From adef97e54236490c3ceb2c298bd3d037ce924eb8 Mon Sep 17 00:00:00 2001 From: Brock Walters <153771548+nonpunctual@users.noreply.github.com> Date: Tue, 16 Sep 2025 18:21:55 -0400 Subject: [PATCH 1/2] Create system_profiler.yml Updated explanation & example queries. --- schema/tables/system_profiler.yml | 92 +++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 schema/tables/system_profiler.yml diff --git a/schema/tables/system_profiler.yml b/schema/tables/system_profiler.yml new file mode 100644 index 00000000000..c1b9fba0da2 --- /dev/null +++ b/schema/tables/system_profiler.yml @@ -0,0 +1,92 @@ +name: system_profiler +description: |- + The macOS system_profiler binary reports on the hardware and software configuration of a Mac. It can generate detailed, plain text, XML or json reports which can be exported from the Terminal or generated as .spx files and read by the macOS System Information.app based on "data types". +examples: |- + + Collect Mac Activation Lock Status: + + ``` + SELECT json_extract (value,'$.activation_lock_status') + FROM system_profiler + WHERE data_type='SPHardwareDataType'; + ``` + + Collect Mac Hardware UUID (platform_uuid): + + ``` + SELECT json_extract (value,'$.platform_UUID') + FROM system_profiler + WHERE data_type='SPHardwareDataType'; + ``` + + Collect Mac Serial Number: + + ``` + SELECT json_extract (value,'$.serial_number') + FROM system_profiler + WHERE data_type='SPHardwareDataType'; + ``` + +notes: |- + + The system_profiler binary is a rich source of macOS data which can be used in many ways to enhance Mac management. + + Not all System Profiler data types are available via the system_profiler osquery table. Some data types are legacy & others are OS version-specific. + + The following data types are available from the system_profiler binary as of macOS 26: + + - SPParallelATADataType + - SPUniversalAccessDataType + - SPSecureElementDataType + - SPApplicationsDataType + - SPAudioDataType + - SPBluetoothDataType + - SPCameraDataType + - SPCardReaderDataType + - SPiBridgeDataType + - SPDeveloperToolsDataType + - SPDiagnosticsDataType + - SPDisabledSoftwareDataType + - SPDiscBurningDataType + - SPEthernetDataType + - SPExtensionsDataType + - SPFibreChannelDataType + - SPFirewallDataType + - SPFontsDataType + - SPFrameworksDataType + - SPDisplaysDataType + - SPHardwareDataType + - SPInstallHistoryDataType + - SPInternationalDataType + - SPNetworkLocationDataType + - SPLogsDataType + - SPManagedClientDataType + - SPMemoryDataType + - SPNVMeDataType + - SPNetworkDataType + - SPPCIDataType + - SPParallelSCSIDataType + - SPPowerDataType + - SPPrefPaneDataType + - SPPrintersSoftwareDataType + - SPPrintersDataType + - SPConfigurationProfileDataType + - SPRawCameraDataType + - SPLegacySoftwareDataType + - SPSASDataType + - SPSerialATADataType + - SPSPIDataType + - SPSmartCardsDataType + - SPSoftwareDataType + - SPStartupItemDataType + - SPStorageDataType + - SPSyncServicesDataType + - SPThunderboltDataType + - SPUSBHostDataType + - SPNetworkVolumeDataType + - SPAirPortDataType +columns: # (required) + - name: # (required) string - The name of the column + description: # (required) string - The column's description. Note: this field supports Markdown + type: # (required) string - the column's data type + required: # (required) boolean - whether or not this column is required to query this table. From 22332704fbf50da63850db9869bdfbc1517da2fb Mon Sep 17 00:00:00 2001 From: Eric Date: Tue, 16 Sep 2025 18:17:30 -0500 Subject: [PATCH 2/2] Update schema/tables/system_profiler.yml --- schema/tables/system_profiler.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/schema/tables/system_profiler.yml b/schema/tables/system_profiler.yml index c1b9fba0da2..4d52faf644a 100644 --- a/schema/tables/system_profiler.yml +++ b/schema/tables/system_profiler.yml @@ -85,8 +85,3 @@ notes: |- - SPUSBHostDataType - SPNetworkVolumeDataType - SPAirPortDataType -columns: # (required) - - name: # (required) string - The name of the column - description: # (required) string - The column's description. Note: this field supports Markdown - type: # (required) string - the column's data type - required: # (required) boolean - whether or not this column is required to query this table.