across all tabs else 0
persistent_volume_id - keyword, text.text
- bitlocker_info.persistent_volume_id - Persistent ID of the drive.
personal_hotspot - keyword, number.long
- wifi_networks.personal_hotspot - 1 if this network is a personal hotspot, 0 otherwise
pgroup - keyword, number.long
- docker_container_processes.pgroup - Process group
- processes.pgroup - Process group
physical_adapter - keyword, number.long
- interface_details.physical_adapter - Indicates whether the adapter is a physical or a logical adapter.
physical_memory - keyword, number.long
- system_info.physical_memory - Total physical memory in bytes
physical_presence_version - keyword, text.text
- tpm_info.physical_presence_version - Version of the Physical Presence Interface
pid - keyword, number.long
- apparmor_events.pid - Process ID
- asl.pid - Sending process ID encoded as a string. Set automatically.
- bpf_process_events.pid - Process ID
- bpf_socket_events.pid - Process ID
- crashes.pid - Process (or thread) ID of the crashed process
- docker_container_processes.pid - Process ID
- docker_containers.pid - Identifier of the initial process
- es_process_events.pid - Process (or thread) ID
- es_process_file_events.pid - Process (or thread) ID
- last.pid - Process (or thread) ID
- listening_ports.pid - Process (or thread) ID
- logged_in_users.pid - Process (or thread) ID
- lxd_instances.pid - Instance’s process ID
- osquery_info.pid - Process (or thread/handle) ID
- pipes.pid - Process ID of the process to which the pipe belongs
- process_envs.pid - Process (or thread) ID
- process_events.pid - Process (or thread) ID
- process_file_events.pid - Process ID
- process_memory_map.pid - Process (or thread) ID
- process_namespaces.pid - Process (or thread) ID
- process_open_files.pid - Process (or thread) ID
- process_open_pipes.pid - Process ID
- process_open_sockets.pid - Process (or thread) ID
- processes.pid - Process (or thread) ID
- running_apps.pid - The pid of the application
- seccomp_events.pid - Process ID
- services.pid - the Process ID of the service
- shared_memory.pid - Process ID to last use the segment
- socket_events.pid - Process (or thread) ID
- unified_log.pid - the pid of the process that made the entry
- user_events.pid - Process (or thread) ID
- windows_crashes.pid - Process ID of the crashed process
- windows_eventlog.pid - Process ID which emitted the event record
pid_namespace - keyword, text.text
- docker_containers.pid_namespace - PID namespace
- process_namespaces.pid_namespace - pid namespace inode
pid_with_namespace - keyword, number.long
- apt_sources.pid_with_namespace - Pids that contain a namespace
- authorized_keys.pid_with_namespace - Pids that contain a namespace
- crontab.pid_with_namespace - Pids that contain a namespace
- deb_packages.pid_with_namespace - Pids that contain a namespace
- dns_resolvers.pid_with_namespace - Pids that contain a namespace
- etc_hosts.pid_with_namespace - Pids that contain a namespace
- file.pid_with_namespace - Pids that contain a namespace
- groups.pid_with_namespace - Pids that contain a namespace
- hash.pid_with_namespace - Pids that contain a namespace
- npm_packages.pid_with_namespace - Pids that contain a namespace
- os_version.pid_with_namespace - Pids that contain a namespace
- python_packages.pid_with_namespace - Pids that contain a namespace
- rpm_packages.pid_with_namespace - Pids that contain a namespace
- suid_bin.pid_with_namespace - Pids that contain a namespace
- user_ssh_keys.pid_with_namespace - Pids that contain a namespace
- users.pid_with_namespace - Pids that contain a namespace
- yum_sources.pid_with_namespace - Pids that contain a namespace
pids - keyword, number.long
- docker_container_stats.pids - Number of processes
placement_group_id - keyword, text.text
- azure_instance_metadata.placement_group_id - Placement group for the VM scale set
platform - keyword, text.text
- os_version.platform - OS Platform or ID
- osquery_packs.platform - Platforms this query is supported on
platform_binary - keyword, number.long
- es_process_events.platform_binary - Indicates if the binary is Apple signed binary (1) or not (0)
platform_fault_domain - keyword, text.text
- azure_instance_metadata.platform_fault_domain - Fault domain the VM is running in
platform_info - keyword, number.long
- msr.platform_info - Platform information.
platform_like - keyword, text.text
- os_version.platform_like - Closely related platforms
platform_mask - keyword, number.long
- osquery_info.platform_mask - The osquery platform bitmask
platform_update_domain - keyword, text.text
- azure_instance_metadata.platform_update_domain - Update domain the VM is running in
plugin - keyword, text.text
- authorization_mechanisms.plugin - Authorization plugin name
pnp_device_id - keyword, text.text
- disk_info.pnp_device_id - The unique identifier of the drive on the system.
point_to_point - keyword, text.text
- interface_addresses.point_to_point - PtP address for the interface
policies - keyword, text.text
- curl_certificate.policies - Certificate Policies
policy - keyword, text.text
- iptables.policy - Policy that applies for this rule.
policy_constraints - keyword, text.text
- curl_certificate.policy_constraints - Policy Constraints
policy_content - keyword, text.text
- password_policy.policy_content - Policy content
policy_description - keyword, text.text
- password_policy.policy_description - Policy description
policy_identifier - keyword, text.text
- password_policy.policy_identifier - Policy Identifier
policy_mappings - keyword, text.text
- curl_certificate.policy_mappings - Policy Mappings
port - keyword, number.long
- docker_container_ports.port - Port inside the container
- etc_services.port - Service port number
- listening_ports.port - Transport layer port
possibly_hidden - keyword, number.long
- wifi_networks.possibly_hidden - 1 if network is possibly a hidden network, 0 otherwise
ppid - keyword, number.long
- process_file_events.ppid - Parent process ID
pre_cpu_kernelmode_usage - keyword, number.long
- docker_container_stats.pre_cpu_kernelmode_usage - Last read CPU kernel mode usage
pre_cpu_total_usage - keyword, number.long
- docker_container_stats.pre_cpu_total_usage - Last read total CPU usage
pre_cpu_usermode_usage - keyword, number.long
- docker_container_stats.pre_cpu_usermode_usage - Last read CPU user mode usage
pre_online_cpus - keyword, number.long
- docker_container_stats.pre_online_cpus - Last read online CPUs
pre_system_cpu_usage - keyword, number.long
- docker_container_stats.pre_system_cpu_usage - Last read CPU system usage
prefix - keyword, text.text
- homebrew_packages.prefix - Homebrew install prefix
preread - keyword, number.long
- docker_container_stats.preread - UNIX time when stats were last read
principal - keyword, text.text
- ntfs_acl_permissions.principal - User or group to which the ACE applies.
printer_sharing - keyword, number.long
- sharing_preferences.printer_sharing - 1 If printer sharing is enabled else 0
priority - keyword, text.text
- deb_packages.priority - Package priority
privileged - keyword, text.text
- authorization_mechanisms.privileged - If privileged it will run as root, else as an anonymous user
- docker_containers.privileged - Is the container privileged
probe_error - keyword, number.long
- bpf_process_events.probe_error - Set to 1 if one or more buffers could not be captured
- bpf_socket_events.probe_error - Set to 1 if one or more buffers could not be captured
process - keyword, text.text
- alf_explicit_auths.process - Process name explicitly allowed
- unified_log.process - the name of the process that made the entry
process_being_tapped - keyword, number.long
- event_taps.process_being_tapped - The process ID of the target application
process_type - keyword, text.text
- launchd.process_type - Key describes the intended purpose of the job
process_uptime - keyword, number.long
- windows_crashes.process_uptime - Uptime of the process in seconds
processes - keyword, number.long
- lxd_instances.processes - Number of processes running inside this instance
processing_time - keyword, number.long
- cups_jobs.processing_time - How long the job took to process
processor_number - keyword, number.long
- msr.processor_number - The processor number as reported in /proc/cpuinfo
processor_type - keyword, text.text
- cpu_info.processor_type - The processor type, such as Central, Math, or Video.
