Secured protected virtual processes #7121

nickcollier · 2021-05-21T19:07:07Z

Find processes that are secured (IUM), protected or virtual on Windows #7120

theopolis · 2021-05-22T17:23:34Z

specs/processes.table

@@ -32,6 +32,9 @@ schema([
 ])
 extended_schema(WINDOWS, [
    Column("is_elevated_token", INTEGER, "Process uses elevated token yes=1, no=0"),
+    Column("is_secure_process", INTEGER, "Process is secure (IUM) yes=1, no=0"),


Nitpick and for general consistency I prefer if we avoid the is_ prefix for column names. This is because the column type implies the verb. Could we name this secure_process, etc?

We can change the is_elevated_token to just elevated_token as well?

I was trying to be consistent following is_elevated_token 😄
I've changed them all as suggested now.

nickcollier added 2 commits May 21, 2021 16:34

Find processes that are secured (IUM), protected or virtual on Windows

f9f3dea

Code formatting

3944d8c

nickcollier requested review from a team as code owners May 21, 2021 19:07

theopolis added virtual tables Windows labels May 22, 2021

theopolis requested changes May 22, 2021

View reviewed changes

Remove is_ prefix from columns

a8ca182

theopolis approved these changes May 22, 2021

View reviewed changes

theopolis merged commit d7439de into osquery:master May 25, 2021

theopolis added the API change label May 25, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secured protected virtual processes #7121

Secured protected virtual processes #7121

nickcollier commented May 21, 2021

theopolis May 22, 2021

nickcollier May 22, 2021

Secured protected virtual processes #7121

Secured protected virtual processes #7121

Conversation

nickcollier commented May 21, 2021

theopolis May 22, 2021

Choose a reason for hiding this comment

nickcollier May 22, 2021

Choose a reason for hiding this comment