  • n0b00de (3 months ago)
    Can temp tables be created in Fleet queries?
  • zwass (3 months ago)
    Yes, that should be possible! Are you running into any issue? Also, I'm curious what your use case for this is?
  • n0b00de (3 months ago)
    @zwass We were brainstorming ideas, and temp tables came up as a possible solution for the problem we are facing: we want to run about 70 different queries, and we didn't want to run OR statements for each query. What would you recommend for this? E.g., if I wanted to detect what AV/XDR an endpoint had, how could I write a query looking for the top 30 AV/XDR products?
  • zwass (3 months ago)
    What would you be looking for in that query? Perhaps something like
    select name, cmdline, path, pid from processes where name in ('carbonblackagent', 'cylanceagent', 'crowdstrikeagent')
    ?
    (replacing those strings with the actual process names you'd be looking for.)
  • Michal Nicpon (3 months ago)
    If you want to use temporary tables, this seems to work:
    drop table if exists x;
    create temp table x (
      name varchar(255)
    );
    insert into x (name) values ('clamd');

    SELECT * FROM processes p join x on p.name = x.name;
    I think you need to drop temporary tables because osquery keeps a single sqlite db connection open. It would fail the next time the query runs if you don't clean up.
  • zwass (3 months ago)
    IIRC sqlite also supports
    CREATE TABLE... IF NOT EXISTS
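Added example, not posted by anyone in the thread: a version of the temp-table lookup that combines Michal Nicpon's pattern with the `IF NOT EXISTS` idea from zwass, so the query stays idempotent across runs on osquery's single open sqlite connection without a `DROP` step. The table name `av_products`, the `vendor` column and the process names are assumptions; the names reuse the placeholder strings from the thread and must be replaced with the binaries you actually expect to see.

```sql
-- Added example (not from the thread). Builds a lookup table of AV/XDR agent
-- process names once, then joins it against osquery's processes table.
-- Table/column names and the process names are placeholders to be replaced.

-- IF NOT EXISTS lets the statement succeed again on the same sqlite connection
-- that osquery keeps open between runs, so no DROP is needed up front.
CREATE TEMP TABLE IF NOT EXISTS av_products (
  vendor       TEXT NOT NULL,
  process_name TEXT NOT NULL PRIMARY KEY
);

-- INSERT OR IGNORE is a no-op for rows already present (PRIMARY KEY conflict),
-- so repeated runs do not duplicate entries or fail.
INSERT OR IGNORE INTO av_products (vendor, process_name) VALUES
  ('Carbon Black', 'carbonblackagent'),   -- placeholder name from the thread
  ('Cylance',      'cylanceagent'),       -- placeholder name from the thread
  ('CrowdStrike',  'crowdstrikeagent'),   -- placeholder name from the thread
  ('ClamAV',       'clamd');              -- placeholder name from the thread

-- One row per running agent process; the lower() call makes the match
-- case-insensitive, which matters for Windows executable names.
SELECT a.vendor, p.name, p.pid, p.path, p.cmdline
FROM av_products a
JOIN processes p ON lower(p.name) = lower(a.process_name);
```

The `SELECT` is kept as the last statement, as in Michal's example. If you prefer to clean up explicitly instead of relying on `IF NOT EXISTS`, put `DROP TABLE IF EXISTS av_products;` before the `CREATE` as Michal did. Matching on `processes` only shows agents that are currently running; a stopped or uninstalled agent is invisible to this query, so the same lookup table is also worth joining against the installed-software tables for the platform if you need to distinguish "not installed" from "installed but not running".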