Processes

osquery
Currently running programs, only the columns that are not constantly changing
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.

Query

-- Currently running programs, only the columns that are not constantly changing
--
-- tags: postmortem often
-- platform: posix
SELECT
  pid,
  name,
  path,
  cmdline,
  state,
  cwd,
  root,
  uid,
  gid,
  euid,
  egid,
  suid,
  sgid,
  on_disk,
  start_time,
  parent,
  pgroup,
  threads,
  nice,
  cgroup_path
FROM
  processes

Reference

https://github.com/chainguard-dev/osquery-defense-kit