A collection of optional reports you can run anytime. Contributions welcome over on GitHub.
Want to create your own? Our query robot can help.
Apple
Linux
Windows
Detects if Apple Intelligence has been enabled. Value = 1 is on, 0 is off.
Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.
List authorized_keys for each user on the system.
Get all software installed on a macOS computer, including apps, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
Retrieves the list of installed Safari Extensions for all users in the target system.
Lists all laptops with under-performing or failing batteries.
Get current users with active shell/console on the system and associated process
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Detect any processes that run with DYLD_INSERT_LIBRARIES environment variable
Local user accounts (including domain accounts that have logged on locally (Windows)).
Get Nmap scanner process, as well as its user, parent, and process details.
Docker container processes; can be used on normal systems or a kubenode.
Collects the local user accounts and their respective user group.
Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.
Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
The query allows you to check macOS systems for local administrator accounts.
List ports that are listening on all interfaces, along with the process to which they are attached.
Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
Returns top 10 applications or processes hogging memory the most.
Returns servers with root login in the last 24 hours and the time the users were logged in.
Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.
Returns applications that were opened within the last 24 hours starting with the last opened application.
Returns applications that are not in the `/Applications` directory
Returns applications that are subscription-based and have not been opened for the last 30 days. You can replace the list of applications with those specific to your use case.
Returns the operating system name and version on the device.
Reads the version numbers from the Malware Removal Tool (MRT) and built-in antivirus (XProtect) plists
Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.
Lists the currently enabled applications configured to handle mailto, http and ftp schemes.
Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier.
Geolocate a host using the [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery).
Get the status of the Crowdstrike Falcon network content filter (as in "System Settings" > "Network" > "Filters").
Get a list of installed VS Code extensions (requires osquery > 5.11.0).
List all table names in the schema of the currently installed version of osquery
Retrieves Model Context Protocol (MCP) client configurations from supported AI applications. Only global (not project-specific) configurations are returned. Supported applications: Cursor (macOS/Linux/Windows), Claude Desktop (macOS/Windows), Claude Code (macOS/Linux), VSCode (macOS/Linux/Windows), Windsurf (macOS), Gemini CLI (macOS/Linux/Windows), LMStudio (macOS/Linux/Windows)
Monitor integrity of sudoers configuration file for unauthorized modifications - ATT&CK T1548.003
Detect active reverse shell connections via bash TCP redirects - ATT&CK T1059
List shell_history for each user on the system - ATT&CK T1064,T1059,T1153,T1166,T1100,T1055,T1222,T1107,T1146,T1081,T1003,T1033,T1016,T1082,T1069,T1201,T1083,T1217,T1087
Returns the Listening port List - ATT&CK T1108,T1100,T1029,T1011,T1041,T1048,T1020,T1071,T1219
Returns the network connections from system processes - ATT&CK T1108,T1100,T1102,T1105,T1039,T1029,T1011,T1041,T1043,T1090,T1094,T1048,T1132,T1020,T1065,T1001,T1071,T1219,T1104,T1008
Returns possible reverse shells on system processes - ATT&CK T1108,T1100
Template: Monitor files in a custom directory. Replace /YOUR_DIRECTORY/ with the path to monitor - ATT&CK T1158,T1100
Lists files and directories under root directory - ATT&CK T1158,T1100
Lists files and directories under tmp directory - ATT&CK T1158,T1100
List running processes with non-empty command line. - ATT&CK T1059,T1108,T1166,T1100,T1064,T1107,T1003,T1033,T1016,T1082,T1057,T1201,T1083,T1217,T1087,T1072,T1002
Lists all logged in users - ATT&CK T1136,T1078,T1169,T1184,T1021
Lists all created and deleted accounts - ATT&CK T1136,T1078,T1184,T1021
Discover local system certificates for code signing and trust chain analysis - ATT&CK T1116,T1130
List running processes with user and path information - ATT&CK T1034,T1121,T1117,T1085
List running processes with path and command line. - ATT&CK T1034,T1121,T1117,T1085
Get all software installed on a Windows computer, including programs, browser plugins, and installed packages. Note that this does not include other running processes in the processes table.
Get current users with active shell/console on the system and associated process
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Local user accounts (including domain accounts that have logged on locally (Windows)).
Get Nmap scanner process, as well as its user, parent, and process details.
Detects devices that are potentially vulnerable to CVE-2021-1675 because the print spooler service is not disabled.
Collects the local user accounts and their respective user group.
Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.
List ports that are listening on all interfaces, along with the process to which they are attached.
Looks for the TeamViewer service running on machines. This is often used when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
Checks for artifacts from the Floxif trojan on Windows machines.
Returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, full file path order of execution, and the order in which files were executed.
Returns top 10 applications or processes hogging memory the most.
