Under Review

threat_osx_hidden_users

Scheduled queries with the Threat prefix identify potential threats that may warrant investigation.

This query identifies hidden user accounts on OSX (macOS).

SCHEMA

Column    Type    Description
shell     string  User's configured default shell
uid       long    The local user that owns the plugin
username  string  Username
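As an added example (not the query pack's own scheduled query), one way the osquery side of this detection could be written. It assumes osquery's macOS users table and its is_hidden column, and returns exactly the three schema columns above:

```sql
-- Added example, not the query pack's own scheduled query.
-- Assumes osquery's macOS `users` table, including its `is_hidden` column
-- (the account's IsHidden attribute in OpenDirectory).
-- Returns the three columns listed in the schema: shell, uid, username.
SELECT
   u.shell,
   u.uid,
   u.username
FROM users AS u
WHERE
   -- account explicitly hidden from the login window
   u.is_hidden = 1
   -- or an interactive account placed in the UID range macOS reserves
   -- for system accounts (below 500), which the login window also hides
   OR (
      u.uid < 500
      -- interactive shell: service accounts normally get a non-login shell
      AND u.shell NOT IN ('/usr/bin/false', '/sbin/nologin')
      -- built-in service accounts are prefixed with an underscore
      AND substr(u.username, 1, 1) != '_'
      -- well-known built-in accounts that are expected in this range
      AND u.username NOT IN ('root', 'daemon', 'nobody')
   );
```

Each row this returns lands in xdr_data with query_name = 'threat_osx_hidden_users'; when triaging, confirm whether the account belongs to a known management or backup agent before escalating.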

-- threat_osx_hidden_users INFO
SELECT
   -- Device ID details
   meta_hostname, meta_ip_address,

   -- Query details
   query_name, shell, uid, username,

   -- Decoration
   meta_boot_time, meta_eid, meta_endpoint_type,
   meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type,
   meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,

   -- Generic
   calendar_time, counter, epoch, host_identifier, numerics,
   osquery_action, unix_time,

   -- Data Lake
   customer_id, endpoint_id, upload_size

FROM xdr_data
WHERE query_name = 'threat_osx_hidden_users'

We will need a Mac feeding the data lake to test this query.