Skip to content

[WIP] Osquerybeat - Amcache osquery Extension #46996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

[WIP] Osquerybeat - Amcache osquery Extension #46996

wants to merge 5 commits into from
+1,702 −302

Conversation

brian-mckinney
Copy link

@brian-mckinney brian-mckinney commented Oct 8, 2025
edited
Loading

Proposed commit message

Adds the amcache table to the osquery extension packaged with osquerybeat

See further discussion: https://github.com/elastic/endpoint-dev/issues/17096

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None

Author's Checklist

  • [ ]

How to test this PR locally

  • build osquerybeat
    • cd x-pack\osquerybeat
    • make update
    • mage build
  • run osqueryi with the extension
    • osqueryi --extension osquery-extension.exe --allow_unsafe

Related issues

Use cases

Screenshots

image

Logs

@brian-mckinney brian-mckinney self-assigned this Oct 8, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 8, 2025
@botelastic
Copy link

botelastic bot commented Oct 8, 2025

This pull request doesn't have a Team:<team> label.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 8, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @brian-mckinney? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 12, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b amcache upstream/amcache
git merge upstream/main
git push upstream amcache

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@brian-mckinney brian-mckinney

Labels

enhancement needs_team Indicates that the issue/PR needs a Team:* label Osquerybeat

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brian-mckinney