Returns servers with root login in the last 24 hours and the time the users were logged in.
Returns the operating system name and version on the device.
Selects the antivirus and signatures status from Windows Security Center.
Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
Geolocate a host using the [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery).
Get a list of installed VS Code extensions (requires osquery > 5.11.0).
List all table names in the schema of the currently installed version of osquery
Retrieves Model Context Protocol (MCP) client configurations from supported AI applications. Only global (not project-specific) configurations are returned. Supported applications: Cursor (macOS/Linux/Windows), Claude Desktop (macOS/Windows), Claude Code (macOS/Linux), VSCode (macOS/Linux/Windows), Windsurf (macOS), Gemini CLI (macOS/Linux/Windows), LMStudio (macOS/Linux/Windows)
Returns the Listening port List - ATT&CK T1108,T1100,T1029,T1011,T1041,T1048,T1020,T1071,T1219
Returns the network connections from system processes - ATT&CK T1108,T1100,T1102,T1105,T1039,T1029,T1011,T1041,T1043,T1090,T1094,T1048,T1132,T1020,T1065,T1001,T1071,T1219,T1104,T1008
List running processes with non-empty command line. - ATT&CK T1059,T1108,T1166,T1100,T1064,T1107,T1003,T1033,T1016,T1082,T1057,T1201,T1083,T1217,T1087,T1072,T1002
Lists all logged in users - ATT&CK T1136,T1078,T1169,T1184,T1021
Lists all created and deleted accounts - ATT&CK T1136,T1078,T1184,T1021
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1173,T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1173,T1086,T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1204
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Detect processes masquerading as legitimate Windows processes - ATT&CK T1034
Returns the content of the key HKCU_Control Panel_Desktop - ATT&CK T1180
Returns the content of the key HKCU_Software_Microsoft_WindowsNT_CurrentVersion_winlogon - ATT&CK T1004
Returns the content of the key HKCU_Software_Microsoft_Windows_CurrentVersion_Policies_Explorer_Run - ATT&CK T1060
Returns the content of the key HKEY_CURRENT_USER_Environment - ATT&CK T1037
Returns the content of the key HKCU_Software_Microsoft_Windows_CurrentVersion_Run - ATT&CK T1060
Returns the content of the key HKLM_Software_Microsoft_WindowsNT_CurrentVersion_winlogon - ATT&CK T1004
Returns the content of the key HKLM_Software_Microsoft_Windows_CurrentVersion_Policies_Explorer_Run - ATT&CK T1060
Returns the content of the key HKLM_Image_File_Execution_Options - ATT&CK T1015
Returns the content of the key HKLM_Software_Microsoft_WindowsNT_CurrentVersion_Windows for AppInit DLLs - ATT&CK T1103
Returns the content of the key HKLM_Software_Wow6432Node_Microsoft_WindowsNT_CurrentVersion_winlogon - ATT&CK T1004
Returns the content of the key HKLM_Software_Wow6432Node_Microsoft_WindowsNT_CurrentVersion_Windows for AppInit DLLs - ATT&CK T1103
Returns the content of the key HKLM_Software_Microsoft_WindowsNT_CurrentVersion_appcompatflags_custom for application shimming - ATT&CK T1138
Returns the content of the key HKLM_Software_Microsoft_WindowsNT_CurrentVersion_appcompatflags_installedsdb for application shimming - ATT&CK T1138
Returns the content of the key HKLM_SYSTEM_CurrentControlSet_Control_Lsa - ATT&CK T1131
Returns the content of the key HKLM_SOFTWARE_Microsoft_Netsh - ATT&CK T1128,S0108
Returns the content of the key HKLM_SYSTEM_CurrentControlSet_Service - ATT&CK T1058
Returns the content of the key HKU_Software_Microsoft_Windows_CurrentVersion_Run
InstallUtil Execute, InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries - ATT&CK T1118
PsExec Execute, is a free Microsoft tool that can be used to execute a program on another computer. - ATT&CK T1035,S0029
Monitor Windows Prefetch directory for execution artifacts - ATT&CK T1107
Schtasks Execute, usually used to create a scheduled task - ATT&CK T1053,S0110
Attrib Execute, usually used to modify file attributes - ATT&CK T1158
Bitsadmin Execute, Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM) - ATT&CK T1197,S0190
Monitor usage of Certutil.exe, a built-in command-line program to manage certificates that can be misused for malicious purposes - ATT&CK T1105,T1140,T1130,S0160
Command-Line Interface Execute, CMD execution - ATT&CK T1059
CMSTP Execute, The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. - ATT&CK T1191
Command-Line Interface Execute, Cscript execution starts a script so that it runs in a command-line environment. - ATT&CK T1216
Monitor usage of Esentutl, a built-in command-line program that can be used to copy NTDS.dit and dump Active Directory credentials - ATT&CK T1003.003
Mshta Execute, is a utility that executes Microsoft HTML Applications (HTA) - ATT&CK T1170
