osquery sqlite functions

osquery extends SQLite's built in functions to provide you more tools to identify IOCs, do basic data processing client side, or access other core osquery functionality in a more natural manner. Here is a complete list of all the osquery custom functions.

base64 commands

• to_base64 - Take a field and base64 encode it.
• from_base64 - Take a field and base64 decode it. If decode fails then return the empty string.
• to_base64_conditional - Take a field and base64 encode it only if it contains non ASCII characters.

Hashing functions

• md5 - Hash a field using the MD5 algorithm.
• sha1 - Hash a field using the SHA1 algorithm.
• sha256 - Hash a field using the SHA256 algorithm.

carving

• carve - Takes a set of paths and carves them using the configured carving infrastructure. See article on screenshot auditing for more details.

String processing

• split - Takes a string, delimiter, and number (i). Splits the string using the delimiter and returns the ith element.
• regex_split - Takes a string, regex and number (i). Splits the string on regex matches and returns the ith element.
• inet_aton - Convert an IPv4 string address to decimal.