product_name - keyword, text.text
- tpm_info.product_name - Product name of the TPM
product_version - keyword, text.text
- file.product_version - File product version
profile - keyword, text.text
- apparmor_events.profile - Apparmor profile name
- chrome_extensions.profile - The name of the Chrome profile that contains this extension
profile_domain - keyword, number.long
- windows_firewall_rules.profile_domain - 1 if the rule profile type is domain
profile_path - keyword, text.text
- chrome_extension_content_scripts.profile_path - The profile path
- chrome_extensions.profile_path - The profile path
- logon_sessions.profile_path - The home directory for the logon session.
profile_private - keyword, number.long
- windows_firewall_rules.profile_private - 1 if the rule profile type is private
profile_public - keyword, number.long
- windows_firewall_rules.profile_public - 1 if the rule profile type is public
program - keyword, text.text
- launchd.program - Path to target program
program_arguments - keyword, text.text
- launchd.program_arguments - Command line arguments passed to program
propagation - keyword, text.text
- docker_container_mounts.propagation - Mount propagation
protected - keyword, number.long
- app_schemes.protected - 1 if this handler is protected (reserved) by macOS, else 0
protection_disabled - keyword, number.long
- carbon_black_info.protection_disabled - If the sensor is configured to report tamper events
protection_status - keyword, number.long
- bitlocker_info.protection_status - The bitlocker protection status of the drive.
protection_type - keyword, text.text
- processes.protection_type - The protection type of the process
protocol - keyword
- bpf_socket_events.protocol - The network protocol ID
- etc_services.protocol - Transport protocol (TCP/UDP)
- iptables.protocol - Protocol number identification.
- listening_ports.protocol - Transport protocol (TCP/UDP)
- process_open_sockets.protocol - Transport protocol (TCP/UDP)
- socket_events.protocol - The network protocol ID
- usb_devices.protocol - USB Device protocol
- windows_firewall_rules.protocol - IP protocol of the rule
provider - keyword, text.text
- drivers.provider - Driver provider
provider_guid - keyword, text.text
- windows_eventlog.provider_guid - Provider guid of the event
- windows_events.provider_guid - Provider guid of the event
provider_name - keyword, text.text
- windows_eventlog.provider_name - Provider name of the event
- windows_events.provider_name - Provider name of the event
pseudo - keyword, number.long
- process_memory_map.pseudo - 1 If path is a pseudo path, else 0
public - keyword, number.long
- lxd_images.public - Whether image is public (1) or not (0)
publisher - keyword, text.text
- azure_instance_metadata.publisher - Publisher of the VM image
- osquery_events.publisher - Name of the associated publisher
- programs.publisher - Name of the product supplier.
purgeable - keyword, number.long
- virtual_memory_info.purgeable - Total number of purgeable pages.
purged - keyword, number.long
- virtual_memory_info.purged - Total number of purged pages.
query - keyword, text.text
- mdfind.query - The query that was run to find the file
- osquery_schedule.query - The exact query to run
- wmi_event_filters.query - Windows Management Instrumentation Query Language (WQL) event query that specifies the set of events for consumer notification, and the specific conditions for notification.
query_language - keyword, text.text
- wmi_event_filters.query_language - Query language that the query is written in.
queue_directories - keyword, text.text
- launchd.queue_directories - Similar to watch_paths but only with non-empty directories
raid_disks - keyword, number.long
- md_devices.raid_disks - Number of configured RAID disks in array
raid_level - keyword, number.long
- md_devices.raid_level - Current raid level of the array
rapl_energy_status - keyword, number.long
- msr.rapl_energy_status - Run Time Average Power Limiting energy status.
rapl_power_limit - keyword, number.long
- msr.rapl_power_limit - Run Time Average Power Limiting power limit.
rapl_power_units - keyword, number.long
- msr.rapl_power_units - Run Time Average Power Limiting power units.
reactivated - keyword, number.long
- virtual_memory_info.reactivated - Total number of reactivated pages.
read - keyword, number.long
- docker_container_stats.read - UNIX time when stats were read
readonly - keyword, number.long
- nfs_shares.readonly - 1 if the share is exported readonly else 0
readonly_rootfs - keyword, number.long
- docker_containers.readonly_rootfs - Is the root filesystem mounted as read only
record_timestamp - keyword, text.text
- ntfs_journal_events.record_timestamp - Journal record timestamp
record_usn - keyword, text.text
- ntfs_journal_events.record_usn - The update sequence number that identifies the journal record
recovery_finish - keyword, text.text
- md_devices.recovery_finish - Estimated duration of recovery activity
recovery_progress - keyword, text.text
- md_devices.recovery_progress - Progress of the recovery activity
recovery_speed - keyword, text.text
- md_devices.recovery_speed - Speed of recovery activity
redirect_accept - keyword, number.long
- interface_ipv6.redirect_accept - Accept ICMP redirect messages
ref_pid - keyword, number.long
- asl.ref_pid - Reference PID for messages proxied by launchd
ref_proc - keyword, text.text
- asl.ref_proc - Reference process for messages proxied by launchd
referenced - keyword, number.long
- chrome_extension_content_scripts.referenced - 1 if this extension is referenced by the Preferences file of the profile
- chrome_extensions.referenced - 1 if this extension is referenced by the Preferences file of the profile
referenced_identifier - keyword, text.text
- chrome_extensions.referenced_identifier - Extension identifier, as specified by the preferences file. Empty if the extension is not in the profile.
refreshes - keyword, number.long
- osquery_events.refreshes - Publisher only: number of runloop restarts
refs - keyword, number.long
- kernel_extensions.refs - Reference count
region - keyword, text.text
- ec2_instance_metadata.region - AWS region in which this instance launched
registers - keyword, text.text
- crashes.registers - The value of the system registers
- kernel_panics.registers - A space delimited line of register:value pairs
- windows_crashes.registers - The values of the system registers
registry - keyword, text.text
- osquery_registry.registry - Name of the osquery registry
registry_hive - keyword, text.text
- logged_in_users.registry_hive - HKEY_USERS registry hive
registry_path - keyword, text.text
- ie_extensions.registry_path - Extension identifier
relative_path - keyword, text.text
- wmi_cli_event_consumers.relative_path - Relative path to the class or instance.
- wmi_event_filters.relative_path - Relative path to the class or instance.
- wmi_filter_consumer_binding.relative_path - Relative path to the class or instance.
- wmi_script_event_consumers.relative_path - Relative path to the class or instance.
