{
  "os_version": {
    "query": "select * from os_version;",
    "description": "Retrieves the name and version of the operating system running on the target system.",
    "purlType": "swid",
    "componentType": "operating-system"
  },
  "safari_extensions": {
    "query": "select safari_extensions.* from users join safari_extensions using (uid);",
    "description": "Safari browser extension details for all users. This table requires Full Disk Access (FDA) permission.",
    "purlType": "swid",
    "componentType": "application"
  },
  "chrome_extensions": {
    "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
    "description": "Retrieves the list of extensions for Chrome in the target system.",
    "purlType": "chrome-extension",
    "componentType": "application"
  },
  "firefox_addons": {
    "query": "select firefox_addons.* from users join firefox_addons using (uid);",
    "description": "Retrieves the list of addons for Firefox in the target system.",
    "purlType": "swid",
    "componentType": "application"
  },
  "vscode_extensions": {
    "query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
    "description": "Lists the VS Code extensions installed for each user.",
    "purlType": "vscode-extension",
    "componentType": "application"
  },
  "apps": {
    "query": "select * from apps;",
    "description": "macOS applications installed in known search paths (e.g., /Applications).",
    "purlType": "swid",
    "componentType": "application"
  },
  "gatekeeper": {
    "query": "SELECT 'gatekeeper' as name, COALESCE(NULLIF(version, ''), opaque_version) as version, opaque_version as description, assessments_enabled, dev_id_enabled FROM gatekeeper;",
    "description": "macOS Gatekeeper policy status, including assessment enforcement and identified-developer allowance.",
    "purlType": "swid",
    "componentType": "data"
  },
  "system_extensions": {
    "query": "select * from system_extensions;",
    "description": "macOS (>= 10.15) system extension table.",
    "purlType": "swid",
    "componentType": "application"
  },
  "certificates": {
    "query": "SELECT * FROM certificates WHERE path != 'Other People';",
    "description": "Lists all certificates in the trust store, excluding rows whose path is 'Other People'.",
    "purlType": "swid",
    "componentType": "data"
  },
  "users_snapshot": {
    "query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid, is_hidden FROM users;",
    "description": "Local account inventory including hidden-user attributes on macOS.",
    "purlType": "swid",
    "componentType": "data"
  },
  "logged_in_users_snapshot": {
    "query": "SELECT user as name, '' as version, type as description, pid, host, tty, time FROM logged_in_users;",
    "description": "Interactive and remote user sessions currently active on the host.",
    "purlType": "swid",
    "componentType": "data"
  },
  "shell_history_snapshot": {
    "query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);",
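    "description": "Per-user shell history, including the full text of each command, for investigation support. Command lines can contain credentials or other secrets, so treat the output as sensitive.",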
    "purlType": "swid",
    "componentType": "data"
  },
  "homebrew_packages": {
    "query": "SELECT * FROM homebrew_packages;",
    "description": "Homebrew formula and cask inventory including auto-update behavior.",
    "purlType": "swid",
    "componentType": "application"
  },
  "npm_packages": {
    "query": "SELECT * FROM npm_packages;",
    "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
    "purlType": "npm"
  },
  "launchd_services": {
    "query": "SELECT name, label, path, program, run_at_load, keep_alive, disabled, username, groupname, stdout_path, stderr_path, start_interval, program_arguments, watch_paths, queue_directories, start_on_mount, working_directory, process_type FROM launchd;",
    "description": "LaunchAgents and LaunchDaemons configuration used for macOS persistence.",
    "purlType": "swid",
    "componentType": "application"
  },
  "launchd_overrides": {
    "query": "SELECT label as name, key as version, value as description, uid, path FROM launchd_overrides;",
    "description": "Per-user launchd override state that can alter startup behavior.",
    "purlType": "swid",
    "componentType": "data"
  },
  "alf": {
    "query": "SELECT 'alf' as name, global_state as version, version as description, allow_signed_enabled, firewall_unload, logging_enabled, logging_option, stealth_enabled FROM alf;",
    "description": "Application Layer Firewall (ALF) configuration and enforcement posture.",
    "purlType": "swid",
    "componentType": "data"
  },
  "alf_exceptions": {
    "query": "SELECT path as name, state as version FROM alf_exceptions;",
    "description": "Firewall allow/block exception list for specific executables or bundle identifiers.",
    "purlType": "swid",
    "componentType": "data"
  },
  "xprotect_entries": {
    "query": "SELECT * FROM xprotect_entries;",
    "description": "Built-in XProtect malware signature entries on macOS.",
    "purlType": "swid",
    "componentType": "data"
  },
  "xprotect_meta": {
    "query": "SELECT identifier as name, min_version as version, type as description, developer_id FROM xprotect_meta;",
    "description": "XProtect browser extension/plugin policy metadata.",
    "purlType": "swid",
    "componentType": "data"
  },
  "package_bom": {
    "query": "SELECT * FROM package_bom WHERE path IN (SELECT REPLACE(package_receipts.path, '.plist', '.bom') FROM package_receipts JOIN file ON file.path = REPLACE(package_receipts.path, '.plist', '.bom') WHERE package_receipts.path LIKE '%.plist' AND file.size <= 52428800);",
    "description": "macOS package bill of materials (BOM) file list.",
    "purlType": "swid",
    "componentType": "application"
  },
  "package_install_history": {
    "query": "SELECT * FROM package_install_history;",
    "description": "macOS package install history.",
    "purlType": "swid",
    "componentType": "application"
  },
  "package_receipts": {
    "query": "SELECT * FROM package_receipts;",
    "description": "macOS package receipt details.",
    "purlType": "swid",
    "componentType": "application"
  },
  "running_apps": {
    "query": "SELECT * FROM running_apps;",
    "description": "macOS applications currently running on the host system.",
    "purlType": "swid",
    "componentType": "data"
  },
  "sandboxes": {
    "query": "SELECT * FROM sandboxes;",
    "description": "macOS application sandbox container details.",
    "purlType": "swid",
    "componentType": "data"
  },
  "startup_items": {
    "query": "SELECT * FROM startup_items;",
    "description": "List all startup_items.",
    "purlType": "swid",
    "componentType": "data"
  },
  "listening_ports": {
    "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
    "description": "Lists processes that have listening ports, with each port's protocol, family, and bound address.",
    "purlType": "swid",
    "componentType": "application"
  },
  "interface_addresses": {
    "query": "SELECT * FROM interface_addresses;",
    "description": "List all interface_addresses.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_container_ports": {
    "query": "SELECT * FROM docker_container_ports;",
    "description": "List all docker_container_ports.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_containers": {
    "query": "SELECT * FROM docker_containers;",
    "description": "List all docker_containers.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_networks": {
    "query": "SELECT * FROM docker_networks;",
    "description": "List all docker_networks.",
    "purlType": "swid",
    "componentType": "data"
  },
  "docker_volumes": {
    "query": "SELECT * FROM docker_volumes;",
    "description": "List all docker_volumes.",
    "purlType": "swid",
    "componentType": "data"
  }
}
