Asset query

Zercurity uses Facebook’s Osquery to provide the ability for Users to remotely interrogate Assets using SQL.

You can ask almost any question you like, structured as an SQL query. The results of the query are returned in a table. Take the following example:

SELECT pid, name FROM processes ORDER BY pid DESC LIMIT 5;

The query returns the currently running processes on each asset with their process id (pid) and process name, ordered by pid in descending order and limited to the first 5 results.

+-------+----------------------+
| pid   | name                 |
+-------+----------------------+
| 21629 | ReportCrash          |
| 21597 | syncdefaultsd        |
| 21580 | osqueryi             |
| 21511 | Google Chrome Helper |
| 21430 | Google Chrome Helper |
+-------+----------------------+
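Because the same SQL interface can join any of Osquery’s tables, a single query can correlate data that would otherwise need several tools. The following is an added example (it is not part of the Zercurity documentation or of Osquery’s own examples) that joins the processes, listening_ports and users tables to show which user owns each process listening on a TCP port. It assumes the asset exposes those three standard Osquery tables (they exist on Linux, macOS and Windows); the aliases p, lp and u are just names chosen here.

```sql
-- Added example (not from the Zercurity docs): which processes are listening
-- on TCP ports on this asset, and which user account owns each one.
-- Assumes the standard osquery tables processes, listening_ports and users.
SELECT
  p.pid,
  p.name,
  p.path,
  u.username,
  lp.address,
  lp.port
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid      -- attach the owning process
LEFT JOIN users AS u ON u.uid = p.uid      -- resolve uid to a username (may be NULL)
WHERE lp.protocol = 6                      -- 6 = TCP; 17 would select UDP
  AND lp.port != 0                         -- drop entries with no bound port
ORDER BY lp.port ASC;
```

The result comes back as a table in the same way as the simpler processes query above, so it can be run ad hoc against a group of assets to spot an unexpected listener (for example a service bound on 0.0.0.0 under an unusual account) or saved into a pack to run on a schedule.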

You can find more information about Osquery’s table schema here (/osquery_3.3.0/schema/index). There you will find a complete list of all the table definitions that Osquery supports.

For examples and inspiration on the types of queries you can run, check out the Osquery examples we’ve provided below, or see the Osquery packs guide here.