Get started Vitals Queries Policies Software OS settings Data tables

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

appcompat_shims arp_cache authenticode autoexec azure_instance_metadata azure_instance_tags background_activities_moderator battery bitlocker_info carbon_black_info carves certificates chassis_info chocolatey_packages chrome_extension_content_scripts chrome_extensions cis_audit connectivity cpu_info cpuid cryptoinfo curl curl_certificate default_environment disk_info dns_cache drivers ec2_instance_metadata ec2_instance_tags etc_hosts etc_protocols etc_services file file_lines firefox_addons firefox_preferences fleetd_logs google_chrome_profiles groups hash hvci_status ie_extensions intel_me_info interface_addresses interface_details kernel_info kva_speculative_info listening_ports logged_in_users logical_drives logon_sessions mdm_bridge memory_devices npm_packages ntdomains ntfs_acl_permissions ntfs_journal_events

office_mru orbit_info os_version osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry osquery_schedule parse_ini parse_json parse_jsonl parse_xml patches physical_disk_performance pipes platform_info powershell_events

prefetch process_etw_events

process_memory_map process_open_sockets processes programs puppet_info puppet_logs puppet_state python_packages registry routes scheduled_tasks secureboot security_profile_info services shared_resources shellbags shimcache sntp_request ssh_configs startup_items system_info time tpm_info uptime user_groups user_ssh_keys userassist users video_info vscode_extensions winbaseobj windows_crashes windows_eventlog windows_events

windows_firewall_rules windows_optional_features windows_search windows_security_center windows_security_products windows_update_history windows_updates wmi_bios_info wmi_cli_event_consumers wmi_event_filters wmi_filter_consumer_binding wmi_script_event_consumers yara ycloud_instance_metadata

shared_resources

Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.

Column	Type	Description
allow_maximum	integer	Number of concurrent users for this resource has been limited. If True, the value in the MaximumAllowed property is ignored.
description	text	A textual description of the object
install_date	text	Indicates when the object was installed. Lack of a value does not indicate that the object is not installed.
maximum_allowed	bigint	Limit on the maximum number of users allowed to use this resource concurrently. The value is only valid if the AllowMaximum property is set to FALSE.
name	text	Alias given to a path set up as a share on a computer system running Windows.
path	text	Local path of the Windows share.
status	text	String that indicates the current status of the object.
type	bigint	Type of resource being shared. Types include: disk drives, print queues, interprocess communications (IPC), and general devices.
type_name	text	Human readable value for the 'type' column

Example

Network shares with loose access controls are common places that leak sensitive information. This query looks for shared drives on Windows systems that likely contain sensitive data, by listing all shared folders that have the word backup in their name. This does not include ADMIN$ type shares.

SELECT description,name,path FROM shared_resources WHERE type = 0 and name like '%backup%';

Notes

type_name is a human readable value of the type column. These values can include: "Disk Drive Admin", "IPC Admin", "Disk Drive"

Edit page

Questions?

Ask us anything