Schema
OpenVPN query
The following query should identify all assets with OpenVPN installed and last time it was used SELECT p.upt_hostname AS asset_name, MAX(p.upt_time) AS openvpn_last_accessed FROM socket_events se JOIN processes p on se.pid = p.pid WHERE se.pid > 0 ...
Top resource consuming queries for an asset
Top 10 wall_time consuming queries SQL Query SELECT name, query, wall_time, user_time, system_time, executions FROM osquery_schedule WHERE upt_asset_id = '<asset_id>' AND upt_day = <upt_day> ORDER BY wall_time DESC LIMIT 10; Top 10 Overall CPU time ...
Find Realtime queries executed in the last 24 hours
This article includes the query to find all the real time queries that were executed in the last 24 hours Query WITH queries AS (SELECT Json_extract_scalar(logs.api_body, '$.query') AS query, ...
Windows Disk Usage query
The article includes query to fetch the Windows Disk usage: Query SELCET DISTINCT upt_hostname, upt_time, device_id, size, free_space, size - free_space ...
upt_api_audit_logs table
Type : Global Platform : All upt_api_audit_logs table maintains an audit of all api calls performed on Uptycs portal. +----------------------+-------------------------------------------------------------------+ | name | description ...
Process_Open_Sockets v/s Socket_Events
This article explains the difference between socket information captured by Process_open_sockets and socket_events. The article is also applicable in case of processes i.e process information captured by table 'Processes' and table 'Process_events' ...
Query: Query for Processes Running on a Set of Machines (and not on Other Machines)
This article presents a sample Uptycs query to find processes that are running on a set of endpoints but not on a specific set of other endpoints. TABLE OF CONTENTS No headings available. Use Paragraph Format to add one. In this example we are ...
Windows Forensic Analysis queries
This article includes a list of queries to conduct forensic analysis on Windows systems. These are categorized into sections as - processes, services, file system activities, user login/session activities, network traffic. ...
Query to find the Process Tree
Query WITH pstree AS (SELECT 0 AS LEVEL, pid, name, parent, Cast(pid AS TEXT) AS ppid, name AS pparent FROM processes WHERE parent = 0 UNION ALL SELECT LEVEL + 1, t.pid, t.name, t.parent, pstree.ppid || ', ' || Cast(t.pid AS TEXT), pstree.pparent || ...
Tracing command execution back to a user across an ssh session
Some IT shops have sysadmins logging into a Jumpbox or Bastion host (with their individual id’s) then logging into production servers as root and running commands. In such a case it can be difficult to trace command execution back to the sysadmin who ...
Query to find Inbound / Outbound connections on Mac
Query WITH mac_assets AS (SELECT t.upt_asset_id FROM upt_asset_tags t WHERE t.key = 'upt-mac-edr') SELECT DISTINCT pos.upt_asset_id, ps.name, pos.pid, pos.local_address, pos.remote_address, pos.local_port, pos.remote_port, CASE WHEN pos.pid = lp.pid ...
Query to find Processes Running
Processes running between certain times Query SELECT * FROM windowed_processes p WHERE p.upt_add_time >= <TIMESTAMP> AND p.upt_add_time <= <TIMESTAMP>; Example All processes running between 2018-07-18 2:00 to 2018-08-18 3:00 SELECT * FROM ...
Query to find the Average CPU Load for the last 1 Hr.
Query SELECT upt_asset_id, Avg((100 - (Cast(cpu_idle AS DOUBLE)/Cast(cpu_total AS DOUBLE))*100)) AS avg_busy_percent , Avg((Cast(cpu_idle AS DOUBLE)/Cast(cpu_total AS DOUBLE))*100) AS idle_percent FROM upt_metrics WHERE upt_time >= localtimestamp - ...
High CPU Utilization Alert Query
Query WITH cpu_incremental AS ( SELECT upt_asset_id, upt_hostname, upt_time, cpu_idle - LAG(cpu_idle) OVER (PARTITION BY upt_asset_id ORDER BY upt_time) AS cpu_idle, cpu_total - LAG(cpu_total) OVER (PARTITION BY upt_asset_id ORDER BY upt_time) AS ...
Query to find Processes delta between last 2 weeks
Query WITH last_week_processes_cmds AS ( SELECT DISTINCT upt_asset_id, name, cmdline, path FROM processes WHERE upt_day >= Cast(Date_format(current_date - interval '14' day, '%Y%m%d') AS INTEGER) AND upt_day < Cast(Date_format(current_date - interval ...
Disk Usage Query (Linux and Darwin)
This article includes the query used to find out the disk usage of a mount point for a particular host: Query SELECT m.upt_asset_id, m.upt_time, m.path, Round(( ( m.blocks - m.blocks_available ) * m.blocks_size * 10e-10 ), 2) AS used_gigs FROM ...
Query to find the number of Osquery restarts in a day for all hosts
Following query, run on Global database, would provide details on number of osquery restarts in a day (GMT) Query SELECT upt_hostname, Count(0) FROM processes WHERE name LIKE 'osqueryd%' AND upt_added AND upt_day = Cast(Date_format(current_date - ...
Query for CVE-2020-1350 Vulnerability for Windows Domain Name Systems
Microsoft released an update on July 14 2020 for CVE-2020-1350 , a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a ...
Announcements
Release notes-Release 106069
June 2, 2022 XDR New Feature Global Threat Intelligence (GTI) Uptycs GTI feature for the Security/SOC analyst to identify threat indicators such as bad IP addresses or suspicious domains, along with evidential data and insightful information from various
Release notes-Release 105051
May 15, 2022 XDR Enhancements Support to attach global rule exceptions to event rules and alert rules automatically based on matching table name. For more information, see Global Rule Exceptions. Kubernetes Security Posture Management (KSPM) Enhancements
Release notes-Release 104065
April 29, 2022 SaaS New Feature Zero Trust Score Capability to specify severity for a compliance check per OS. When a compliance check runs on an endpoint, a zero trust score is calculated by the pass/fail status of the compliance check and the specified
Release notes-Release 103055
April 10, 2022 SaaS New Feature Exploit Tracker New dashboards to monitor Spring Shell and Spring Cloud vulnerabilities. For more information, see Exploit Tracker. Enhancements Bulk enable, disable, or delete Global Rule Exceptions. For more information,
Release notes-Release 102039
March 27, 2022 SaaS New Feature Managed Anti-virus (AV) Dashboard - Beta Managed AV dashboards to monitor Windows defender status and threat history of Windows endpoints. For more information, see Managed AV Dashboards. New Feature Disk Scans - Beta