OS Query

Details
Content
Dependencies
Version History

Run OS query on a linux system.

Automations

Name	Description
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/

Automations

Name	Description
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	July 8, 2025

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

PUBLISHER

PLATFORMS

INFO

DISCLAIMER