OS Query

Details
Content
Dependencies
Version History

Run OS query on a linux system.

Automations

Name	Description
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';' instead.
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.

Automations

Name	Description
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';' instead.
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.

Required Content Packs (2)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (39)

Pack Name	Pack By
FortiGate	By: Cortex XSOAR
Palo Alto Networks PAN-OS EDL Management (Deprecated)	By: Cortex XSOAR
Signal Sciences WAF	By: Cortex XSOAR
Kenna	By: Cortex XSOAR
VirusTotal - Private API (Deprecated)	By: VirusTotal
Rapid7 InsightVM	By: Cortex XSOAR
Cisco Umbrella Investigate	By: Cortex XSOAR
Image OCR	By: Cortex XSOAR
Developer Tools	By: Cortex XSOAR
EWS	By: Cortex XSOAR
GenericSQL	By: Cortex XSOAR
CrowdStrike Falcon Intelligence Sandbox	By: Cortex XSOAR
Cisco ASA	By: Cortex XSOAR
F5 Silverline	By: Cortex XSOAR
CVE Search	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Akamai WAF	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Sophos XG Firewall	By: Cortex XSOAR
VulnDB	By: Cortex XSOAR
Google Maps	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
ARIAPacketIntelligence	By: ARIA Cybersecurity Solutions
Cisco Firepower	By: Cortex XSOAR
ThreatX	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Slack	By: Cortex XSOAR
Cisco Secure Cloud Analytics (Stealthwatch Cloud)	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Zscaler Internet Access	By: Cortex XSOAR
Remote Access	By: Cortex XSOAR
Cylance Protect	By: Cortex XSOAR
Check Point Firewall	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

1.0.6 - 3649843 (September 13, 2022)

Scripts

OSQueryLoggedInUsers

Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.

OSQueryOpenSockets

Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path <> '' or remote_address <> '';' instead.

OSQueryProcesses

Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.

OSQueryUsers

Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.

Related pull requests:
- 21035
- 21234

Download

1.0.5 - 3612694 (September 7, 2022)

Scripts

OSQueryBasicQuery

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21003

Download

1.0.4 - R2146019 (December 21, 2021)

Scripts

OSQueryOpenSockets

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryProcesses

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryUsers

Updated the Docker image to: demisto/python:2.7.18.24398.

Download

1.0.3 - 2130530 (December 18, 2021)

Scripts

OSQueryBasicQuery

Updated the Docker image to: demisto/python:2.7.18.24398.

OSQueryLoggedInUsers

Updated the Docker image to: demisto/python:2.7.18.24398.

Download

1.0.2 - 7567740 (September 12, 2021)

Scripts

OSQueryBasicQuery

Updated the Docker image to: demisto/python:2.7.18.24066.

OSQueryLoggedInUsers

Updated the Docker image to: demisto/python:2.7.18.24066.

OSQueryOpenSockets

Updated the Docker image to: demisto/python:2.7.18.24066.

OSQueryProcesses

Updated the Docker image to: demisto/python:2.7.18.24066.

OSQueryUsers

Updated the Docker image to: demisto/python:2.7.18.24066.

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	September 13, 2022

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.