variable_dict_from_osquery
Define a variable that contains key,value pairs (a dictionary) from an osquery query.
⚙️ Compatible targets: Linux
Parameters
| Name | Documentation |
|---|---|
| prefix | The prefix of the variable name. This parameter is required. |
| name | The variable to define, the full name will be prefix.name. This parameter is required. |
| query | The query to execute (ending with a semicolon). This parameter is required. |
Outcome conditions
You need to replace ${name} with its actual canonified value.
- ✅ Ok: `variable_dict_from_osquery_${name}_ok`
- ☑️ Already compliant: `variable_dict_from_osquery_${name}_kept`
- 🟨 Repaired: `variable_dict_from_osquery_${name}_repaired`
- ❌ Error: `variable_dict_from_osquery_${name}_error`
Example
```yaml
method: variable_dict_from_osquery
params:
  query: VALUE
  name: VALUE
  prefix: VALUE
```
Documentation
To use the generated variable, you must use the form ${prefix.name[key]} with each name replaced with the parameters of this method.
Be careful that using a global variable can lead to unpredictable content if it is defined more than once, which implicitly happens when a technique has more than one instance (directive). Please note that only global variables are available within templates.
This method will define a dict variable from the output of an osquery query. The query will be executed at every agent run, and its result will be usable as a standard dict variable.
Setup
This method requires the presence of osquery on the target nodes. It won't install it automatically. Check the correct way of doing so for your OS.
Building queries
To learn about the possible queries, read the osquery schema for your osquery version.
You can test the queries before using them with the osqueryi command, see the example below.
Examples
```
# To get the number of cpus on the machine
variable_dict_from_osquery("prefix", "var1", "select cpu_logical_cores from system_info;");
```
It will produce the dict from the output of:
```
osqueryi --json "select cpu_logical_cores from system_info;"
```
Hence something like:
```json
[
{"cpu_logical_cores":"8"}
]
```
To access this value, use the ${prefix.var1[0][cpu_logical_cores]} syntax.
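The following is an added illustration, not code from Rudder or the method itself. It models what the method does with the osqueryi JSON output and how a `${prefix.name[i][key]}` reference (the syntax from the Examples section) is resolved against it, and it derives the outcome class names from the Outcome conditions section. The osquery output is a constructed sample (the single-row result copied from the page, plus a constructed multi-row result to show row indexing); the semicolon check, the `canonify` helper (non-alphanumeric characters replaced by `_`, as CFEngine does) and the variable store are assumptions made for the example.

```python
import json
import re

# Constructed sample: what `osqueryi --json "select cpu_logical_cores from system_info;"`
# prints on an 8-core host (value taken from the page's example).
SAMPLE_OSQUERY_OUTPUT = '[\n{"cpu_logical_cores":"8"}\n]\n'

# Constructed multi-row sample: the shape a query over a multi-row table returns.
SAMPLE_MULTI_ROW_OUTPUT = json.dumps([
    {"name": "sshd", "pid": "812"},
    {"name": "cron", "pid": "915"},
])

# Regex for a ${prefix.name[seg][seg]...} reference (assumed syntax model).
REF_RE = re.compile(
    r"^\$\{(?P<prefix>[A-Za-z0-9_]+)\.(?P<name>[A-Za-z0-9_]+)(?P<path>(\[[^\]]+\])*)\}$"
)


def check_query(query):
    """Enforce the method's stated requirement: the query must end with a semicolon."""
    q = query.strip()
    if not q.endswith(";"):
        raise ValueError("query must end with a semicolon: %r" % query)
    return q


def canonify(name):
    """Assumed canonification: any non-alphanumeric character becomes '_'."""
    return re.sub(r"[^A-Za-z0-9]", "_", name)


def outcome_class(name, status):
    """Build the outcome condition name for a given variable name and status."""
    return "variable_dict_from_osquery_%s_%s" % (canonify(name), status)


def define_dict_variable(variables, prefix, name, osquery_json):
    """Store the parsed osqueryi --json output (a list of row dicts) under prefix.name."""
    data = json.loads(osquery_json)
    if not isinstance(data, list):
        raise ValueError("osqueryi --json output must be a JSON array of rows")
    variables.setdefault(prefix, {})[name] = data
    return data


def resolve(variables, reference):
    """Resolve ${prefix.name[i][key]}: numeric segments index rows, others pick a column."""
    m = REF_RE.match(reference)
    if not m:
        raise ValueError("not a variable reference: %r" % reference)
    value = variables[m.group("prefix")][m.group("name")]
    for seg in re.findall(r"\[([^\]]+)\]", m.group("path")):
        value = value[int(seg)] if isinstance(value, list) else value[seg]
    return value


def demo():
    """Define two dict variables from constructed output and read them back."""
    variables = {}
    check_query("select cpu_logical_cores from system_info;")
    define_dict_variable(variables, "prefix", "var1", SAMPLE_OSQUERY_OUTPUT)
    define_dict_variable(variables, "prefix", "procs", SAMPLE_MULTI_ROW_OUTPUT)
    return {
        "cores": resolve(variables, "${prefix.var1[0][cpu_logical_cores]}"),
        "second_proc": resolve(variables, "${prefix.procs[1][name]}"),
        "row_count": len(variables["prefix"]["procs"]),
        "ok_class": outcome_class("var1", "ok"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that osquery returns every column as a string (the page's sample shows `"8"`, not `8`), so comparisons in a technique should treat the value as text or convert it explicitly.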