release - keyword, text.text
- apt_sources.release - Release name
- lxd_images.release - OS release version on which the image is based
- rpm_packages.release - Package release
remediation_path - keyword, text.text
- windows_security_products.remediation_path - Remediation path
remote_address - keyword, text.text
- bpf_socket_events.remote_address - Remote address associated with socket
- process_open_sockets.remote_address - Socket remote address
- socket_events.remote_address - Remote address associated with socket
remote_addresses - keyword, text.text
- windows_firewall_rules.remote_addresses - Remote addresses for the rule
remote_apple_events - keyword, number.long
- sharing_preferences.remote_apple_events - 1 If remote apple events are enabled else 0
remote_login - keyword, number.long
- sharing_preferences.remote_login - 1 If remote login is enabled else 0
remote_management - keyword, number.long
- sharing_preferences.remote_management - 1 If remote management is enabled else 0
remote_port - keyword, number.long
- bpf_socket_events.remote_port - Remote network protocol port number
- process_open_sockets.remote_port - Socket remote port
- socket_events.remote_port - Remote network protocol port number
remote_ports - keyword, text.text
- windows_firewall_rules.remote_ports - Remote ports for the rule
removable - keyword, number.long
- usb_devices.removable - 1 If USB device is removable else 0
repository - keyword, text.text
- portage_packages.repository - From which repository the ebuild was used
request_id - keyword, text.text
- carves.request_id - Identifying value of the carve request (e.g., scheduled query name, distributed request, etc)
requested_mask - keyword, text.text
- apparmor_events.requested_mask - Requested access mask
requirement - keyword, text.text
- gatekeeper_approved_apps.requirement - Code signing requirement language
reservation_id - keyword, text.text
- ec2_instance_metadata.reservation_id - ID of the reservation
reshape_finish - keyword, text.text
- md_devices.reshape_finish - Estimated duration of reshape activity
reshape_progress - keyword, text.text
- md_devices.reshape_progress - Progress of the reshape activity
reshape_speed - keyword, text.text
- md_devices.reshape_speed - Speed of reshape activity
resident_size - keyword, number.long
- docker_container_processes.resident_size - Bytes of private memory used by process
- processes.resident_size - Bytes of private memory used by process
resource_group_name - keyword, text.text
- azure_instance_metadata.resource_group_name - Resource group for the VM
response_code - keyword, number.long
- curl.response_code - The HTTP status code for the response
responsible - keyword, text.text
- crashes.responsible - Process responsible for the crashed process
result - keyword, text.text
- authenticode.result - The signature check result
- curl.result - The HTTP response body
result_code - keyword, text.text
- windows_update_history.result_code - Result of an operation on an update
resync_finish - keyword, text.text
- md_devices.resync_finish - Estimated duration of resync activity
resync_progress - keyword, text.text
- md_devices.resync_progress - Progress of the resync activity
resync_speed - keyword, text.text
- md_devices.resync_speed - Speed of resync activity
retain_count - keyword, number.long
- iokit_devicetree.retain_count - The device reference count
- iokit_registry.retain_count - The node reference count
revision - keyword, text.text
- deb_packages.revision - Package revision
- hardware_events.revision - Device revision (optional)
- platform_info.revision - BIOS major and minor revision
roaming - keyword, number.long
- wifi_networks.roaming - 1 if roaming is supported, 0 otherwise
roaming_profile - keyword, text.text
- wifi_networks.roaming_profile - Describe the roaming profile, usually one of Single, Dual or Multi
root - keyword, text.text
- processes.root - Process virtual root directory
root_dir - keyword, text.text
- docker_info.root_dir - Docker root directory
root_directory - keyword, text.text
- launchd.root_directory - Key used to specify a directory to chroot to before launch
root_volume_uuid - keyword, text.text
- time_machine_destinations.root_volume_uuid - Root UUID of backup volume
round_trip_time - keyword, number.long
- curl.round_trip_time - Time taken to complete the request
rowid - keyword, number.long
- quicklook_cache.rowid - Quicklook file rowid key
rssi - keyword, number.long
- wifi_status.rssi - The current received signal strength indication (dbm)
- wifi_survey.rssi - The current received signal strength indication (dbm)
rtadv_accept - keyword, number.long
- interface_ipv6.rtadv_accept - Accept ICMP Router Advertisement
rule_details - keyword, text.text
- sudoers.rule_details - Rule definition
run_at_load - keyword, text.text
- launchd.run_at_load - Should the program run on launch load
run_count - keyword, number.long
- prefetch.run_count - Number of times the application has been run.
rw - keyword, number.long
- docker_container_mounts.rw - 1 if read/write. 0 otherwise
scheme - keyword, text.text
- app_schemes.scheme - Name of the scheme/protocol
scope - keyword, text.text
- selinux_settings.scope - Where the key is located inside the SELinuxFS mount point.
screen_sharing - keyword, number.long
- sharing_preferences.screen_sharing - 1 If screen sharing is enabled else 0
script - keyword, text.text
- chrome_extension_content_scripts.script - The content script used by the extension
script_block_count - keyword, number.long
- powershell_events.script_block_count - The total number of script blocks for this script
script_block_id - keyword, text.text
- powershell_events.script_block_id - The unique GUID of the powershell script to which this block belongs
script_file_name - keyword, text.text
- wmi_script_event_consumers.script_file_name - Name of the file from which the script text is read, intended as an alternative to specifying the text of the script in the ScriptText property.
script_name - keyword, text.text
- powershell_events.script_name - The name of the Powershell script
script_path - keyword, text.text
- powershell_events.script_path - The path for the Powershell script
script_text - keyword, text.text
- powershell_events.script_text - The text content of the Powershell script
- wmi_script_event_consumers.script_text - Text of the script that is expressed in a language known to the scripting engine. This property must be NULL if the ScriptFileName property is not NULL.
scripting_engine - keyword, text.text
- wmi_script_event_consumers.scripting_engine - Name of the scripting engine to use, for example, VBScript. This property cannot be NULL.
sdb_id - keyword, text.text
- appcompat_shims.sdb_id - Unique GUID of the SDB.
sdk - keyword, text.text
- browser_plugins.sdk - Build SDK used to compile plugin
- safari_extensions.sdk - Bundle SDK used to compile extension
sdk_version - keyword, text.text
- osquery_extensions.sdk_version - osquery SDK version used to build the extension
seconds - keyword, number.long
- time.seconds - Current seconds in UTC
- uptime.seconds - Seconds of uptime
section - keyword, text.text
- deb_packages.section - Package section
secure_boot - keyword, number.long
- secureboot.secure_boot - Whether secure boot is enabled
secure_process - keyword, number.long
- processes.secure_process - Process is secure (IUM) yes=1, no=0
security_breach - keyword, text.text
- chassis_info.security_breach - The physical status of the chassis such as Breach Successful, Breach Attempted, etc.
security_groups - keyword, text.text
- ec2_instance_metadata.security_groups - Comma separated list of security group names
security_options - keyword, text.text
- docker_containers.security_options - List of container security options
security_type - keyword, text.text
- wifi_networks.security_type - Type of security on this network
- wifi_status.security_type - Type of security on this network
self_signed - keyword, number.long
- certificates.self_signed - 1 if self-signed, else 0
sender - keyword, text.text
- asl.sender - Sender’s identification string. Default is process name.
- unified_log.sender - the name of the binary image that made the entry
sensor_backend_server - keyword, text.text
- carbon_black_info.sensor_backend_server - Carbon Black server
sensor_id - keyword, number.long
- carbon_black_info.sensor_id - Sensor ID of the Carbon Black sensor
sensor_ip_addr - keyword, text.text
- carbon_black_info.sensor_ip_addr - IP address of the sensor
seq_num - keyword, number.long
- es_process_events.seq_num - Per event sequence number
- es_process_file_events.seq_num - Per event sequence number
serial - keyword, text.text
- certificates.serial - Certificate serial number
- chassis_info.serial - The serial number of the chassis.
- disk_info.serial - The serial number of the disk.
- hardware_events.serial - Device serial (optional)
- usb_devices.serial - USB Device serial connection
serial_number - keyword, text.text
- authenticode.serial_number - The certificate serial number
- battery.serial_number - The battery’s unique serial number
- curl_certificate.serial_number - Certificate serial number
- memory_devices.serial_number - Serial number of memory device
serial_port_enabled - keyword, text.text
- ycloud_instance_metadata.serial_port_enabled - Indicates if serial port is enabled for the VM
series - keyword, text.text
- video_info.series - The series of the gpu.
server_name - keyword, text.text
- lxd_cluster.server_name - Name of the LXD server node
- lxd_cluster_members.server_name - Name of the LXD server node
server_selection - keyword, text.text
- windows_update_history.server_selection - Value that indicates which server provided an update
server_version - keyword, text.text
- docker_info.server_version - Server version
service - keyword, text.text
- drivers.service - Driver service name, if one exists
- interface_details.service - The name of the service the network adapter uses.
