Commit 883a2ea

committed
fix
1 parent 8df429d commit 883a2ea

File tree

2 files changed

+38
-39
lines changed


packages/osquery_manager/artifacts_matrix.md

Lines changed: 37 additions & 37 deletions
@@ -21,52 +21,52 @@ This document tracks the coverage of forensic artifacts in Osquery.
2121

2222
## Core Forensic Artifacts Coverage
2323

24-
| # | Artifact || OS | Query | File | Implementation Notes |
25-
|---|----------|--|----|-------|------|----------------------------------------------------------------------------------------------------------------------------------|
26-
| 1 | AppCompatCache | ⚠️ | Win | - | - | shimcache table |
27-
| 2 | AmCache || Win | - | - | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime |
28-
| 3 | BITS Jobs Database | ⚠️ | Win | - | - | Not a native table, but can be queried via windows_eventlog |
29-
| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables |
24+
| # | Artifact || OS | Query | File | Implementation Notes |
25+
|---|----------|--|-------|-------|------|----------------------------------------------------------------------------------------------------------------------------------|
26+
| 1 | AppCompatCache | ⚠️ | Win | - | - | shimcache table |
27+
| 2 | AmCache || Win | - | - | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime |
28+
| 3 | BITS Jobs Database | ⚠️ | Win | - | - | Not a native table, but can be queried via windows_eventlog |
29+
| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables |
3030
| 4a | Browser URL History | ⚠️ | Linux | - | - | No native table. Can be supported via ATC custom tables |
31-
| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables |
32-
| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables |
31+
| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables |
32+
| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables |
3333
| 5a | File Listing | ⚠️ | Linux | - | - | file and hash tables |
34-
| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables |
35-
| 6 | Installed Services | ⚠️ | Win | - | - | services table |
34+
| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables |
35+
| 6 | Installed Services | ⚠️ | Win | - | - | services table |
3636
| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table |
37-
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
38-
| 7 | Jumplists || Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
39-
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
40-
| 9 | ARP Cache (Enriched) || Win | arp_cache_elastic | [b2c3](kibana/osquery_saved_query/osquery_manager-b2c3d4e5-f6a7-11ef-89c6-331eb0db6d02.json) | Enriched ARP cache with local interface details (local IP, local MAC). Combines arp_cache with interface_details and interface_addresses tables. Equivalent to Windows.Network.ArpCache artifact. Includes ECS mappings for destination.ip, destination.mac, host.ip, host.mac, network.name, network.type |
41-
| 10 | Disks & Volumes | ⚠️ | Win | - | - | disk_info table |
37+
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
38+
| 7 | Jumplists || Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
39+
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
40+
| 9 | ARP Cache (Enriched) || All | arp_cache_elastic | [b2c3](kibana/osquery_saved_query/osquery_manager-b2c3d4e5-f6a7-11ef-89c6-331eb0db6d02.json) | Enriched ARP cache with local interface details (local IP, local MAC). Combines arp_cache with interface_details and interface_addresses tables. Equivalent to Windows.Network.ArpCache artifact. Includes ECS mappings for destination.ip, destination.mac, host.ip, host.mac, network.name, network.type |
41+
| 10 | Disks & Volumes | ⚠️ | Win | - | - | disk_info table |
4242
| 10a | Disks & Volumes | ⚠️ | Linux | - | - | disk_info table |
43-
| 10b | Disks & Volumes | ⚠️ | Mac | - | - | disk_info table |
44-
| 11 | Network Interfaces & IP Configuration | ⚠️ | Win | - | - | interface_details, interface_addresses, interface_ipv6 |
43+
| 10b | Disks & Volumes | ⚠️ | Mac | - | - | disk_info table |
44+
| 11 | Network Interfaces & IP Configuration | ⚠️ | Win | - | - | interface_details, interface_addresses, interface_ipv6 |
4545
| 11a | Network Interfaces & IP Configuration | ⚠️ | Linux | - | - | interface_details, interface_addresses, interface_ipv6 |
46-
| 11b | Network Interfaces & IP Configuration | ⚠️ | Mac | - | - | interface_details, interface_addresses, interface_ipv6 |
47-
| 12 | NTFS USN Journal | ⚠️ | Win | - | - | ntfs_journal_events table |
48-
| 13 | Open Handles || Win | - | - | PR #7835 open; external extension available: EclecticIQ ext |
46+
| 11b | Network Interfaces & IP Configuration | ⚠️ | Mac | - | - | interface_details, interface_addresses, interface_ipv6 |
47+
| 12 | NTFS USN Journal | ⚠️ | Win | - | - | ntfs_journal_events table |
48+
| 13 | Open Handles || Win | - | - | PR #7835 open; external extension available: EclecticIQ ext |
4949
| 13a | Open Handles || Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext |
50-
| 13b | Open Handles || Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext |
51-
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
50+
| 13b | Open Handles || Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext |
51+
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
5252
| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
53-
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
54-
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
55-
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
56-
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
53+
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
54+
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
55+
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
56+
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
5757
| 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
58-
| 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
59-
| 18 | Registry | ⚠️ | Win | - | - | registry table |
58+
| 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
59+
| 18 | Registry | ⚠️ | Win | - | - | registry table |
6060
| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table |
61-
| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
62-
| 20 | Shellbags | ⚠️ | Win | - | - | shellbags table |
63-
| 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table |
61+
| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
62+
| 20 | Shellbags | ⚠️ | Win | - | - | shellbags table |
63+
| 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table |
6464
| 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table |
65-
| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table |
66-
| 22 | User Assist | ⚠️ | Win | - | - | userassist table |
67-
| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers |
68-
| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding |
69-
| 25 | MFT || Win | - | - | Not natively supported. Available via Trail of Bits extension |
65+
| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table |
66+
| 22 | User Assist | ⚠️ | Win | - | - | userassist table |
67+
| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers |
68+
| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding |
69+
| 25 | MFT || Win | - | - | Not natively supported. Available via Trail of Bits extension |
7070

7171
---
7272

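Review bot: The only substantive change in this hunk is the OS cell of row 9 (ARP Cache (Enriched)) going from `Win` to `All`, but every other multi-platform artifact in this table is expressed as per-OS sub-rows (4/4a/4b, 5/5a/5b, 13/13a/13b, and so on) rather than a single `All` row; for consistency consider either adding `9a`/`9b` rows for Linux and Mac or stating in the Implementation Notes that the `arp_cache`, `interface_details` and `interface_addresses` joins are platform-independent. The remaining 36 deleted/added row pairs are byte-identical apart from the widened `|-------|` separator in the alignment row, which makes the diff hard to review; a whitespace-only reformat is better kept in its own commit. The note for row 9 still says "Equivalent to Windows.Network.ArpCache artifact", which reads oddly once the row is marked `All`; rewording it to "Windows equivalent: Windows.Network.ArpCache" would keep the cross-reference without implying a Windows-only scope.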
@@ -178,7 +178,7 @@ While some artifacts are not directly available, the existing queries provide st
178178
- ❌ MFT (Not Available - Use NTFS USN Journal as alternative or Trail of Bits extension)
179179

180180
### Network/C2 Indicators
181-
- ✅ ARP Cache Enriched (Windows: arp_cache + interface_details + interface_addresses tables with joins, includes ECS mappings)
181+
- ✅ ARP Cache (arp_cache + interface_details + interface_addresses tables with joins, includes ECS mappings)
182182
- ⚠️ Network Interfaces & IP Configuration (All platforms: interface_details, interface_addresses, interface_ipv6)
183183

184184
### System Information
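Review bot: The new bullet drops both the "Enriched" qualifier and the platform prefix, which leaves it inconsistent with the neighbouring bullet on line 182 ("Network Interfaces & IP Configuration (All platforms: ...)") and with the table above, where the artifact is still called "ARP Cache (Enriched)" and the saved query is `arp_cache_elastic`. Suggest `- ✅ ARP Cache Enriched (All platforms: arp_cache + interface_details + interface_addresses tables with joins, includes ECS mappings)` so the summary, the matrix row and the saved query all name the same thing and the reader can see the platform scope at a glance.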

packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-b2c3d4e5-f6a7-11ef-89c6-331eb0db6d02.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,8 +49,7 @@
4949
],
5050
"id": "arp_cache_elastic",
5151
"interval": "3600",
52-
"platform": "windows",
53-
"query": "-- ARP Cache with Local Interface Information\n-- Provides complete network neighbor context by joining ARP cache with interface details\n-- Source: arp_cache + interface_details + interface_addresses tables\n-- Equivalent to Windows.Network.ArpCache artifact\n\nWITH arp_entries AS (\n SELECT \n a.address AS RemoteAddress,\n a.mac AS RemoteMACAddress,\n a.interface AS InterfaceName,\n CASE \n WHEN a.permanent = '1' THEN 'Persistent'\n ELSE 'Active'\n END AS Store,\n CASE\n WHEN a.address LIKE '%:%' THEN 'ipv6'\n ELSE 'ipv4'\n END AS AddressFamily\n FROM arp_cache a\n),\nlocal_interfaces AS (\n SELECT \n id.interface,\n id.mac AS LocalMAC,\n ia.address AS LocalAddress\n FROM interface_details id\n LEFT JOIN interface_addresses ia ON id.interface = ia.interface\n WHERE id.mac IS NOT NULL\n AND ia.address IS NOT NULL\n)\nSELECT \n ae.RemoteAddress,\n ae.RemoteMACAddress,\n ae.InterfaceName,\n ae.Store,\n ae.AddressFamily,\n li.LocalAddress,\n li.LocalMAC\nFROM arp_entries ae\nLEFT JOIN local_interfaces li ON ae.InterfaceName = li.interface\nORDER BY ae.InterfaceName, ae.RemoteAddress;",
52+
"query": "-- ARP Cache with Local Interface Information\n-- Provides complete network neighbor context by joining ARP cache with interface details\n-- Source: arp_cache + interface_details + interface_addresses tables\n-- Equivalent to Windows.Network.ArpCache artifact\n\nWITH arp_entries AS (\n SELECT \n a.address AS RemoteAddress,\n a.mac AS RemoteMACAddress,\n a.interface AS InterfaceName,\n CASE \n WHEN a.permanent = '1' THEN 'Persistent'\n ELSE 'Active'\n END AS Store,\n CASE\n WHEN a.address LIKE '%:%' THEN 'ipv6'\n ELSE 'ipv4'\n END AS AddressFamily\n FROM arp_cache a\n),\nlocal_interfaces AS (\n SELECT \n id.interface,\n id.mac AS LocalMAC,\n ia.address AS LocalAddress\n FROM interface_details id\n LEFT JOIN interface_addresses ia ON id.interface = ia.interface\n WHERE id.mac IS NOT NULL\n AND ia.address IS NOT NULL\n)\nSELECT \n ae.RemoteAddress,\n ae.RemoteMACAddress,\n ae.InterfaceName,\n ae.Store,\n ae.AddressFamily,\n li.LocalAddress,\n li.LocalMAC\nFROM arp_entries ae\nLEFT JOIN local_interfaces li ON ae.InterfaceName = li.interface\nORDER BY ae.InterfaceName, ae.RemoteAddress;", "platform": "linux,darwin,windows",
5453
"updated_at": "2025-11-07T00:00:00.000Z",
5554
"updated_by": "elastic"
5655
},
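Review bot: The `"platform"` key is appended to the end of the `"query"` line instead of staying on its own line like `"id"`, `"interval"` and `"updated_at"`; the JSON is still valid, but it hides the platform value behind a very long query string and will produce noisy diffs on every future edit of either key. Keep it as a separate line, e.g. `"platform": "linux,darwin,windows",` directly after the query. Since the platform scope of the saved query changed, `"updated_at": "2025-11-07T00:00:00.000Z"` (left untouched as context here) should probably be bumped as well. One observation on the query itself, independent of this change: `local_interfaces` does a `LEFT JOIN interface_addresses` without filtering on address family, so an interface with several addresses (typically one IPv4 plus one or more IPv6) yields one ARP row per local address; if a single row per neighbour is the intent, the join should be restricted to the address family computed in `AddressFamily`, or the local address aggregated.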
