Mac os running process info
SCHEMA
| cmdline | string | Process command line |
| egid | long | Effective group ID at process start |
| euid | long | Effective user ID at process start |
| gid | long | Group ID (unsigned) of the user running the process |
| name | string | Name of the registry value entry |
| parent | long | Process parent's PID |
| path | string | Full path to the value |
| pid | long | Process (or thread) ID |
| sha1 | string | SHA1 of the file now |
| sha256 | string | SHA256 of the file now |
| time | long | Timestamp of the windows powershell event (unix epoch) |
| uid | long | The local user that owns the plugin |
-- running_processes_osx_events INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, cmdline, egid, euid, gid, name, parent, path, pid, sha1, sha256, time, uid, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'running_processes_osx_events'
Once we have MAC we will test !!!