- iokit_devicetree.service - 1 if the device conforms to IOService else 0
service_exit_code - keyword, number.long
- services.service_exit_code - The service-specific error code that the service returns when an error occurs while the service is starting or stopping
service_id - keyword, text.text
- windows_update_history.service_id - Service identifier of an update service that is not a Windows update
service_key - keyword, text.text
- drivers.service_key - Driver service registry key
service_name - keyword, text.text
- windows_firewall_rules.service_name - Service name property of the application
service_type - keyword, text.text
- services.service_type - Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)
ses - keyword, number.long
- seccomp_events.ses - Session ID of the session from which the analyzed process was invoked
session_id - keyword, number.long
- logon_sessions.session_id - The Terminal Services session identifier.
- winbaseobj.session_id - Terminal Services Session Id
session_owner - keyword, text.text
- authorizations.session_owner - Label top-level key
set - keyword, number.long
- memory_devices.set - Identifies if memory device is one of a set of devices. A value of 0 indicates no set affiliation.
setup_mode - keyword, number.long
- secureboot.setup_mode - Whether setup mode is enabled
severity - keyword, number.long
- syslog_events.severity - Syslog severity
sgid - keyword
- docker_container_processes.sgid - Saved group ID
- process_events.sgid - Saved group ID at process start
- process_file_events.sgid - Saved group ID of the process using the file
- processes.sgid - Unsigned saved group ID
sha1 - keyword, text.text
- apparmor_profiles.sha1 - A unique hash that identifies this policy.
- certificates.sha1 - SHA1 hash of the raw certificate contents
- device_hash.sha1 - SHA1 hash of provided inode data
- file_events.sha1 - The SHA1 of the file after change
- hash.sha1 - SHA1 hash of provided filesystem data
- rpm_packages.sha1 - SHA1 hash of the package contents
sha1_fingerprint - keyword, text.text
- curl_certificate.sha1_fingerprint - SHA1 fingerprint
sha256 - keyword, text.text
- carves.sha256 - A SHA256 sum of the carved archive
- device_hash.sha256 - SHA256 hash of provided inode data
- file_events.sha256 - The SHA256 of the file after change
- hash.sha256 - SHA256 hash of provided filesystem data
- rpm_package_files.sha256 - SHA256 file digest from RPM info DB
sha256_fingerprint - keyword, text.text
- curl_certificate.sha256_fingerprint - SHA-256 fingerprint
shard - keyword, number.long
- osquery_packs.shard - Shard restriction limit, 1-100, 0 meaning no restriction
share - keyword, text.text
- nfs_shares.share - Filesystem path to the share
shared - keyword, text.text
- authorizations.shared - Label top-level key
shell - keyword, text.text
- users.shell - User’s configured default shell
shell_only - keyword, number.long
- osquery_flags.shell_only - Is the flag shell only?
shmid - keyword, number.long
- shared_memory.shmid - Shared memory segment ID
sid - keyword, text.text
- background_activities_moderator.sid - User SID.
- certificates.sid - SID
- logged_in_users.sid - The user’s unique security identifier
- office_mru.sid - User SID
- shellbags.sid - User SID
- userassist.sid - User SID.
sig - keyword, number.long
- seccomp_events.sig - Signal value sent to process by seccomp
sig_group - keyword, text.text
- yara.sig_group - Signature group used
sigfile - keyword, text.text
- yara.sigfile - Signature file used
signature - keyword, text.text
- curl_certificate.signature - Signature
signature_algorithm - keyword, text.text
- curl_certificate.signature_algorithm - Signature Algorithm
signatures_up_to_date - keyword, number.long
- windows_security_products.signatures_up_to_date - 1 if product signatures are up to date, else 0
signed - keyword, number.long
- drivers.signed - Whether the driver is signed or not
- signature.signed - 1 If the file is signed else 0
signing_algorithm - keyword, text.text
- certificates.signing_algorithm - Signing algorithm used
signing_id - keyword, text.text
- es_process_events.signing_id - Signature identifier of the process
sigrule - keyword, text.text
- yara.sigrule - Signature strings used
sigurl - keyword, text.text
- yara.sigurl - Signature url
size - keyword
- acpi_tables.size - Size of compiled table data
- block_devices.size - Block device size in blocks
- carves.size - Size of the carved archive
- cups_jobs.size - The size of the print job
- deb_packages.size - Package size in bytes
- device_file.size - Size of file in bytes
- disk_events.size - Size of partition in bytes
- docker_image_history.size - Size of instruction in bytes
- file.size - Size of file in bytes
- file_events.size - Size of file in bytes
- kernel_extensions.size - Bytes of wired memory used by extension
- kernel_modules.size - Size of module content
- logical_drives.size - The total amount of space, in bytes, of the drive (-1 on failure).
- lxd_images.size - Size of image in bytes
- lxd_storage_pools.size - Size of the storage pool
- md_devices.size - size of the array in blocks
- memory_devices.size - Size of memory device in Megabyte
- package_bom.size - Expected file size
- platform_info.size - Size in bytes of firmware
- portage_packages.size - The size of the package
- prefetch.size - Application file size.
- quicklook_cache.size - Parsed version size field
- rpm_package_files.size - Expected file size in bytes from RPM info DB
- rpm_packages.size - Package size in bytes
- shared_memory.size - Size in bytes
- smbios_tables.size - Table entry size in bytes
- smc_keys.size - Reported size of data in bytes
size_bytes - keyword, number.long
- docker_images.size_bytes - Size of image in bytes
sku - keyword, text.text
- azure_instance_metadata.sku - SKU for the VM image
- chassis_info.sku - The Stock Keeping Unit number if available.
slot - keyword
- md_drives.slot - Slot position of disk
- portage_packages.slot - The slot used by package
smbios_tag - keyword, text.text
- chassis_info.smbios_tag - The assigned asset tag number of the chassis.
socket - keyword
- listening_ports.socket - Socket handle or inode number
- process_open_sockets.socket - Socket handle or inode number
- socket_events.socket - The local path (UNIX domain socket only)
socket_designation - keyword, text.text
- cpu_info.socket_designation - The assigned socket on the board for the given CPU.
soft_limit - keyword, text.text
- ulimit_info.soft_limit - Current limit value
softirq - keyword, number.long
- cpu_time.softirq - Time spent servicing softirqs
source - keyword, text.text
- apt_sources.source - Source file
- autoexec.source - Source table of the autoexec item
- deb_packages.source - Package source
- docker_container_mounts.source - Source path on host
- lxd_storage_pools.source - Storage pool source
- package_install_history.source - Install source: usually the installer process name
- routes.source - Route source
- rpm_packages.source - Source RPM package name (optional)
- shellbags.source - Shellbags source Registry file
- startup_items.source - Directory or plist containing startup item
- sudoers.source - Source file containing the given rule
- windows_events.source - Source or channel of the event
source_path - keyword, text.text
- systemd_units.source_path - Path to the (possibly generated) unit configuration file
source_url - keyword, text.text
- firefox_addons.source_url - URL that installed the addon
space_total - keyword, number.long
- lxd_storage_pools.space_total - Total available storage space in bytes for this storage pool
space_used - keyword, number.long
- lxd_storage_pools.space_used - Storage space used in bytes
spare_disks - keyword, number.long
- md_devices.spare_disks - Number of idle disks in array
spec_version - keyword, text.text
- tpm_info.spec_version - Trusted Computing Group specification that the TPM supports
speculative - keyword, number.long
- virtual_memory_info.speculative - Total number of speculative pages.
speed - keyword, number.long
- interface_details.speed - Estimate of the current bandwidth in bits per second.
src_ip - keyword, text.text
- iptables.src_ip - Source IP address.
src_mask - keyword, text.text
- iptables.src_mask - Source IP address mask.
src_port - keyword, text.text
- iptables.src_port - Protocol source port(s).
