#macos

fritz

08/23/2020, 3:38 PM
@MaxosxOsquery you can use the extended_attributes table to look for where_froms data

MaxosxOsquery

08/23/2020, 8:16 PM
Thanks let me check
Any way to get the user_agent details like chrome, mailapp, or curl etc.?

Mike Myers

08/25/2020, 5:46 PM
osquery> select * from extended_attributes WHERE path="/Users/mmyers/Downloads/developerID_application.cer" AND key="quarantine_agent";
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| path                                                | directory               | key              | value  | base64 |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
| /Users/mmyers/Downloads/developerID_application.cer | /Users/mmyers/Downloads | quarantine_agent | Safari | 0      |
+-----------------------------------------------------+-------------------------+------------------+--------+--------+
👍 1

Magneto

08/25/2020, 5:49 PM
you can also query the gatekeeper table, no?

fritz

08/25/2020, 6:29 PM
@Magneto Only if you have added an ATC config block for lsquarantineeventsv2 database

Magneto

08/25/2020, 6:29 PM
ahhhh, that's right