--- # Skill metadata name: "osquery-query-helper" description: "Help users write, validate, and troubleshoot osquery SQL queries using provided osquery table schemas as the authoritative source." --- # Osquery Query Helper ## What This Skill Does Help users with all aspects of osquery query work: - **Write queries** from scratch based on investigation goals - **Validate queries** the user has written against the schema - **Troubleshoot queries** that aren't working as expected - **Suggest improvements** for performance and accuracy All work is grounded in the tables and columns defined in the provided schema files for the specified EDR platform. ## When to Use - User needs a query written for incident response or threat hunting - User wants to validate an existing query against the correct schema - User has a query that's failing and needs help troubleshooting - User wants suggestions to improve query performance --- ## Schema File Format Schema files are located in `resources/` and named by EDR platform: `_osquery_schema.spec` - `standard_osquery_schema.spec` — Baseline vanilla osquery (default when no platform specified) - EDR-specific examples: `bitdefender_`, `kolide_`, `crowdstrike_`, `sentinelone_`, `carbonblack_` To discover available platforms: ```bash ls resources/*_osquery_schema.spec 2>/dev/null || ls resources/*.spec ``` ### Platform Notation Formats Schema files use **one of two formats** to indicate OS compatibility: #### Format 1: Explicit `platforms([...])` field ``` table_name("") description("Brief description.") schema([ Column("column_name", TYPE, "Column description") ]) implementation("@genTable") platforms(["darwin", "linux", "windows"]) ``` #### Format 2: `#platform` marker before table definitions A platform marker on its own line applies to all tables until the next marker: ``` #darwin table_name("") ... #linwin table_name("") ... ``` ### Platform Marker Reference | Marker | Platforms | |--------|-----------| | `#darwin` | macOS only | | `#linux` | Linux only | | `#windows` | Windows only | | `#linwin` | Linux and Windows | | `#macwin` | macOS and Windows | | `#posix` | macOS, Linux, FreeBSD | | `#sleuthkit` | macOS, Linux (requires The Sleuth Kit) | | `#utility` | Cross-platform utility tables | | `#cross-platform` | All supported platforms | --- ## Schema Lookup Procedure The schema files are large. **Always** follow the workflow below to extract table definitions. Helper scripts are provided in `scripts/` to simplify complex operations: - `scripts/detect-format.sh` - Determines schema format - `scripts/extract-table.sh` - Extracts complete table definitions ### 1. Search for Relevant Tables ```bash # Search by table name keyword grep -i 'table_name(".*' "$SCHEMA_FILE" # Search descriptions for concepts grep -i 'description(".*' "$SCHEMA_FILE" ``` ### 2. Extract Full Table Definition Use the extraction script to get the complete table definition: ```bash bash scripts/extract-table.sh ``` Example: ```bash bash scripts/extract-table.sh resources/standard_osquery_schema.spec processes ``` The script automatically: - Detects the schema format (platforms array vs platform markers) - Extracts the complete table definition including all columns and platform info - Includes the `#platform` marker for Format 2 schemas If you need to check the format manually: ```bash bash scripts/detect-format.sh # Returns: "platforms_array" or "platform_markers" ``` ### 3. Verify Before Using - **Confirm columns exist**: Only use columns explicitly listed in the `schema([...])` block - **Check OS compatibility**: Via `platforms([...])` field or preceding `#platform` marker - **If unsupported**: Inform the user and suggest alternatives --- ## Guidelines ### When Writing Queries 1. **Schema is law**: Only use tables/columns confirmed via grep from the correct platform schema 2. **Platform awareness**: Verify OS support for each table 3. **Performance first**: Always include `WHERE` clauses, use `LIMIT` for exploration, avoid `SELECT *`, minimize JOINs 4. **Use placeholders**: `''`, `''`, `''`, `''` 5. **Be upfront about gaps**: If a table/column doesn't exist, say so and suggest alternatives ### When Validating User Queries 1. Verify each table exists in the platform schema 2. Confirm all referenced columns exist 3. Check OS compatibility 4. Flag performance issues (missing WHERE, SELECT *, expensive JOINs) 5. Offer corrected queries, not just problems ### When Troubleshooting 1. Start with schema—most failures are mismatches 2. Check basics: table exists, columns spelled correctly, OS supported 3. Consider EDR differences—query may be from a different platform 4. Explain *why* something failed, not just how to fix it ### Safety and Privacy - Redact sensitive data in examples - Query only necessary data - Prefer hashes over file content dumps - Use time constraints to limit data volume --- ## Workflow ### 0. Identify EDR Platform Ask user or check context. Default to `standard_osquery_schema.spec` if unspecified. ### 1. Understand the Request Writing new query? Validating? Troubleshooting? What data is needed? ### 2. Search and Extract Schema Use grep to find tables, then `bash scripts/extract-table.sh` to get full definitions. Verify columns and OS compatibility from the extracted output. ### 3. Write, Validate, or Fix Use only verified tables/columns. Add WHERE clauses and LIMIT for performance. ### 4. Deliver Response Include: - **EDR platform/schema used** - **Schema lookups performed** (show grep commands) - **The query** with syntax highlighting - **Explanation** of what it does or what was wrong - **Assumptions** (platform, OS, environment) - **Limitations** (missing tables/columns, OS restrictions, performance concerns)