ssh_config_file - keyword, text.text
- ssh_configs.ssh_config_file - Path to the ssh_config file
ssh_public_key - keyword, text.text
- ec2_instance_metadata.ssh_public_key - SSH public key. Only available if supplied at instance launch time
- ycloud_instance_metadata.ssh_public_key - SSH public key. Only available if supplied at instance launch time
ssid - keyword, text.text
- wifi_networks.ssid - SSID octets of the network
- wifi_status.ssid - SSID octets of the network
- wifi_survey.ssid - SSID octets of the network
stack_trace - keyword, text.text
- crashes.stack_trace - Most recent frame from the stack trace
- windows_crashes.stack_trace - Multiple stack frames from the stack trace
start - keyword, text.text
- memory_map.start - Start address of memory region
- process_memory_map.start - Virtual start address (hex)
start_interval - keyword, text.text
- launchd.start_interval - Frequency to run in seconds
start_on_mount - keyword, text.text
- launchd.start_on_mount - Run daemon or agent every time a filesystem is mounted
start_time - keyword, number.long
- docker_container_processes.start_time - Process start in seconds since boot (non-sleeping)
- osquery_info.start_time - UNIX time in seconds when the process started
- processes.start_time - Process start time in seconds since Epoch, in case of error -1
start_type - keyword, text.text
- services.start_type - Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED
started_at - keyword, text.text
- docker_containers.started_at - Container start time as string
starting_address - keyword, text.text
- memory_array_mapped_addresses.starting_address - Physical stating address, in kilobytes, of a range of memory mapped to physical memory array
- memory_device_mapped_addresses.starting_address - Physical stating address, in kilobytes, of a range of memory mapped to physical memory array
state - keyword
- alf_exceptions.state - Firewall exception state
- battery.state - One of the following: "AC Power" indicates the battery is connected to an external power source, "Battery Power" indicates that the battery is drawing internal power, "Off Line" indicates the battery is off-line or no longer connected
- chrome_extensions.state - 1 if this extension is enabled
- docker_container_processes.state - Process state
- docker_containers.state - Container state (created, restarting, running, removing, paused, exited, dead)
- lxd_networks.state - Network status
- md_drives.state - State of the drive
- process_open_sockets.state - TCP socket state
- processes.state - Process state
- scheduled_tasks.state - State of the scheduled task
- system_extensions.state - System extension state
- windows_optional_features.state - Installation state value. 1 == Enabled, 2 == Disabled, 3 == Absent
- windows_security_products.state - State of protection
state_timestamp - keyword, text.text
- windows_security_products.state_timestamp - Timestamp for the product state
stateful - keyword, number.long
- lxd_instances.stateful - Whether the instance is stateful(1) or not(0)
statename - keyword, text.text
- windows_optional_features.statename - Installation state name. Enabled,Disabled,Absent
status - keyword, text.text
- carves.status - Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED
- chassis_info.status - If available, gives various operational or nonoperational statuses such as OK, Degraded, and Pred Fail.
- deb_packages.status - Package status
- docker_containers.status - Container status information
- kernel_modules.status - Kernel module status
- lxd_cluster_members.status - Status of the node (Online/Offline)
- lxd_instances.status - Instance state (running, stopped, etc.)
- md_devices.status - Current state of the array
- ntdomains.status - The current status of the domain object.
- process_events.status - OpenBSM Attribute: Status of the process
- services.status - Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED
- shared_memory.status - Destination/attach status
- shared_resources.status - String that indicates the current status of the object.
- socket_events.status - Either succeeded, failed, in_progress (connect() on non-blocking socket) or no_client (null accept() on non-blocking socket)
- startup_items.status - Startup status; either enabled or disabled
stderr_path - keyword, text.text
- launchd.stderr_path - Pipe stderr to a target path
stdout_path - keyword, text.text
- launchd.stdout_path - Pipe stdout to a target path
steal - keyword, number.long
- cpu_time.steal - Time spent in other operating systems when running in a virtualized environment
stealth_enabled - keyword, number.long
- alf.stealth_enabled - 1 If stealth mode is enabled else 0
stibp_support_enabled - keyword, number.long
- kva_speculative_info.stibp_support_enabled - Windows uses STIBP.
storage - keyword, number.long
- unified_log.storage - the storage category for the entry
storage_driver - keyword, text.text
- docker_info.storage_driver - Storage driver
store - keyword, text.text
- certificates.store - Certificate system store
store_id - keyword, text.text
- certificates.store_id - Exists for service/user stores. Contains raw store id provided by WinAPI.
store_location - keyword, text.text
- certificates.store_location - Certificate system store location
strings - keyword, text.text
- yara.strings - Matching strings
- yara_events.strings - Matching strings
sub_state - keyword, text.text
- systemd_units.sub_state - The low-level unit activation state, values depend on unit type
subclass - keyword, text.text
- usb_devices.subclass - USB Device subclass
subject - keyword, text.text
- certificates.subject - Certificate distinguished name (deprecated, use subject2)
subject2 - keyword, text.text
- certificates.subject2 - Certificate distinguished name
subject_alternative_names - keyword, text.text
- curl_certificate.subject_alternative_names - Subject Alternative Name
subject_info_access - keyword, text.text
- curl_certificate.subject_info_access - Subject Information Access
subject_key_id - keyword, text.text
- certificates.subject_key_id - SKID an optionally included SHA1
subject_key_identifier - keyword, text.text
- curl_certificate.subject_key_identifier - Subject Key Identifier
subject_name - keyword, text.text
- authenticode.subject_name - The certificate subject name
subkey - keyword, text.text
- plist.subkey - Intermediate key path, includes lists/dicts
- preferences.subkey - Intemediate key path, includes lists/dicts
subnet - keyword, text.text
- docker_networks.subnet - Network subnet
subscription_id - keyword, text.text
- azure_instance_metadata.subscription_id - Azure subscription for the VM
subscriptions - keyword, number.long
- osquery_events.subscriptions - Number of subscriptions the publisher received or subscriber used
subsystem - keyword, text.text
- system_controls.subsystem - Subsystem ID, control type
- unified_log.subsystem - the subsystem of the os_log_t used
subsystem_model - keyword, text.text
- pci_devices.subsystem_model - Device description of PCI device subsystem
subsystem_model_id - keyword, text.text
- pci_devices.subsystem_model_id - Model ID of PCI device subsystem
subsystem_vendor - keyword, text.text
- pci_devices.subsystem_vendor - Vendor of PCI device subsystem
subsystem_vendor_id - keyword, text.text
- pci_devices.subsystem_vendor_id - Vendor ID of PCI device subsystem
success - keyword, number.long
- socket_events.success - Deprecated. Use the status column instead
suid - keyword
- docker_container_processes.suid - Saved user ID
- process_events.suid - Saved user ID at process start
- process_file_events.suid - Saved user ID of the process using the file
- processes.suid - Unsigned saved user ID
summary - keyword, text.text
- chocolatey_packages.summary - Package-supplied summary
- python_packages.summary - Package-supplied summary
superblock_state - keyword, text.text
- md_devices.superblock_state - State of the superblock
superblock_update_time - keyword, number.long
- md_devices.superblock_update_time - Unix timestamp of last update
superblock_version - keyword, text.text
- md_devices.superblock_version - Version of the superblock
support_url - keyword, text.text
- windows_update_history.support_url - Hyperlink to the language-specific support information for an update
swap_cached - keyword, number.long
- memory_info.swap_cached - The amount of swap, in bytes, used as cache memory
swap_free - keyword, number.long
- memory_info.swap_free - The total amount of swap free, in bytes
swap_ins - keyword, number.long
- virtual_memory_info.swap_ins - The total number of compressed pages that have been swapped out to disk.
