OS Query

Details
Content
Dependencies
Version History

Run OS query on a linux system.

Automations

Name	Description
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.

Automations

Name	Description
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	May 13, 2025

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryOpenSockets

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryBasicQuery

Scripts

OSQueryOpenSockets

PUBLISHER

PLATFORMS

INFO

DISCLAIMER