{"id":23007704,"url":"https://github.com/agardnerit/osquery-queries","last_synced_at":"2026-01-11T05:51:03.566Z","repository":{"id":253034866,"uuid":"842263892","full_name":"agardnerIT/osquery-queries","owner":"agardnerIT","description":"Repository of sample queries for osquery. Submissions welcomed!","archived":false,"fork":false,"pushed_at":"2024-08-14T06:34:43.000Z","size":13,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-08T06:22:59.379Z","etag":null,"topics":["osquery"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/agardnerIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-14T02:10:21.000Z","updated_at":"2024-08-14T06:34:46.000Z","dependencies_parsed_at":"2024-08-14T03:53:41.367Z","dependency_job_id":null,"html_url":"https://github.com/agardnerIT/osquery-queries","commit_stats":null,"previous_names":["agardnerit/osquery-queries"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agardnerIT%2Fosquery-queries","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agardnerIT%2Fosquery-queries/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agardnerIT%2Fosquery-queries/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/agardnerIT%2Fosquery-queries/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/
agardnerIT","download_url":"https://codeload.github.com/agardnerIT/osquery-queries/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246838490,"owners_count":20842075,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["osquery"],"created_at":"2024-12-15T08:16:44.458Z","updated_at":"2026-01-11T05:51:03.561Z","avatar_url":"https://github.com/agardnerIT.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# osquery-queries\nRepository of sample queries for osquery. Submissions welcomed!\n\n## Start interactive mode\n\n```\nosqueryi\n```\n\n## Exit interactive mode\n\n```\n.exit\n```\n\n## See all available data (represented as tables)\n\n```\n.tables\n```\n\n## See the table layout for the `uptime` table\n\n```\n.schema uptime\n```\n\n## View system uptime\n\n```\nselect * from uptime;\n```\n\n## Find files across the filesystem with names ending in .1234\n\n```\nSELECT filename, path FROM file WHERE directory LIKE '/%%' and filename LIKE '%.1234';\n```\n\n## Find files in a directory with \"too permissive\" permissions\n\nNote: `mode` is a text column, so the comparison below is a string comparison, not a test of individual permission bits (for example, `0700` matches although it grants nothing to group or others). Treat the results as candidates for review rather than a definitive list.\n\n```\nSELECT filename, path, mode FROM file WHERE directory == '/tmp' and mode \u003e '0644';\n```\n\n## Find files in a directory bigger than X bytes\n\n```\nSELECT filename, path, mode, size FROM file WHERE directory == '/tmp' and size \u003e 5;\n```\n\n## See all non-Apple apps installed on macOS\n\n```\nselect name from apps where bundle_identifier NOT LIKE 'com.apple.%%';\n```\n\n## Get battery percentage\n\n```\nselect percent_remaining from battery;\n```\n\n## Which 
packages are installed by homebrew and at which versions?\n\n```\nselect * from homebrew_packages;\n```\n\n## View non Apple kernel extensions\n\n```\nselect * from kernel_extensions where name NOT LIKE 'com.apple%';\n```\n\n## How much RAM and what type is in the system?\n\n```\nselect memory_type, size from memory_devices;\n```\n\n## Get system time\n\n```\nselect * from time;\n```\n\n## Find the process ID using a particular port\nEquivalent to `lsof -i :8888`\n\n```\nSELECT p.pid AS process_id, lp.port AS port FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port = 8888;\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagardnerit%2Fosquery-queries","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fagardnerit%2Fosquery-queries","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fagardnerit%2Fosquery-queries/lists"}