swap_limit - keyword, number.long
- docker_info.swap_limit - 1 if swap limit support is enabled. 0 otherwise
swap_outs - keyword, number.long
- virtual_memory_info.swap_outs - The total number of compressed pages that have been swapped back in from disk.
swap_total - keyword, number.long
- memory_info.swap_total - The total amount of swap available, in bytes
symlink - keyword, number.long
- file.symlink - 1 if the path is a symlink, otherwise 0
syscall - keyword, text.text
- bpf_process_events.syscall - System call name
- bpf_socket_events.syscall - System call name
- process_events.syscall - Syscall name: fork, vfork, clone, execve, execveat
- seccomp_events.syscall - Type of the system call
system - keyword, number.long
- cpu_time.system - Time spent in system mode
system_cpu_usage - keyword, number.long
- docker_container_stats.system_cpu_usage - CPU system usage
system_model - keyword, text.text
- kernel_panics.system_model - Physical system model, for example MacBookPro12,1 (Mac-E43C1C25D4880AD6)
system_time - keyword, number.long
- osquery_schedule.system_time - Total system time in milliseconds spent executing
- processes.system_time - CPU time in milliseconds spent in kernel space
tag - keyword, text.text
- syslog_events.tag - The syslog tag
tags - keyword, text.text
- docker_image_history.tags - Comma-separated list of tags
- docker_images.tags - Comma-separated list of repository tags
- yara.tags - Matching tags
- yara_events.tags - Matching tags
tapping_process - keyword, number.long
- event_taps.tapping_process - The process ID of the application that created the event tap.
target - keyword
- fan_speed_sensors.target - Target speed
- iptables.target - Target that applies for this rule.
target_name - keyword, text.text
- prometheus_metrics.target_name - Address of prometheus target
target_path - keyword, text.text
- file_events.target_path - The path associated with the event
- yara_events.target_path - The path scanned
task - keyword, number.long
- windows_eventlog.task - Task value associated with the event
- windows_events.task - Task value associated with the event
team - keyword, text.text
- system_extensions.team - Signing team ID
team_id - keyword, text.text
- es_process_events.team_id - Team identifier of thd process
team_identifier - keyword, text.text
- signature.team_identifier - The team signing identifier sealed into the signature
temporarily_disabled - keyword, number.long
- wifi_networks.temporarily_disabled - 1 if this network is temporarily disabled, 0 otherwise
terminal - keyword, text.text
- user_events.terminal - The network protocol ID
threads - keyword, number.long
- docker_container_processes.threads - Number of threads used by process
- processes.threads - Number of threads used by process
throttled - keyword, number.long
- virtual_memory_info.throttled - Total number of throttled pages.
tid - keyword, number.long
- bpf_process_events.tid - Thread ID
- bpf_socket_events.tid - Thread ID
- unified_log.tid - the tid of the thread that made the entry
- windows_crashes.tid - Thread ID of the crashed thread
- windows_eventlog.tid - Thread ID which emitted the event record
time - keyword
- apparmor_events.time - Time of execution in UNIX time
- asl.time - Unix timestamp. Set automatically
- bpf_process_events.time - Time of execution in UNIX time
- bpf_socket_events.time - Time of execution in UNIX time
- carves.time - Time at which the carve was kicked off
- disk_events.time - Time of appearance/disappearance in UNIX time
- docker_container_processes.time - Cumulative CPU time. [DD-]HH:MM:SS format
- es_process_events.time - Time of execution in UNIX time
- es_process_file_events.time - Time of execution in UNIX time
- file_events.time - Time of file event
- hardware_events.time - Time of hardware event
- kernel_panics.time - Formatted time of the event
- last.time - Entry timestamp
- logged_in_users.time - Time entry was made
- ntfs_journal_events.time - Time of file event
- package_install_history.time - Label date as UNIX timestamp
- powershell_events.time - Timestamp the event was received by the osquery event publisher
- process_events.time - Time of execution in UNIX time
- process_file_events.time - Time of execution in UNIX time
- seccomp_events.time - Time of execution in UNIX time
- selinux_events.time - Time of execution in UNIX time
- shell_history.time - Entry timestamp. It could be absent, default value is 0.
- socket_events.time - Time of execution in UNIX time
- syslog_events.time - Current unix epoch time
- user_events.time - Time of execution in UNIX time
- user_interaction_events.time - Time
- windows_events.time - Timestamp the event was received
- xprotect_reports.time - Quarantine alert time
- yara_events.time - Time of the scan
time_nano_sec - keyword, number.long
- asl.time_nano_sec - Nanosecond time.
time_range - keyword, text.text
- windows_eventlog.time_range - System time to selectively filter the events
timeout - keyword, text.text
- authorizations.timeout - Label top-level key
- curl_certificate.timeout - Set this value to the timeout in seconds to complete the TLS handshake (default 4s, use 0 for no timeout)
timestamp - keyword, text.text
- time.timestamp - Current timestamp (log format) in UTC
- unified_log.timestamp - unix timestamp associated with the entry
- windows_eventlog.timestamp - Timestamp to selectively filter the events
timestamp_ms - keyword, number.long
- prometheus_metrics.timestamp_ms - Unix timestamp of collected data in MS
timezone - keyword, text.text
- time.timezone - Timezone for reported time (hardcoded to UTC)
title - keyword, text.text
- cups_jobs.title - Title of the printed job
- windows_update_history.title - Title of an update
total_seconds - keyword, number.long
- uptime.total_seconds - Total uptime seconds
total_size - keyword, number.long
- docker_container_processes.total_size - Total virtual memory size
- processes.total_size - Total virtual memory size
total_width - keyword, number.long
- memory_devices.total_width - Total width, in bits, of this memory device, including any check or error-correction bits
transaction_id - keyword, number.long
- file_events.transaction_id - ID used during bulk update
- yara_events.transaction_id - ID used during bulk update
translated - keyword, number.long
- processes.translated - Indicates whether the process is running under the Rosetta Translation Environment, yes=1, no=0, error=-1.
transmit_rate - keyword, text.text
- wifi_status.transmit_rate - The current transmit rate
tries - keyword, text.text
- authorizations.tries - Label top-level key
tty - keyword, text.text
- last.tty - Entry terminal
- logged_in_users.tty - Device name
turbo_disabled - keyword, number.long
- msr.turbo_disabled - Whether the turbo feature is disabled.
turbo_ratio_limit - keyword, number.long
- msr.turbo_ratio_limit - The turbo feature ratio limit.
type - keyword, text.text
- apparmor_events.type - Event type
- appcompat_shims.type - Type of the SDB database.
- block_devices.type - Block device type string
- bpf_socket_events.type - The socket type
- crashes.type - Type of crash log
- device_file.type - File status
- device_firmware.type - Type of device
- device_partitions.type -
- disk_encryption.type - Description of cipher type and mode if available
- disk_info.type - The interface type of the disk.
- dns_cache.type - DNS record type
- dns_resolvers.type - Address type: sortlist, nameserver, search
- docker_container_mounts.type - Type of mount (bind, volume)
- docker_container_ports.type - Protocol (tcp, udp)
- docker_volumes.type - Volume type
- file.type - File status
- firefox_addons.type - Extension, addon, webapp
- hardware_events.type - Type of hardware and hardware event
- interface_addresses.type - Type of address. One of dhcp, manual, auto, other, unknown
- interface_details.type - Interface type (includes virtual)
- keychain_items.type - Keychain item type (class)
- last.type - Entry type, according to ut_type types (utmp.h)
- logged_in_users.type - Login type
- logical_drives.type - Deprecated (always Unknown).
- lxd_certificates.type - Type of the certificate
- lxd_networks.type - Type of network
- mounts.type - Mounted device type
- ntfs_acl_permissions.type - Type of access mode for the access control entry.