mstsc.exe Execute, usually used to perform an RDP session - ATT&CK T1076
Net Execute, is used in command-line operations for control of users, groups, services, and network connections - ATT&CK T1126,T1087,T1201,T1069,S0039,T1018,T1007,T1124
Netsh Execute, Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system - ATT&CK T1128,T1063,S0108
Netstat Execute, is an operating system utility that displays active TCP connections, listening ports, and network statistics. - ATT&CK T1049,S0104
POWERSHELL Execute, is a powerful interactive command-line interface and scripting environment included in the Windows operating system - ATT&CK T1086
Reg Execute, Reg is a Windows utility used to interact with the Windows Registry. - ATT&CK T1214,T1012,T1063,S0075
Regedit Execute, is a Windows utility used to interact with the Windows Registry. - ATT&CK T1214
Detect regsvr32 DLL registration activity via prefetch artifacts - ATT&CK T1117
Runas Execute, Allows a user to run specific tools and programs with different permissions than the user's current logon provides. - ATT&CK T1134
SC.exe Execute, Service Control - Create, Start, Stop, Query or Delete any Windows SERVICE. - ATT&CK T1007
Schtasks Execute, usually used to create a scheduled task - ATT&CK T1053,S0111
Systeminfo Execute, Systeminfo is a Windows utility that can be used to gather detailed information about a computer. - ATT&CK T1082,S0096
taskeng Execute, usually used to create a scheduled task - ATT&CK T1053
Tasklist Execute, usually used to list tasks - ATT&CK T1057,T1063,T1007,S0057
tscon.exe Execute, usually used to Terminal Services Console - ATT&CK T1076
Vssadmin Execute, usually used to execute activity on Volume Shadow copy
Whoami Execute, used to print the effective username of the current user
Xcopy Execute, is used for copying multiple files or entire directory trees from one directory to another and for copying files across a network.
Snapshot Lists all internet explorer extensions - ATT&CK T1176
Lists all internet explorer extensions - ATT&CK T1176
Sophos Endpoint Protection service status change - ATT&CK T1089
Sophos Endpoint Protection service status change - ATT&CK T1089
Symantec Endpoint Protection service status change - ATT&CK T1089
Windows Defender service Status change - ATT&CK T1089
Windows Firewall service Status change - ATT&CK T1089
Windows Security Service Status change - ATT&CK T1089
Discover local system certificates for code signing and trust chain analysis - ATT&CK T1116,T1130
Check suspicious directory creation under AppData\Local - ATT&CK T1034,T1074,T1044
Check suspicious directory creation under %TEMP% or AppData\Local\Temp - ATT&CK T1034,T1074,T1044
Check suspicious directory creation under %APPDATA% or %\AppData\Roaming - ATT&CK T1034,T1074,T1044
Check suspicious directory creation under Roaming\Microsoft\Windows\Start Menu\Programs - ATT&CK T1060,T1023
Check suspicious directory creation under Roaming\Microsoft\Windows\Start Menu\Programs\Startup - ATT&CK T1060,T1023
Check suspicious directory creation under ProgramData\Microsoft\Windows\Start Menu - ATT&CK T1060,T1023
Check suspicious directory creation under ProgramData\Microsoft\Windows\Start Menu\Programs - ATT&CK T1060,T1023
Check suspicious directory creation under c:\windows - ATT&CK T1034,T1074,T1044
Check suspicious directory creation under c:\windows\temp - ATT&CK T1034,T1074,T1044
Check suspicious file creation under AppData\Local - ATT&CK T1034,T1074,T1044
Check suspicious file creation under %TEMP% or AppData\Local\Temp - ATT&CK T1034,T1074,T1044
Check suspicious file creation under %APPDATA% or %\AppData\Roaming - ATT&CK T1034,T1074,T1044
Check suspicious file creation under ProgramData\Microsoft\Windows\Start Menu - ATT&CK T1060,T1023
Check suspicious file creation under ProgramData\Microsoft\Windows\Start Menu\Programs - ATT&CK T1060,T1023
Check suspicious file creation under Roaming\Microsoft\Windows\Start Menu\Programs - ATT&CK T1060,T1023
Check suspicious file creation under Roaming\Microsoft\Windows\Start Menu\Programs\Startup - ATT&CK T1060,T1023
Check suspicious file creation under c:\windows - ATT&CK T1034,T1074,T1044
Check suspicious file creation under c:\windows\temp - ATT&CK T1034,T1074,T1044
PowerShell script blocks reconstructed to their full script content. This table requires script block logging to be enabled. - ATT&CK T1086,T1064
Lists all of the tasks in the Windows task scheduler - ATT&CK T1053
Lists all installed services configured to start automatically at boot - ATT&CK T1050
List running processes with path and command line. - ATT&CK T1034,T1121,T1117,T1085
Presence of authorized SSH keys may be unusual on laptops. Could be completely normal on servers, but may be worth auditing for unusual keys and/or changes.
