  • Joe Bussing

    3 years ago
    I have a question for the group about osquery timestamps. In particular, I'm trying to understand the timestamps for the respective command line entries in the shell_history table. Sometimes I get data back that has an empty string for the
    time
    value. If 0 is the default, why would this show as empty?
    ""
    This is causing problems for us because we are receiving alerts on command line events that realistically occurred more than 1 year ago and have already been worked and triaged, but we can't make that determination just by looking at the shell_history table. We have thought about using file integrity monitoring on shell_history files in order to get access to the file_events table data and combine the two tables to give an idea of the last time the shell_history file was actually modified, but this seems like overkill and I was hoping someone might have a more elegant solution.
  • Mike Myers

    3 years ago
  • Joe Bussing

    3 years ago
    thanks