[Osquery_manager] disk info artifact saved query

[tomsonpl]

Disks & Volumes Artifact

The Disks & Volumes artifact provides comprehensive visibility into physical storage hardware across Windows, Linux, and macOS systems. This information is essential for asset inventory, hardware verification, and forensic investigations involving storage device analysis, removable media detection, and system baseline comparisons.

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
10	Disks & Volumes	✅	Windows	disk_info_windows_elastic	d8a1b2c3	Physical disk hardware inventory via WMI
10a	Disks & Volumes	✅	Linux	disk_info_linux_macos_elastic	e9f2c3d4	Block devices with mount information
10b	Disks & Volumes	✅	macOS	disk_info_linux_macos_elastic	e9f2c3d4	Block devices with mount information

Queries by Platform

---

🪟 Windows - Physical Disk Hardware Inventory

Description

Retrieve physical disk hardware information on Windows systems including manufacturer, model, serial number, size, and interface type. Useful for asset inventory and hardware verification.

Detection Focus:

• Hardware asset inventory and tracking
• Removable storage device detection
• System baseline comparison for forensic analysis
• Disk serial number verification for chain of custody

Result

Query results will show all physical disks with their hardware identifiers, manufacturers, models, serial numbers, partition counts, and sizes in both bytes and human-readable GB format.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

disk_info_windows_elastic

ECS Field Mappings

Static Values:

• event.category → ["host"]
• event.type → ["info"]
• event.module → osquery
• event.dataset → osquery.disk_info
• host.os.type → windows
• tags → ["osquery", "inventory", "disk", "windows"]

Field Mappings:

• host.disk.device.name → device_name
• host.disk.device.serial_number → serial
• host.disk.device.vendor → vendor
• host.disk.device.model → model
• host.disk.device.type → device_type

SQL Query

-- Windows physical disk hardware inventory
-- Source: disk_info table (WMI Win32_DiskDrive)
-- Use case: Asset inventory, hardware verification
SELECT
    disk_index,
    name AS device_name,
    id,
    pnp_device_id,
    type AS device_type,
    manufacturer AS vendor,
    hardware_model AS model,
    serial,
    description,
    partitions,
    disk_size,
    -- Convert to human-readable size
    ROUND(disk_size / 1073741824.0, 2) AS disk_size_gb
FROM disk_info;

---

🐧 Linux / 🍎 macOS - Block Device Inventory with Mount Information

Description

Retrieve physical disk hardware information on Linux and macOS systems. Filters out loop devices, snap mounts, and virtual filesystems to show only real storage devices. Cross-platform equivalent to Windows disk_info query.

Detection Focus:

• Physical storage device enumeration
• Mount point and filesystem analysis
• Storage utilization monitoring
• Removable media and external drive detection
• Virtual machine disk identification

Result

Query results will show block devices with vendor, model, type, UUID, size, mount points, filesystem types, usage percentages, and available space. Automatically filters noise from snap packages, virtual filesystems, and system mounts.

Platform

linux,darwin

Interval

3600 seconds (1 hour)

Query ID

disk_info_linux_macos_elastic

ECS Field Mappings

Static Values:

• event.category → ["host"]
• event.type → ["info"]
• event.module → osquery
• event.dataset → osquery.disk_info
• tags → ["osquery", "inventory", "disk", "linux", "macos"]

Field Mappings:

• host.disk.device.name → device_name
• host.disk.device.vendor → vendor
• host.disk.device.model → model
• host.disk.device.type → device_type
• file.path → mount_point

SQL Query

-- Linux/macOS physical disk inventory
-- Source: block_devices + mounts tables
-- Filters out: loop devices, snap mounts, disk images, virtual filesystems
SELECT
    bd.name AS device_name,
    bd.vendor,
    bd.model,
    bd.type AS device_type,
    bd.uuid,
    ROUND((bd.size * bd.block_size) / 1073741824.0, 2) AS size_gb,
    m.path AS mount_point,
    m.type AS filesystem_type,
    CASE
        WHEN m.blocks > 0 THEN
            ROUND(100.0 * (m.blocks - m.blocks_free) / m.blocks, 2)
        ELSE NULL
    END AS usage_percent,
    ROUND((m.blocks_available * m.blocks_size) / 1073741824.0, 2) AS available_gb
FROM block_devices bd
LEFT JOIN mounts m ON (
    m.device LIKE '%' || bd.name || '%'
    OR m.device_alias LIKE '%' || bd.name || '%'
)
WHERE bd.name != ''
  AND bd.type != ''
  -- Filter out loop devices (snap packages on Linux)
  AND bd.name NOT LIKE 'loop%'
  AND bd.name NOT LIKE '/dev/loop%'
  -- Filter out disk images only (keep Virtual Interface for VMs)
  AND bd.type != 'Disk Image'
  -- Filter out squashfs (snap), devtmpfs, tmpfs, overlay
  AND COALESCE(m.type, '') NOT IN ('squashfs', 'devtmpfs', 'tmpfs', 'overlay', 'autofs')
  -- Filter out snap mount paths
  AND COALESCE(m.path, '') NOT LIKE '/snap/%'
  -- Filter out macOS system asset paths
  AND COALESCE(m.path, '') NOT LIKE '/System/Library/Assets%'
  -- Only show primary mount points (avoid duplicates)
  AND (
    m.path IS NULL
    OR m.path IN ('/', '/boot', '/boot/efi', '/home', '/var', '/tmp', '/opt')
    OR m.path LIKE '/Volumes/%'
    OR m.path LIKE '/mnt/%'
    OR m.path LIKE '/media/%'
  );

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: f4ab450

History

• 💚 Build #34811 succeeded b4d5493