List authorized_keys for each user on the system.
Get all software installed on a Linux computer, including browser plugins and installed packages. Note that this does not include other running processes in the processes table.
Get current users with active shell/console on the system and associated process
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Identify SSH keys created without a passphrase which can be used in Lateral Movement (MITRE TA0008)
Detect any processes that run with LD_PRELOAD environment variable
Local user accounts (including domain accounts that have logged on locally (Windows)).
Domain Joined environments normally have root or other service only accounts and users are SSH-ing using their Domain Accounts.
Get Nmap scanner process, as well as its user, parent, and process details.
Docker container processes; can be used on normal systems or a kubenode.
Collects the local user accounts and their respective user group.
Lists all processes whose launching binary no longer exists on disk. Attackers often delete files from disk after launching a process to mask their presence.
Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
List ports that are listening on all interfaces, along with the process to which they are attached.
Watches for the backdoored Python packages installed on the system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
Returns top 10 applications or processes hogging memory the most.
Returns servers with root login in the last 24 hours and the time the users were logged in.
Returns a list of active processes and the Jar paths which are using Log4j. Version numbers are usually within the Jar filename. Note: This query is resource intensive and has caused problems on systems with limited swap space. Test on some systems before running this widely.
Returns the operating system name and version on the device.
Selects the clamd and freshclam processes to ensure AV and its updater are running
Retrieves metadata about TLS certificates for servers listening on the local machine. Enables mTLS adoption analysis and cert expiration notifications.
Attempt to discover Python environments (in cwd, path to the python binary, and process command line) from running python interpreters and collect Python packages from those environments.
Geolocate a host using the [ipapi.co](https://ipapi.co) in an emergency. Requires the curl table. [Learn more](https://fleetdm.com/guides/locate-assets-with-osquery).
Get a list of installed VS Code extensions (requires osquery > 5.11.0).
List all table names in the schema of the currently installed version of osquery
Retrieves Model Context Protocol (MCP) client configurations from supported AI applications. Only global (not project-specific) configurations are returned. Supported applications: Cursor (macOS/Linux/Windows), Claude Desktop (macOS/Windows), Claude Code (macOS/Linux), VSCode (macOS/Linux/Windows), Windsurf (macOS), Gemini CLI (macOS/Linux/Windows), LMStudio (macOS/Linux/Windows)
Monitor integrity of sudoers configuration file for unauthorized modifications - ATT&CK T1548.003
Detect active reverse shell connections via bash TCP redirects - ATT&CK T1059
List shell_history for each user on the system - ATT&CK T1064,T1059,T1153,T1166,T1100,T1055,T1222,T1107,T1146,T1081,T1003,T1033,T1016,T1082,T1069,T1201,T1083,T1217,T1087
Detect loading, unloading, and manipulating modules on Linux systems - ATT&CK T1215
Returns the Listening port List - ATT&CK T1108,T1100,T1029,T1011,T1041,T1048,T1020,T1071,T1219
Returns the network connections from system processes - ATT&CK T1108,T1100,T1102,T1105,T1039,T1029,T1011,T1041,T1043,T1090,T1094,T1048,T1132,T1020,T1065,T1001,T1071,T1219,T1104,T1008
Returns possible reverse shells on system processes - ATT&CK T1108,T1100
Template: Monitor files in a custom directory. Replace /YOUR_DIRECTORY/ with the path to monitor - ATT&CK T1158,T1100
Lists files and directories under all home user directories - ATT&CK T1158,T1100
Lists files and directories under root directory - ATT&CK T1158,T1100
Lists files and directories under tmp directory - ATT&CK T1158,T1100
Lists files and directories under web server directory - ATT&CK T1158,T1100
List running processes with non-empty command line. - ATT&CK T1059,T1108,T1166,T1100,T1064,T1107,T1003,T1033,T1016,T1082,T1057,T1201,T1083,T1217,T1087,T1072,T1002
Lists all logged in users - ATT&CK T1136,T1078,T1169,T1184,T1021
Lists all created and deleted accounts - ATT&CK T1136,T1078,T1184,T1021
Discover local system certificates for code signing and trust chain analysis - ATT&CK T1116,T1130
List running processes with user and path information - ATT&CK T1034,T1121,T1117,T1085
List running processes with path and command line. - ATT&CK T1034,T1121,T1117,T1085