
@tomsonpl tomsonpl commented Nov 7, 2025

Browser History Artifact

This PR adds a new osquery saved query for the Browser History artifact, providing comprehensive browser activity collection across all platforms using the Elastic osquery extension. The query automatically discovers and collects browsing history from Chrome, Edge, Firefox, and Safari without requiring ATC configuration.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query File | Description |
|---|---|---|---|---|
| 1 | Browser History | Windows, macOS, Linux | browser_history_elastic (b352f3c9) | Collects browser history from all supported browsers across all platforms using the Elastic osquery extension |

Queries by Platform


🪟🍎🐧 Cross-Platform - Browser History Collection

Description

This query leverages the Elastic osquery extension to collect browser history from all major browsers (Chrome, Edge, Firefox, Safari) across Windows, macOS, and Linux platforms. The extension automatically discovers browser profile locations and queries their history databases without requiring ATC (Automatic Table Construction) configuration.

The query returns the last 7 days of browsing activity, including:

  • Full URLs with domain extraction
  • Page titles and visit timestamps
  • Browser identification
  • User profiles
  • Navigation transition types

Detection Focus:

  • Data Exfiltration Detection: Identify suspicious file upload or cloud storage URLs
  • Credential Phishing: Detect visits to fake login pages or credential harvesting sites
  • Command & Control: Identify visits to known C2 infrastructure or suspicious domains
  • Insider Threat Monitoring: Track access to unauthorized resources or data repositories
  • Policy Compliance: Verify adherence to acceptable use policies

Result


Returns browsing history entries with timestamps, URLs, page titles, browser names, user profiles, and navigation context for the past 7 days.

Platform

windows, darwin, linux (cross-platform)

Interval

3600 seconds (1 hour)

Query ID

browser_history_elastic

ECS Field Mappings

| ECS Field | Query Column |
|---|---|
| url.full | url |
| event.action | title |
| user_agent.name | browser |
| user.name | user |
| url.domain | domain |
| event.category | web (static) |
| event.type | info (static) |

SQL Query

```sql
-- Browser history from Elastic osquery extension
-- Supports: Chrome, Edge, Firefox, Safari
-- Returns last 7 days of browsing activity
SELECT
  datetime,
  url,
  title,
  browser,
  user,
  domain,
  transition_type
FROM browser_history
WHERE timestamp > (strftime('%s', 'now') - 604800)
ORDER BY timestamp DESC;
```

Requirements

⚠️ IMPORTANT: This query requires the Elastic osquery extension (osquerybeat). The standard osquery does not include the browser_history table.

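The following added example (not code from the PR or from the osquery_manager integration) runs the PR's saved query against a stand-in `browser_history` table in SQLite, which is the engine osquery uses, and then applies the ECS field mapping from the description. The table schema and the sample rows are constructed assumptions; it shows that the 7-day window in the `WHERE` clause drops the old row and that the static `event.category`/`event.type` values are attached to every document.

```python
import sqlite3
import time

# Query text from the PR description (semicolon dropped for sqlite3.execute).
BROWSER_HISTORY_QUERY = """
SELECT datetime, url, title, browser, user, domain, transition_type
FROM browser_history
WHERE timestamp > (strftime('%s', 'now') - 604800)
ORDER BY timestamp DESC
"""

# ECS field -> query column, per the PR's mapping table; static fields have no column.
ECS_COLUMN_MAP = {"url.full": "url", "event.action": "title", "user_agent.name": "browser",
                  "user.name": "user", "url.domain": "domain"}
ECS_STATIC = {"event.category": "web", "event.type": "info"}

def build_sample_db(now: int) -> sqlite3.Connection:
    """Stand-in for the extension's browser_history table (schema assumed from the query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE browser_history (
        datetime TEXT, url TEXT, title TEXT, browser TEXT, user TEXT,
        domain TEXT, transition_type TEXT, timestamp INTEGER)""")
    rows = [  # constructed sample rows: 2 days old, 1 hour old, 10 days old
        (now - 2 * 86400, "https://docs.example.org/p", "Docs", "chrome", "alice", "docs.example.org", "link"),
        (now - 3600, "https://drive.example.net/u", "Upload", "firefox", "alice", "drive.example.net", "typed"),
        (now - 10 * 86400, "https://old.example.com/", "Old", "edge", "bob", "old.example.com", "link"),
    ]
    for ts, url, title, browser, user, domain, transition in rows:
        conn.execute("INSERT INTO browser_history VALUES (?,?,?,?,?,?,?,?)",
                     (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
                      url, title, browser, user, domain, transition, ts))
    return conn

def run_query(conn: sqlite3.Connection) -> list:
    """Execute the saved query and return rows as dicts keyed by column name."""
    cur = conn.execute(BROWSER_HISTORY_QUERY)
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, r)) for r in cur.fetchall()]

def to_ecs(row: dict) -> dict:
    """Apply the PR's ECS mapping; transition_type has no ECS target and is left out."""
    doc = {ecs: row[col] for ecs, col in ECS_COLUMN_MAP.items()}
    doc.update(ECS_STATIC)
    return doc

def collect(now: int = None) -> list:
    """End-to-end: build sample table, run the 7-day query, emit ECS documents."""
    now = int(time.time()) if now is None else now
    return [to_ecs(r) for r in run_query(build_sample_db(now))]
```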

efd6 and others added 5 commits November 7, 2025 07:51
Made with ❤️️ by updatecli

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
#15763)

Expose the "Perfmon Match By Parent Instance" option in Windows Perfmon (default=true). When unchecked, unique instance names are used for processes with the same name.

Co-authored-by: Denis <[email protected]>
* Align with doc guidelines

* Update changelog and manifest
@tomsonpl tomsonpl self-assigned this Nov 7, 2025
@tomsonpl tomsonpl added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 7, 2025
@tomsonpl tomsonpl closed this Nov 7, 2025

tomsonpl commented Nov 7, 2025

Closed, as apparently browser_history will be supported by extension ❤️

@tomsonpl tomsonpl reopened this Nov 7, 2025
w0rk3r and others added 4 commits November 7, 2025 05:51
…ck_signature` (#15834)

* [BugFix] PowerShell - Fix `user.name`, `user.domain`, and `script_block_signature`

* Update packages/windows/changelog.yml

* add related.hosts

* ++
Migrate the network_traffic integration to use links panels on dashboards for
handling navigation links. Using this widget ensures that navigation styling is
consistent across integration dashboards and also prevents issues with breaking
links on serverless.

Relates #15868
* update kafka docs

* update PR id in changelog

* docs fix
- Added append processor to global on_failure to preserve event original
- Added append processor to default pipelines to preserve event original if error.message is set

Affects the following integrations:

- citrix_waf
- endace
- fortinet_fortiedr
- fortinet_fortigate
- fortinet_fortimail
- fortinet_fortimanager
- fortinet_fortiproxy
- goflow2
- hashicorp_vault
- hpe_aruba_cx
@tomsonpl tomsonpl changed the title [Do not merge] [Osquery_manager] Browser history artifact saved query [Osquery_manager] Browser history artifact saved query Nov 7, 2025
@elasticmachine

💚 Build Succeeded

cc @tomsonpl

@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch November 7, 2025 16:25
@tomsonpl tomsonpl closed this Nov 7, 2025