Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
News Ask around Schedule a demo Share your story COMPANY The handbook What people are saying
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

yara

click to open the table of contents
macOS logo Windows logo Linux logo

yara

Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.

Column Type Description
count integer Number of YARA matches
matches text List of YARA matches
path text The path scanned
Required in WHERE clause
pid_with_namespace integer Pids that contain a namespace
Not returned in SELECT * FROM yara.
Only available on Linux
sig_group text Signature group used
sigfile text Signature file used
sigrule text Signature strings used
Not returned in SELECT * FROM yara.
sigurl text Signature url
Not returned in SELECT * FROM yara.
strings text Matching strings
tags text Matching tags

Example

Look for files under /root that match a Yara signature. This example uses the EICAR test file.

SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
  'rule eicar {
  strings:
  $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
  condition:
  all of them
}'
 ) AND matches='eicar';
Edit page

Questions?

Ask us anything
{{table.title}} evented table