Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
windows_eventlog
Table for querying all recorded Windows event logs.
| Column | Type | Description |
|---|---|---|
| channel | text | Source or channel of the event. Required in `WHERE` clause. |
| computer_name | text | Hostname of system where event was generated. |
| data | text | Data associated with the event. |
| datetime | text | System time at which the event occurred. |
| eventid | integer | Event ID of the event. |
| keywords | text | A bitmask of the keywords defined in the event. |
| level | integer | Severity level associated with the event. |
| pid | integer | Process ID which emitted the event record. |
| provider_guid | text | Provider GUID of the event. |
| provider_name | text | Provider name of the event. |
| task | integer | Task value associated with the event. |
| tid | integer | Thread ID which emitted the event record. |
| time_range | text | System time to selectively filter the events. Not returned in `SELECT * FROM windows_eventlog`. |
| timestamp | text | Timestamp to selectively filter the events. Not returned in `SELECT * FROM windows_eventlog`. |
| xpath | text | The custom query to filter events. Required in `WHERE` clause. Not returned in `SELECT * FROM windows_eventlog`. |
Tracking user account changes is a key part of both detection and incident response. This query lists all Windows event log records from the Security channel with an EventID of 4720 (a user account was created). There are many other relevant EventIDs in this channel that should be monitored as well:

```sql
SELECT datetime,computer_name,data FROM windows_eventlog WHERE eventid=4720 AND channel='Security'
```
This is not an evented table; instead, each query reads directly from the local system's existing event logs. The information returned in the `data` column is JSON formatted and will require additional parsing.
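The following is an added example, not Fleet's or osquery's own code, showing the "additional parsing" step for the query above: it takes rows shaped like that query's output (`datetime`, `computer_name`, `data`), decodes the JSON in the `data` column into flat account-creation records, and flags creations not performed by an approved provisioning account. The sample rows, the `APPROVED_CREATORS` allow-list, and the assumed JSON shape (event fields under a top-level `"EventData"` object with `TargetUserName`, `SubjectUserName` and related keys) are constructed for this example; confirm the exact key names against live output from one of your own hosts before relying on them.

```python
# Added example for this page; not Fleet's or osquery's own code.
# Parses the JSON `data` column returned by the windows_eventlog query for
# Security event 4720 into flat records and flags unexpected creators.
#
# Assumptions (not from the page): SAMPLE_ROWS are constructed, and the
# JSON in `data` is assumed to carry the event's fields under a top-level
# "EventData" object. Verify the key names against a real host's output.
import json
from dataclasses import dataclass

# The query from the page, as it would be sent to a host through Fleet.
QUERY = ("SELECT datetime,computer_name,data FROM windows_eventlog "
         "WHERE eventid=4720 AND channel='Security'")

# Constructed sample result rows; not captured from a real system.
SAMPLE_ROWS = [
    {
        "datetime": "2024-05-01T10:15:32Z",
        "computer_name": "WKS-0042",
        "data": json.dumps({"EventData": {
            "TargetUserName": "svc_backup", "TargetDomainName": "WKS-0042",
            "SubjectUserName": "provisioner", "SubjectDomainName": "CORP",
            "SubjectLogonId": "0x3e7"}}),
    },
    {
        "datetime": "2024-05-01T11:02:07Z",
        "computer_name": "WKS-0042",
        "data": json.dumps({"EventData": {
            "TargetUserName": "support", "TargetDomainName": "WKS-0042",
            "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
            "SubjectLogonId": "0x5a1c3"}}),
    },
    {   # malformed data column: must be skipped, not crash the parser
        "datetime": "2024-05-01T11:05:00Z",
        "computer_name": "WKS-0042",
        "data": "<not json>",
    },
]

# Constructed allow-list of accounts expected to create local users.
APPROVED_CREATORS = {"CORP\\provisioner"}


@dataclass(frozen=True)
class AccountCreated:
    host: str
    when: str
    target: str      # DOMAIN\user that was created
    created_by: str  # DOMAIN\user of the subject that created it


def event_fields(raw: str) -> dict:
    """Decode the `data` column.

    Returns the EventData object when the JSON is wrapped as
    {"EventData": {...}}, the object itself when it is already flat, and
    an empty dict for anything that is not a JSON object.
    """
    try:
        obj = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    if not isinstance(obj, dict):
        return {}
    inner = obj.get("EventData")
    return inner if isinstance(inner, dict) else obj


def _qualified(fields: dict, domain_key: str, user_key: str) -> str:
    """Build a DOMAIN\\user string, using '?' for missing parts."""
    return f"{fields.get(domain_key, '?')}\\{fields.get(user_key, '?')}"


def parse_rows(rows: list) -> list:
    """Flatten query rows into AccountCreated records, dropping rows whose
    `data` cannot be decoded or lacks a target account."""
    out = []
    for row in rows:
        fields = event_fields(row.get("data", ""))
        if "TargetUserName" not in fields:
            continue
        out.append(AccountCreated(
            host=row.get("computer_name", ""),
            when=row.get("datetime", ""),
            target=_qualified(fields, "TargetDomainName", "TargetUserName"),
            created_by=_qualified(fields, "SubjectDomainName", "SubjectUserName"),
        ))
    return out


def unexpected_creations(events: list, approved: set) -> list:
    """Return creations whose subject is not an approved provisioning account."""
    return [e for e in events if e.created_by not in approved]


if __name__ == "__main__":
    for e in unexpected_creations(parse_rows(SAMPLE_ROWS), APPROVED_CREATORS):
        print(f"{e.when} {e.host}: {e.target} created by {e.created_by}")
```

Because the table is not evented, the same record will be returned every time the query runs; when scheduling it in Fleet, deduplicate on `computer_name` plus the event's own fields (or use Fleet's differential results) so repeated snapshots do not produce repeated alerts.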