osquery sqlite functions

osquery extends SQLite's built-in functions to give you more tools to identify IOCs, do basic data processing client side, or access other core osquery functionality in a more natural manner. Because they are ordinary SQLite functions, they can be used anywhere an expression is allowed: in the SELECT list, in WHERE clauses, and nested inside one another. The osquery-specific functions are listed below.

base64 commands

  • to_base64 - Take a field and base64 encode it.
  • from_base64 - Take a field and base64 decode it. If decoding fails, the empty string is returned, so a test for '' is the way to tell "did not decode" from a decoded value.
  • to_base64_conditional - Take a field and base64 encode it only if it contains non-ASCII characters; plain ASCII text is returned unchanged. This keeps ordinary values readable while making binary-looking values safe to ship in a text log.
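
As an added example (not taken from the osquery documentation), the query below decodes a base64 argument passed to a shell and uses the empty-string failure mode to drop arguments that did not decode. It assumes a Linux or macOS host where the processes table exposes a space-separated cmdline; the command line in the comment is constructed sample data, not a real observation.

```sql
-- Added example, not from the osquery docs. Constructed sample process:
--   name = 'sh', cmdline = 'sh -c dW5hbWUgLWE='   (the argument decodes to: uname -a)

-- Round trip on a literal, to see what the functions return.
SELECT to_base64('osquery')                AS encoded,   -- b3NxdWVyeQ==
       from_base64(to_base64('osquery'))   AS decoded,   -- osquery
       from_base64('%% not base64 %%')     AS failed,    -- '' (decode failed)
       to_base64_conditional('osquery')    AS untouched; -- osquery (ASCII, left as-is)

-- Decode the third space-separated token of shell command lines.
-- split() indexes from zero, so token 2 is the argument after "-c".
-- The '' check only removes what the decoder rejected: a short token such as
-- 'ls' may still "decode" to junk bytes, so decoded_arg needs a human eye.
SELECT pid,
       name,
       cmdline,
       from_base64(split(cmdline, ' ', 2)) AS decoded_arg
FROM processes
WHERE name IN ('sh', 'bash', 'zsh')
  AND cmdline LIKE '% -c %'
  AND from_base64(split(cmdline, ' ', 2)) != '';

-- Ship command lines safely: binary-looking values get encoded, the rest stay readable.
SELECT pid, name, to_base64_conditional(cmdline) AS cmdline
FROM processes;
```

For the constructed process above, decoded_arg would be `uname -a`. Note that the decode runs in the WHERE clause as well as the SELECT list; SQLite evaluates the function twice, which is fine for a handful of processes but worth remembering on hosts with thousands.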

Hashing functions

  • md5 - Hash a field using the MD5 algorithm and return the hex digest.
  • sha1 - Hash a field using the SHA1 algorithm and return the hex digest.
  • sha256 - Hash a field using the SHA256 algorithm and return the hex digest.

  These functions digest the value of the field handed to them, treated as a string. Passing a path hashes the path text, not the file it names; to hash file contents, query the hash table.
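
The following is an added example, not part of the osquery documentation. It contrasts hashing a field value with hashing a file through the hash table, and shows a defensive use of the functions: pseudonymizing a field before it leaves the host. The IOC value in the last query is a constructed placeholder (it is simply the SHA-256 of the string 'hello'), not a real indicator.

```sql
-- Added example, not from the osquery docs.

-- 1. The functions digest the VALUE they are given. Well-known digests of 'hello':
SELECT md5('hello')    AS md5_hex,     -- 5d41402abc4b2a76b9719d911017c592
       sha1('hello')   AS sha1_hex,    -- aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
       sha256('hello') AS sha256_hex;  -- 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

-- 2. Pseudonymize before shipping: send a token derived from the username instead of
--    the username. An unsalted digest of a low-entropy value is cheap to brute-force,
--    so this hides the field from casual viewing, not from a determined attacker.
SELECT sha256(username) AS user_token, uid, shell
FROM users;

-- 3. NOT a file hash: this digests the text of the path, e.g. '/usr/bin/curl'.
SELECT name, sha256(path) AS path_text_digest
FROM processes
WHERE name = 'curl';

-- 4. A file hash comes from the hash table. Joining on path supplies the constraint
--    the hash table requires, and hashes exactly the binaries that are running.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes p
JOIN hash h USING (path)
WHERE h.sha256 IN (
  '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'  -- constructed placeholder
);
```

Query 4 is the IOC-matching pattern; queries 1 to 3 exist to make the distinction explicit, because `sha256(path)` looks plausible and silently returns a digest of the wrong thing.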

carving

  • carve - Takes a set of paths and carves them using the configured carving infrastructure. Carving is disabled by default and must be enabled in the osquery flags before this function does anything. See the article on screenshot auditing for more details.

String processing

  • split - Takes a string, a delimiter, and an index (i). Splits the string on the delimiter and returns the ith element. The index is zero-based, so split('a,b,c', ',', 1) returns 'b'.
  • regex_split - Takes a string, a regex, and an index (i). Splits the string on regex matches and returns the ith element, zero-based as with split.
  • inet_aton - Convert a dotted-quad IPv4 address string to its 32-bit integer value. This makes address ranges comparable numerically; comparing the strings directly sorts lexically, so '9.0.0.1' would sort after '10.0.0.1'.
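
The queries below are an added example, not from the osquery documentation. They show nested split calls peeling an option value out of a command line, regex_split normalizing whitespace in shell history, and inet_aton turning the lexical-comparison pitfall into a correct RFC 1918 range check. They assume a Linux or macOS host with the processes, shell_history and process_open_sockets tables; the literal command line in the first query is constructed sample data.

```sql
-- Added example, not from the osquery docs.

-- split: zero-based positional access. Nest calls to peel an option's value.
-- Constructed literal standing in for a cmdline column.
SELECT split('osqueryd --flagfile=/etc/osquery/osquery.flags --verbose', ' ', 1)
         AS flag_arg,                                       -- --flagfile=/etc/osquery/osquery.flags
       split(split('osqueryd --flagfile=/etc/osquery/osquery.flags --verbose', ' ', 1), '=', 1)
         AS flagfile;                                       -- /etc/osquery/osquery.flags

-- regex_split: take the first token even when commands were typed with runs of spaces,
-- then rank which programs were run from interactive shells.
SELECT program, count(*) AS runs
FROM (
  SELECT regex_split(command, ' +', 0) AS program
  FROM shell_history
)
GROUP BY program
ORDER BY runs DESC;

-- inet_aton: numeric range checks on IPv4 addresses. A string comparison such as
-- remote_address > '10.0.0.0' is lexical and wrong; the integer form is not.
-- family = 2 (AF_INET) restricts to IPv4 sockets, which is all inet_aton understands.
SELECT p.pid, p.name, s.remote_address, s.remote_port
FROM process_open_sockets s
JOIN processes p USING (pid)
WHERE s.family = 2
  AND s.remote_address NOT IN ('', '0.0.0.0')
  AND NOT (
        inet_aton(s.remote_address) BETWEEN inet_aton('10.0.0.0')    AND inet_aton('10.255.255.255')
     OR inet_aton(s.remote_address) BETWEEN inet_aton('172.16.0.0')  AND inet_aton('172.31.255.255')
     OR inet_aton(s.remote_address) BETWEEN inet_aton('192.168.0.0') AND inet_aton('192.168.255.255')
     OR inet_aton(s.remote_address) BETWEEN inet_aton('127.0.0.0')   AND inet_aton('127.255.255.255')
  );
```

The last query lists processes talking to addresses outside the private and loopback ranges; inet_aton('10.0.0.0') evaluates to 167772160 and inet_aton('192.168.0.1') to 3232235521, which is why BETWEEN on the converted values behaves like a CIDR test. IPv6 sockets are excluded by the family filter rather than converted, since the function is IPv4-only.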