Is it possible to add the description or other custom field to query result log?

I have the following scheduled query, used together with the TLS logger plugin.

    {
        "schedule": {
            "vssadmin.exe": {
                "query": "select * from file WHERE directory = 'C:\\Windows\\Prefetch\\' and filename like '%vssadmin%';",
                "interval": 600,
                "description": "Vssadmin Execute, usually used to execute activity on Volume Shadow copy",
                "platform": "windows"
            }
        }
    }

I want to add the description field to the result output log of this specific query, so that I can use it to map my query to a framework. Unfortunately, the documentation provided does not describe such an option. Is it possible to add the description or other custom fields to the logged output?

Like this?

Tag your #osquery queries/logs with MITRE ATT&CK IDs, like this:

SELECT username, shell, 'T1136' AS attckID FROM users;
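As an added example (not code from the question or the reply): the reply's literal-column trick applied to the question's vssadmin query, plus a reader for osquery's result log that groups rows by the tag osquery echoes back in `columns`. The column name `attck_id`, the mapping of vssadmin activity to T1490 (Inhibit System Recovery), and the log lines are this example's own assumptions and constructed data.

```python
import json
import re
from collections import defaultdict
TAG_COLUMN = "attck_id"  # hypothetical name for the literal tag column
TAG_PATTERN = re.compile(r"'([^']*)'\s+AS\s+" + TAG_COLUMN, re.IGNORECASE)

# osquery config with the ATT&CK tag added as a constant SELECT column, since the
# "description" key never reaches the result log. Mapping vssadmin activity to
# T1490 (Inhibit System Recovery) is this example's choice, not the page's.
CONFIG = {"schedule": {
    "vssadmin.exe": {
        "query": ("SELECT filename, path, 'T1490' AS attck_id FROM file "
                  "WHERE directory = 'C:\\Windows\\Prefetch\\' AND filename LIKE '%vssadmin%';"),
        "interval": 600,
        "description": "Vssadmin Execute, usually used to act on Volume Shadow copies",
        "platform": "windows",
    },
    "new_accounts": {
        "query": "SELECT username, shell, 'T1136' AS attck_id FROM users;",
    },
}}

# Constructed result-log lines in osquery's differential format (not captured from
# a real host); the tag column comes back inside "columns" on every row.
SAMPLE_LOG = r"""
{"name":"vssadmin.exe","hostIdentifier":"ws01","unixTime":1700000000,"action":"added","columns":{"filename":"VSSADMIN.EXE-1A2B3C4D.pf","path":"C:\\Windows\\Prefetch\\VSSADMIN.EXE-1A2B3C4D.pf","attck_id":"T1490"}}
{"name":"new_accounts","hostIdentifier":"ws01","unixTime":1700000060,"action":"added","columns":{"username":"svc_backup","shell":"C:\\Windows\\system32\\cmd.exe","attck_id":"T1136"}}
{"name":"new_accounts","hostIdentifier":"ws01","unixTime":1700000120,"action":"removed","columns":{"username":"svc_backup","shell":"C:\\Windows\\system32\\cmd.exe","attck_id":"T1136"}}
{"name":"untagged","hostIdentifier":"ws01","unixTime":1700000180,"action":"added","columns":{"pid":"42"}}
"""

def schedule_tags(config):
    """Check each scheduled query declares the tag column; return {query name: tag}."""
    tags = {}
    for name, entry in config["schedule"].items():
        match = TAG_PATTERN.search(entry["query"])
        if not match:
            raise ValueError(f"scheduled query {name!r} has no {TAG_COLUMN} column")
        tags[name] = match.group(1)
    return tags

def events_by_technique(log_text, action="added"):
    """Group logged rows by the tag osquery echoed back; untagged rows land under None."""
    grouped = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("action") != action:
            continue  # differential logs also emit 'removed' rows; keep only new hits
        grouped[event["columns"].get(TAG_COLUMN)].append((event["name"], event["hostIdentifier"]))
    return dict(grouped)
```

Running `schedule_tags(CONFIG)` before deploying the config catches a query that lost its tag, and `events_by_technique(SAMPLE_LOG)` is the mapping step the question asks for, keyed by the value osquery wrote into every row.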