Update ioreg.yml (#25889)

Added example query. --------- Co-authored-by: Eric <[email protected]>
fleetdm · Jan 30, 2025 · af475c7 · af475c7
1 parent 4a8a054
commit af475c7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/schema/osquery_fleet_schema.json b/schema/osquery_fleet_schema.json
@@ -12582,6 +12582,7 @@
     "platforms": [
       "darwin"
     ],
+    "examples": "Find HID Device Protocol data:\n\n```\n WITH protocols as (\n  SELECT \n   MAX (case WHEN key = \"USB Address\" THEN value END) as usb_address,\n   MAX (case WHEN key = \"bDeviceProtocol\" THEN value END) as protocol\n  from ioreg where r=true and c=\"IOUSBDevice\" group by parent\n) \nSELECT * FROM usb_devices join protocols using (usb_address)\n```",
     "columns": [
       {
         "name": "c",

diff --git a/schema/tables/ioreg.yml b/schema/tables/ioreg.yml
@@ -4,6 +4,18 @@ evented: false
 notes: This table is not a core osquery table. It is included as part of fleetd, the osquery manager from Fleet. Code based on work by [Kolide](https://github.com/kolide/launcher).
 platforms:
   - darwin
+examples: |-
+  Find HID Device Protocol data:
+
+  ```
+  WITH protocols as (
+    SELECT 
+     MAX (case WHEN key = "USB Address" THEN value END) as usb_address,
+     MAX (case WHEN key = "bDeviceProtocol" THEN value END) as protocol
+    from ioreg where r=true and c="IOUSBDevice" group by parent
+  ) 
+  SELECT * FROM usb_devices join protocols using (usb_address)
+  ```
 columns:
   - name: c
     description: List properties of objects with the given class.
@@ -48,4 +60,4 @@ columns:
   - name: query
     description: The query is printed in this column.
     type: text
-    required: false
+    required: false