Skip to content

[Osquery_manager] Browser History artifact saved query #15904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
Open

[Osquery_manager] Browser History artifact saved query #15904

wants to merge 1 commit into from

Conversation

@tomsonpl
Copy link
Contributor

@tomsonpl tomsonpl commented Nov 7, 2025

Browser History Artifact

This PR adds a new osquery saved query for the Browser History artifact, providing comprehensive browser activity collection across all platforms using the Elastic osquery extension. The query automatically discovers and collects browsing history from Chrome, Edge, Firefox, and Safari without requiring ATC configuration.

Core Forensic Artifacts Coverage

# Artifact OS Query File Description
1 Browser History Windows, macOS, Linux browser_history_elastic b352f3c9 Collects browser history from all supported browsers across all platforms using the Elastic osquery extension

Queries by Platform

🪟🍎🐧 Cross-Platform - Browser History Collection

Description

This query leverages the Elastic osquery extension to collect browser history from all major browsers (Chrome, Edge, Firefox, Safari) across Windows, macOS, and Linux platforms. The extension automatically discovers browser profile locations and queries their history databases without requiring ATC (Automatic Table Construction) configuration.

The query returns the last 7 days of browsing activity, including:

  • Full URLs with domain extraction
  • Page titles and visit timestamps
  • Browser identification
  • User profiles
  • Navigation transition types

Detection Focus:

  • Data Exfiltration Detection: Identify suspicious file upload or cloud storage URLs
  • Credential Phishing: Detect visits to fake login pages or credential harvesting sites
  • Command & Control: Identify visits to known C2 infrastructure or suspicious domains
  • Insider Threat Monitoring: Track access to unauthorized resources or data repositories
  • Policy Compliance: Verify adherence to acceptable use policies

Result

Screenshot 2025-11-07 at 13 20 30

Returns browsing history entries with timestamps, URLs, page titles, browser names, user profiles, and navigation context for the past 7 days.

Platform

windows, darwin, linux (cross-platform)

Interval

3600 seconds (1 hour)

Query ID

browser_history_elastic

ECS Field Mappings

  • url.fullurl
  • event.actiontitle
  • user_agent.namebrowser
  • user.nameuser
  • url.domaindomain
  • event.categoryweb (static)
  • event.typeinfo (static)

SQL Query

-- Browser history from Elastic osquery extension
-- Supports: Chrome, Edge, Firefox, Safari
-- Returns last 7 days of browsing activity
SELECT
  datetime,
  url,
  title,
  browser,
  user,
  domain,
  transition_type
FROM browser_history
WHERE timestamp > (strftime('%s', 'now') - 604800)
ORDER BY timestamp DESC;

Requirements

⚠️ IMPORTANT: This query requires the Elastic osquery extension (osquerybeat). The standard osquery does not include the browser_history table.

@tomsonpl tomsonpl self-assigned this Nov 7, 2025
@tomsonpl tomsonpl marked this pull request as ready for review November 7, 2025 16:29
@tomsonpl tomsonpl requested a review from a team as a code owner November 7, 2025 16:29
@tomsonpl tomsonpl requested review from gergoabraham and pzl and removed request for a team November 7, 2025 16:29
@elasticmachine
Copy link

elasticmachine commented Nov 7, 2025

💚 Build Succeeded

cc @tomsonpl

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 7, 2025
ferullo
ferullo reviewed Nov 7, 2025
View reviewed changes
...manager/kibana/osquery_saved_query/osquery_manager-b352f3c9-c630-47ec-83bb-5887fe0bb874.json
"attributes": {
"created_at": "2025-11-07T00:00:00.000Z",
"created_by": "elastic",
"description": "Collects browser history from all supported browsers across all platforms using the Elastic osquery extension. IMPORTANT: Requires the Elastic osquery extension (osquerybeat). Automatically discovers and queries Chrome, Edge, Firefox, and Safari browser histories without ATC configuration. Returns URL history with visit timestamps, page titles, browser names, user profiles, and navigation context. Works on Windows, macOS, and Linux.",
Copy link
Contributor

@ferullo ferullo Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does a user need to know about the extension or would it make more sense to just say it requires Agent 9.3.0+?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ferullo ferullo ferullo left review comments

@pzl pzl Awaiting requested review from pzl pzl is a code owner automatically assigned from elastic/security-defend-workflows

@gergoabraham gergoabraham Awaiting requested review from gergoabraham gergoabraham is a code owner automatically assigned from elastic/security-defend-workflows

Assignees

@tomsonpl tomsonpl

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tomsonpl @elasticmachine @ferullo @andrewkroh