- nvram.type - Data type (CFData, CFString, etc)
- osquery_events.type - Either publisher or subscriber
- osquery_extensions.type - SDK extension type: core, extension, or module
- osquery_flags.type - Flag type
- process_open_pipes.type - Pipe Type: named vs unnamed/anonymous
- registry.type - Type of the registry value, or subkey if item is a subkey
- routes.type - Type of route
- selinux_events.type - Event type
- shared_resources.type - Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.
- smbios_tables.type - Table entry type
- smc_keys.type - SMC-reported type literal type
- startup_items.type - Startup Item or Login Item
- system_controls.type - Data type
- ulimit_info.type - System resource to be limited
- user_events.type - The file description for the process socket
- users.type - Whether the account is roaming (domain), local, or a system profile
- windows_crashes.type - Type of crash log
- windows_security_products.type - Type of security product
- xprotect_meta.type - Either plugin or extension
type_name - keyword, text.text
- last.type_name - Entry type name, according to ut_type types (utmp.h)
- shared_resources.type_name - Human readable value for the type column
uid - keyword
- account_policy_data.uid - User ID
- asl.uid - UID that sent the log message (set by the server).
- atom_packages.uid - The local user that owns the plugin
- authorized_keys.uid - The local owner of authorized_keys file
- bpf_process_events.uid - User ID
- bpf_socket_events.uid - User ID
- browser_plugins.uid - The local user that owns the plugin
- chrome_extension_content_scripts.uid - The local user that owns the extension
- chrome_extensions.uid - The local user that owns the extension
- crashes.uid - User ID of the crashed process
- device_file.uid - Owning user ID
- disk_encryption.uid - Currently authenticated user if available
- docker_container_processes.uid - User ID
- es_process_events.uid - User ID of the process
- file.uid - Owning user ID
- file_events.uid - Owning user ID
- firefox_addons.uid - The local user that owns the addon
- known_hosts.uid - The local user that owns the known_hosts file
- launchd_overrides.uid - User ID applied to the override, 0 applies to all
- package_bom.uid - Expected user of file or directory
- password_policy.uid - User ID for the policy, -1 for policies that are global
- process_events.uid - User ID at process start
- process_file_events.uid - The uid of the process performing the action
- processes.uid - Unsigned user ID
- safari_extensions.uid - The local user that owns the extension
- seccomp_events.uid - User ID of the user who started the analyzed process
- shell_history.uid - Shell history owner
- ssh_configs.uid - The local owner of the ssh_config file
- user_events.uid - User ID
- user_groups.uid - User ID
- user_ssh_keys.uid - The local user that owns the key file
- users.uid - User ID
uid_signed - keyword, number.long
- users.uid_signed - User ID as int64 signed (Apple)
umci_policy_status - keyword, text.text
- hvci_status.umci_policy_status - The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.
uncompressed - keyword, number.long
- virtual_memory_info.uncompressed - Total number of uncompressed pages.
uninstall_string - keyword, text.text
- programs.uninstall_string - Path and filename of the uninstaller.
unique_chip_id - keyword, text.text
- ibridge_info.unique_chip_id - Unique id of the iBridge controller
unix_time - keyword, number.long
- time.unix_time - Current UNIX time in UTC
unmask - keyword, number.long
- portage_keywords.unmask - If the package is unmasked
unused_devices - keyword, text.text
- md_devices.unused_devices - Unused devices
update_id - keyword, text.text
- windows_update_history.update_id - Revision-independent identifier of an update
update_revision - keyword, number.long
- windows_update_history.update_revision - Revision number of an update
update_source_alias - keyword, text.text
- lxd_images.update_source_alias - Alias of image at update source server
update_source_certificate - keyword, text.text
- lxd_images.update_source_certificate - Certificate for update source server
update_source_protocol - keyword, text.text
- lxd_images.update_source_protocol - Protocol used for image information update and image import from source server
update_source_server - keyword, text.text
- lxd_images.update_source_server - Server for image update
update_url - keyword, text.text
- chrome_extensions.update_url - Extension-supplied update URI
- safari_extensions.update_url - Extension-supplied update URI
upid - keyword, number.long
- processes.upid - A 64bit pid that is never reused. Returns -1 if we couldn’t gather them from the system.
uploaded_at - keyword, text.text
- lxd_images.uploaded_at - ISO time of image upload
upn - keyword, text.text
- logon_sessions.upn - The user principal name (UPN) for the owner of the logon session.
uppid - keyword, number.long
- processes.uppid - The 64bit parent pid that is never reused. Returns -1 if we couldn’t gather them from the system.
uptime - keyword, number.long
- apparmor_events.uptime - Time of execution in system uptime
- kernel_panics.uptime - System uptime at kernel panic in nanoseconds
- process_events.uptime - Time of execution in system uptime
- process_file_events.uptime - Time of execution in system uptime
- seccomp_events.uptime - Time of execution in system uptime
- selinux_events.uptime - Time of execution in system uptime
- socket_events.uptime - Time of execution in system uptime
- user_events.uptime - Time of execution in system uptime
url - keyword, text.text
- curl.url - The url for the request
- lxd_cluster_members.url - URL of the node
usb_address - keyword, number.long
- usb_devices.usb_address - USB Device used address
usb_port - keyword, number.long
- usb_devices.usb_port - USB Device used port
use - keyword, text.text
- memory_arrays.use - Function for which the array is used
- portage_use.use - USE flag which has been enabled for package
used_by - keyword, text.text
- kernel_modules.used_by - Module reverse dependencies
- lxd_networks.used_by - URLs for containers using this network
user - keyword
- cpu_time.user - Time spent in user mode
- cups_jobs.user - The user who printed the job
- docker_container_processes.user - User name
- logged_in_users.user - User login name
- logon_sessions.user - The account name of the security principal that owns the logon session.
- sandboxes.user - Sandbox owner
- systemd_units.user - The configured user, if any
user_account - keyword, text.text
- services.user_account - The name of the account that the service process will be logged on as when it runs. This name can be of the form Domain\UserName. If the account belongs to the built-in domain, the name can be of the form .\UserName.
user_account_control - keyword, text.text
- windows_security_center.user_account_control - The health of the User Account Control (UAC) capability in Windows
user_action - keyword, text.text
- xprotect_reports.user_action - Action taken by user after prompted
user_agent - keyword, text.text
- curl.user_agent - The user-agent string to use for the request
user_namespace - keyword, text.text
- docker_containers.user_namespace - User namespace
- process_namespaces.user_namespace - user namespace inode
user_time - keyword, number.long
- osquery_schedule.user_time - Total user time in milliseconds spent executing
- processes.user_time - CPU time in milliseconds spent in user space
user_uuid - keyword, text.text
- disk_encryption.user_uuid - UUID of authenticated user if available
username - keyword, text.text
- certificates.username - Username
- es_process_events.username - Username
- last.username - Entry username
- launchd.username - Run this daemon or agent as this username
- managed_policies.username - Policy applies only this user
- preferences.username - (optional) read preferences for a specific user
- rpm_package_files.username - File default username from info DB
- shadow.username - Username
- startup_items.username - The user associated with the startup item
- suid_bin.username - Binary owner username
- users.username - Username
- windows_crashes.username - Username of the user who ran the crashed process
uses_pattern - keyword, number.long
- xprotect_entries.uses_pattern - Uses a match pattern instead of identity
uts_namespace - keyword, text.text
- docker_containers.uts_namespace - UTS namespace
- process_namespaces.uts_namespace - uts namespace inode
uuid - keyword, text.text
- block_devices.uuid - Block device Universally Unique Identifier
- disk_encryption.uuid - Disk Universally Unique Identifier
- disk_events.uuid - UUID of the volume inside DMG if available
- managed_policies.uuid - Optional UUID assigned to policy set
- osquery_extensions.uuid - The transient ID assigned for communication
- osquery_info.uuid - Unique ID provided by the system
- system_info.uuid - Unique ID provided by the system
- users.uuid - User’s UUID (Apple) or SID (Windows)
valid_from - keyword, text.text
- curl_certificate.valid_from - Period of validity start date
valid_to - keyword, text.text
- curl_certificate.valid_to - Period of validity end date
value - keyword, text.text
- ad_config.value - Variable typed option value
- augeas.value - The value of the configuration item
- azure_instance_tags.value - The tag value
- cpuid.value - Bit value or string
- default_environment.value - Value of the environment variable
- docker_container_envs.value - Environment variable value
- docker_container_labels.value - Optional label value
- docker_image_labels.value - Optional label value
- docker_network_labels.value - Optional label value
- docker_volume_labels.value - Optional label value
- ec2_instance_tags.value - Tag value
- extended_attributes.value - The parsed information from the attribute
- launchd_overrides.value - Overridden value
- lxd_instance_config.value - Configuration parameter value
- lxd_instance_devices.value - Device info param value
- managed_policies.value - Policy value
- mdls.value - Value stored in the metadata key
- nvram.value - Raw variable data
- oem_strings.value - The value of the OEM string
- osquery_flags.value - Flag value
- plist.value - String value of most CF types
- power_sensors.value - Power in Watts
- preferences.value - String value of most CF types
- process_envs.value - Environment variable value
- selinux_settings.value - Active value.
