osx updates and patches. MAC OS. Not in the EAP but coming soon
SCHEMA
| content_type | string | Package content_type (optional) |
| name | string | Name of the registry value entry |
| package_id | string | Label packageIdentifiers |
| source | string | The Windows event source |
| time | long | Timestamp of the windows powershell event (unix epoch) |
| version | string | Plugin short version |
-- osx_updates_patch INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, content_type, name, package_id, source, time, version, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'osx_updates_patch'
We wont be able to test this until MAC starts filling the lake
