Get started Vitals Queries Policies Software OS settings Data tables

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

appcompat_shims arp_cache authenticode autoexec azure_instance_metadata azure_instance_tags background_activities_moderator battery bitlocker_info carbon_black_info carves certificates chassis_info chocolatey_packages chrome_extension_content_scripts chrome_extensions cis_audit connectivity cpu_info cpuid cryptoinfo curl curl_certificate default_environment disk_info dns_cache drivers ec2_instance_metadata ec2_instance_tags etc_hosts etc_protocols etc_services file file_lines firefox_addons firefox_preferences fleetd_logs google_chrome_profiles groups hash hvci_status ie_extensions intel_me_info interface_addresses interface_details kernel_info kva_speculative_info listening_ports logged_in_users logical_drives logon_sessions mdm_bridge memory_devices npm_packages ntdomains ntfs_acl_permissions ntfs_journal_events

office_mru orbit_info os_version osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry osquery_schedule parse_ini parse_json parse_jsonl parse_xml patches physical_disk_performance pipes platform_info powershell_events

prefetch process_etw_events

process_memory_map process_open_sockets processes programs puppet_info puppet_logs puppet_state python_packages registry routes scheduled_tasks secureboot security_profile_info services shared_resources shellbags shimcache sntp_request ssh_configs startup_items system_info time tpm_info uptime user_groups user_ssh_keys userassist users video_info vscode_extensions winbaseobj windows_crashes windows_eventlog windows_events

windows_firewall_rules windows_optional_features windows_search windows_security_center windows_security_products windows_update_history windows_updates wmi_bios_info wmi_cli_event_consumers wmi_event_filters wmi_filter_consumer_binding wmi_script_event_consumers yara ycloud_instance_metadata

patches

The patches osquery table lists Windows security patch updates.

Column	Type	Description
caption	text	Short description of the patch.
csname	text	The name of the host the patch is installed on.
description	text	Fuller description of the patch.
fix_comments	text	Additional comments about the patch.
hotfix_id	text	The KB ID of the patch.
install_date	text	Indicates when the patch was installed. Lack of a value does not indicate that the patch was not installed.
installed_by	text	The system context in which the patch as installed.
installed_on	text	The date when the patch was installed.

Example

Basic query:

SELECT * FROM patches;

This query determines if a specific hotfix patch is installed:

SELECT * FROM patches WHERE hotfix_id='kb5037663';

Notes

Microsoft creates a support page per hotfix patch. Support pages can be discovered by doing a web browser search for the hotfix ID string (e.g., KB5037663).

Microsoft documentation for KB5037663

The patches table does not include updates that are applied via Windows Installer / Microsoft Standard Installer packages (.msi) or updates downloaded directly from Windows Update (e.g., Service Packs).

Windows Installer

Edit page