- smc_keys.value - A type-encoded representation of the key value
- wmi_bios_info.value - Value of the Bios setting
valuetype - keyword, text.text
- mdls.valuetype - CoreFoundation type of data stored in value
variable - keyword, text.text
- default_environment.variable - Name of the environment variable
vbs_status - keyword, text.text
- hvci_status.vbs_status - The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.
vendor - keyword, text.text
- block_devices.vendor - Block device vendor string
- disk_events.vendor - Disk event vendor string
- hardware_events.vendor - Hardware device vendor
- pci_devices.vendor - PCI Device vendor
- platform_info.vendor - Platform code vendor
- rpm_packages.vendor - Package vendor
- usb_devices.vendor - USB Device vendor string
vendor_id - keyword, text.text
- hardware_events.vendor_id - Hex encoded Hardware vendor identifier
- pci_devices.vendor_id - Hex encoded PCI Device vendor identifier
- usb_devices.vendor_id - Hex encoded USB Device vendor identifier
vendor_syndrome - keyword, text.text
- memory_error_info.vendor_syndrome - Vendor specific ECC syndrome or CRC data associated with the erroneous access
version - keyword, text.text
- alf.version - Application Layer Firewall version
- apt_sources.version - Repository source version
- atom_packages.version - Package supplied version
- authorizations.version - Label top-level key
- azure_instance_metadata.version - Version of the VM image
- bitlocker_info.version - The FVE metadata version of the drive.
- browser_plugins.version - Plugin short version
- chocolatey_packages.version - Package-supplied version
- chrome_extension_content_scripts.version - Extension-supplied version
- chrome_extensions.version - Extension-supplied version
- crashes.version - Version info of the crashed process
- curl_certificate.version - Version Number
- deb_packages.version - Package version
- device_firmware.version - Firmware version
- docker_version.version - Docker version
- drivers.version - Driver version
- es_process_events.version - Version of EndpointSecurity event
- es_process_file_events.version - Version of EndpointSecurity event
- firefox_addons.version - Addon-supplied version string
- gatekeeper.version - Version of Gatekeeper’s gke.bundle
- homebrew_packages.version - Current linked version
- hvci_status.version - The version number of the Device Guard build.
- ie_extensions.version - Version of the executable
- intel_me_info.version - Intel ME version
- kernel_extensions.version - Extension version
- kernel_info.version - Kernel version
- npm_packages.version - Package-supplied version
- office_mru.version - Office application version number
- os_version.version - Pretty, suitable for presentation, OS version
- osquery_extensions.version - Extension’s version
- osquery_info.version - osquery toolkit version
- osquery_packs.version - Minimum osquery version that this query will run on
- package_install_history.version - Package display version
- package_receipts.version - Installed package version
- platform_info.version - Platform code version
- portage_keywords.version - The version which are affected by the use flags, empty means all
- portage_packages.version - The version which are affected by the use flags, empty means all
- portage_use.version - The version of the installed package
- programs.version - Product version information.
- python_packages.version - Package-supplied version
- rpm_packages.version - Package version
- safari_extensions.version - Extension long version
- system_extensions.version - System extension version
- usb_devices.version - USB Device version number
- windows_crashes.version - File version info of the crashed process
video_mode - keyword, text.text
- video_info.video_mode - The current resolution of the display.
virtual_process - keyword, number.long
- processes.virtual_process - Process is virtual (e.g. System, Registry, vmmem) yes=1, no=0
visible - keyword, number.long
- firefox_addons.visible - 1 If the addon is shown in browser else 0
visible_alarm - keyword, text.text
- chassis_info.visible_alarm - If TRUE, the frame is equipped with a visual alarm.
vm_id - keyword, text.text
- azure_instance_metadata.vm_id - Unique identifier for the VM
- azure_instance_tags.vm_id - Unique identifier for the VM
vm_scale_set_name - keyword, text.text
- azure_instance_metadata.vm_scale_set_name - VM scale set name
vm_size - keyword, text.text
- azure_instance_metadata.vm_size - VM size
voltage - keyword, number.long
- battery.voltage - The battery’s current voltage in mV
volume_creation - keyword, text.text
- prefetch.volume_creation - Volume creation time.
volume_id - keyword, number.long
- quicklook_cache.volume_id - Parsed volume ID from fs_id
volume_serial - keyword, text.text
- file.volume_serial - Volume serial number
- prefetch.volume_serial - Volume serial number.
volume_size - keyword, number.long
- platform_info.volume_size - (Optional) size of firmware volume
wall_time - keyword, number.long
- osquery_schedule.wall_time - Total wall time in seconds spent executing (deprecated), hidden=True
wall_time_ms - keyword, number.long
- osquery_schedule.wall_time_ms - Total wall time in milliseconds spent executing
warning - keyword, number.long
- shadow.warning - Number of days before password expires to warn user about it
was_captive_network - keyword, number.long
- wifi_networks.was_captive_network - 1 if this network was previously a captive network, 0 otherwise
watch_paths - keyword, text.text
- launchd.watch_paths - Key that launches daemon or agent if path is modified
watcher - keyword, number.long
- osquery_info.watcher - Process (or thread/handle) ID of optional watcher process
weekday - keyword, text.text
- time.weekday - Current weekday in UTC
win32_exit_code - keyword, number.long
- services.win32_exit_code - The error code that the service uses to report an error that occurs when it is starting or stopping
win_timestamp - keyword, number.long
- time.win_timestamp - Timestamp value in 100 nanosecond units
windows_security_center_service - keyword, text.text
- windows_security_center.windows_security_center_service - The health of the Windows Security Center Service
wired - keyword, number.long
- virtual_memory_info.wired - Total number of wired down pages.
wired_size - keyword, number.long
- docker_container_processes.wired_size - Bytes of unpageable memory used by process
- processes.wired_size - Bytes of unpageable memory used by process
working_directory - keyword, text.text
- launchd.working_directory - Key used to specify a directory to chdir to before launch
working_disks - keyword, number.long
- md_devices.working_disks - Number of working disks in array
world - keyword, number.long
- portage_packages.world - If package is in the world file
writable - keyword, number.long
- disk_events.writable - 1 if writable, 0 if not
xpath - keyword, text.text
- windows_eventlog.xpath - The custom query to filter events
year - keyword, number.long
- time.year - Current year in UTC
zero_fill - keyword, number.long
- virtual_memory_info.zero_fill - Total number of zero filled pages.
zone - keyword, text.text
- azure_instance_metadata.zone - Availability zone of the VM
- ycloud_instance_metadata.zone - Availability zone of the VM