Data Source: Osquery Results

Description

Logs system queries performed using osquery, including details about processes, file access, network activity, and system configurations.

Details

| Property | Value |
| --- | --- |
| Source | osquery |
| Sourcetype | osquery:results |
| Name | Technique | Type |
| --- | --- | --- |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| MacOS Account Created | Create Account | Anomaly |
| MacOS AMOS Stealer - Virtual Machine Check Activity | AppleScript | Anomaly |
| MacOS Data Chunking | Data Transfer Size Limits | Anomaly |
| MacOS Gatekeeper Bypass | Gatekeeper Bypass | Anomaly |
| MacOS Hidden Files and Directories | Hidden Files and Directories | Anomaly |
| MacOS Kextload Usage | Create or Modify System Process | TTP |
| MacOS Keychains Dumped | Keychain | TTP |
| MacOS List Firewall Rules | System Network Configuration Discovery | Anomaly |
| MacOS Log Removal | Indicator Removal | TTP |
| MacOS LoginHook Persistence | Login Hook | TTP |
| MacOS LOLbin | Unix Shell | TTP |
| MacOS Network Share Discovery | Network Share Discovery | Anomaly |
| MacOS plutil | Plist File Modification | TTP |
| Processes Tapping Keyboard Events | None | TTP |
| Suspicious PlistBuddy Usage via OSquery | Launch Agent | TTP |

Supported Apps

Event Fields

- _time
- calendarTime
- columns.cdhash
- columns.child_pid
- columns.cmdline
- columns.cmdline_count
- columns.cwd
- columns.egid
- columns.env
- columns.env_count
- columns.euid
- columns.event_type
- columns.exit_code
- columns.gid
- columns.global_seq_num
- columns.original_parent
- columns.parent
- columns.path
- columns.pid
- columns.platform_binary
- columns.seq_num
- columns.signing_id
- columns.team_id
- columns.time
- columns.uid
- columns.username
- columns.version
- counter
- dest
- epoch
- eventtype
- host
- hostIdentifier
- index
- linecount
- name
- numerics
- parent_process_id
- process_current_directory
- process_id
- process_path
- punct
- source
- sourcetype
- splunk_server
- src
- subject
- tag
- tag::eventtype
- timestamp
- unixTime
- user_id
- vendor_product

Example Log

```json
{
  "name": "es_process_events",
  "hostIdentifier": "HackBook.local",
  "calendarTime": "Tue Mar 29 13:03:51 2022 UTC",
  "unixTime": 1648559031,
  "epoch": 0,
  "counter": 82,
  "numerics": false,
  "columns": {
    "cdhash": "f63c5fbfcf1484b20aa4407a26e087fe3fe28146",
    "child_pid": "",
    "cmdline": "plutil --help ",
    "cmdline_count": "2",
    "cwd": "/Users/patrick",
    "egid": "20",
    "env": "TERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.OOwoeuT9LF/Listeners LC_TERMINAL_VERSION=3.3.7 COLORFGBG=15;0 ITERM_PROFILE=Default XPC_FLAGS=0x0 LANG=de_DE.UTF-8 PWD=/Users/patrick SHELL=/bin/zsh __CFBundleIdentifier=com.googlecode.iterm2 TERM_PROGRAM_VERSION=3.3.7 TERM_PROGRAM=iTerm.app PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin LC_TERMINAL=iTerm2 COLORTERM=truecolor COMMAND_MODE=unix2003 TERM=xterm-256color HOME=/Users/patrick TMPDIR=/var/folders/tc/m9brp20d1mvfgssff70501m40000gn/T/ USER=patrick XPC_SERVICE_NAME=0 LOGNAME=patrick ITERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3 __CF_USER_TEXT_ENCODING=0x0:0:3 SHLVL=1 OLDPWD=/Users/patrick HISTTIMEFORMAT=%F %T  ZSH=/Users/patrick/.oh-my-zsh PAGER=less LESS=-R LSCOLORS=Gxfxcxdxbxegedabagacad _=/usr/bin/plutil ",
    "env_count": "32",
    "euid": "20",
    "event_type": "exec",
    "exit_code": "",
    "gid": "20",
    "global_seq_num": "440",
    "original_parent": "2971",
    "parent": "2971",
    "path": "/usr/bin/plutil",
    "pid": "6449",
    "platform_binary": "1",
    "seq_num": "154",
    "signing_id": "com.apple.Foundation.plutil",
    "team_id": "",
    "time": "1648558927",
    "uid": "501",
    "username": "patrick",
    "version": "4"
  },
  "action": "added"
}
```
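As an added example (not code from this page, from the Splunk add-on, or from osquery itself), the following Python parser reads one result record in the shape of the example log above and exposes it under the dotted field names from the Event Fields list. The aliasing of `columns.pid` to `process_id`, `columns.parent` to `parent_process_id`, `hostIdentifier` to `dest` and so on, as well as the `is_platform_signed` heuristic, are assumptions of this example rather than documented extractions. The embedded record is an abridged copy of the page's example log with the `env` string shortened; it keeps the `VMware Fusion.app` path and the `HISTTIMEFORMAT=%F %T` value because both contain spaces, which is the edge case the environment parser has to handle.

```python
import json
import shlex

# Abridged copy of the page's example osquery result. The "env" string is
# shortened for readability; every other value is as it appears on the page.
EXAMPLE_EVENT = r'''{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Tue Mar 29 13:03:51 2022 UTC","unixTime":1648559031,"epoch":0,"counter":82,"numerics":false,"columns":{"cdhash":"f63c5fbfcf1484b20aa4407a26e087fe3fe28146","child_pid":"","cmdline":"plutil --help ","cmdline_count":"2","cwd":"/Users/patrick","egid":"20","env":"SHELL=/bin/zsh PATH=/usr/local/bin:/usr/bin:/bin:/Applications/VMware Fusion.app/Contents/Public USER=patrick HISTTIMEFORMAT=%F %T  ZSH=/Users/patrick/.oh-my-zsh _=/usr/bin/plutil ","env_count":"32","euid":"20","event_type":"exec","exit_code":"","gid":"20","global_seq_num":"440","original_parent":"2971","parent":"2971","path":"/usr/bin/plutil","pid":"6449","platform_binary":"1","seq_num":"154","signing_id":"com.apple.Foundation.plutil","team_id":"","time":"1648558927","uid":"501","username":"patrick","version":"4"},"action":"added"}'''

# Assumed mapping from osquery "columns.*" fields to the normalized field
# names this page lists. This is an assumption of the example, not the
# add-on's documented field extraction.
ALIASES = {
    "process_id": "columns.pid",
    "parent_process_id": "columns.parent",
    "process_path": "columns.path",
    "process_current_directory": "columns.cwd",
    "user_id": "columns.uid",
}


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into dotted keys (e.g. "columns.pid")."""
    out = {}
    for key, value in obj.items():
        dotted = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, dotted + "."))
        else:
            out[dotted] = value
    return out


def parse_osquery_result(raw: str) -> dict:
    """Parse one osquery result line into a flat dict keyed by field name."""
    event = json.loads(raw)
    fields = flatten(event)
    # Assumed normalizations: event time from unixTime, destination host from
    # hostIdentifier, and the process_* / user_id aliases defined above.
    fields["_time"] = event["unixTime"]
    fields["dest"] = event["hostIdentifier"]
    for alias, source in ALIASES.items():
        if source in fields:
            fields[alias] = fields[source]
    return fields


def command_argv(fields: dict) -> list:
    """Split columns.cmdline into an argv list, honouring shell quoting."""
    return shlex.split(fields.get("columns.cmdline", ""))


def parse_env(env_str: str) -> dict:
    """Parse the space-joined KEY=VALUE environment string in columns.env.

    Values can themselves contain spaces (the VMware Fusion path and the
    HISTTIMEFORMAT value in the sample), so a token with no '=' is appended
    to the previous value instead of being treated as a new variable. A value
    fragment that itself contains '=' is ambiguous and is read as a new key;
    that is a limitation of the space-joined format, not of this parser.
    """
    env = {}
    current = None
    for token in env_str.split(" "):
        if not token:  # double spaces and the trailing space yield empties
            continue
        if "=" in token:
            current, value = token.split("=", 1)
            env[current] = value
        elif current is not None:
            env[current] += " " + token
    return env


def is_platform_signed(fields: dict) -> bool:
    """Heuristic (an assumption of this example): treat the executable as an
    Apple platform binary when osquery flags it as one and its signing_id is
    in Apple's namespace. Third-party tools will normally carry a team_id."""
    return (
        fields.get("columns.platform_binary") == "1"
        and str(fields.get("columns.signing_id", "")).startswith("com.apple.")
    )


if __name__ == "__main__":
    parsed = parse_osquery_result(EXAMPLE_EVENT)
    print(parsed["dest"], parsed["process_id"], parsed["process_path"])
    print(command_argv(parsed))
    print(parse_env(parsed["columns.env"])["PATH"])
    print("platform signed:", is_platform_signed(parsed))
```

Because osquery emits column values as strings, `process_id` and friends stay strings here; convert at the point of comparison if a downstream search treats them as numbers.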

Source: GitHub | Version: 3