Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

yara

Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.

Column	Type	Description
count	integer	Number of YARA matches. Note that `count` is a reserved word and should be wrapped in quotes when referencing this column in a query.
matches	text	List of YARA matches
path	text	The path scanned Required in `WHERE` clause
pid_with_namespace	integer	Pids that contain a namespace *Not returned in `SELECT FROM yara`. Only available on linux**
sig_group	text	Signature group used
sigfile	text	Signature file used
sigrule	text	Signature strings used *Not returned in `SELECT FROM yara`.**
sigurl	text	Signature url *Not returned in `SELECT FROM yara`.**
strings	text	Matching strings
tags	text	Matching tags

Example

Look for files under /root that match a Yara signature. This example uses the EICAR test file.

SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
  'rule eicar {
  strings:
  $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
  condition:
  all of them
}'
 ) AND matches='eicar';

Edit page

Questions?

Ask us anything

Solutions Device management Orchestration Software management Integrations Pricing

Documentation Support Docs API Release notes Get your license

Company About Trust Jobs Logos/artwork Why open source?

SOC2 Type 2