Added Apple_IntelligencePlatform_Wifi rule (#37)

scudette · web-flow · commit 85f684500e7c · 2025-11-04T01:17:18.000+10:00
diff --git a/definitions/Apple_IntelligencePlatform_Wifi.yaml b/definitions/Apple_IntelligencePlatform_Wifi.yaml
@@ -0,0 +1,33 @@
+Name: IntelligencePlatform
+Author: Yogesh Khatri - @swiftForensics, CyberCX
+Description: |
+  Parses the views.db database, part of Apple Intelligence which
+  provides detailed connect/disconnect events on recent wifi
+  connections.
+
+Globs:
+  - "/Users/*/Library/IntelligencePlatform/Artifacts/internal/views.db"
+
+Categories:
+  - MacOS
+
+FilenameRegex: "views.db"
+
+SQLiteIdentifyQuery: |
+  SELECT count(*) AS `Check`
+  FROM sqlite_master
+  WHERE type='table' AND name='wifiContextEvents';
+SQLiteIdentifyValue: 1
+
+Sources:
+  - name: Wifi
+    SQL: |
+      SELECT behaviorType, behaviorIdentifier, timestamp
+      FROM wifiContextEvents ORDER BY timestamp
+    VQL: |
+      SELECT timestamp(cocoatime=timestamp) AS Timestamp,
+             behaviorType,
+             split(string=behaviorIdentifier, sep=':')[0] AS event,
+             split(string=behaviorIdentifier, sep=':')[1] AS network,
+             OSPath[1] AS User
+      FROM Rows
diff --git a/docs/content/docs/rules/index.json b/docs/content/docs/rules/index.json
@@ -1,4 +1,18 @@
 [
+  {
+   "Name": "IntelligencePlatform",
+   "Author": "Yogesh Khatri - @swiftForensics, CyberCX",
+   "Description": "Parses the views.db database, part of Apple Intelligence which\nprovides detailed connect/disconnect events on recent wifi\nconnections.\n",
+   "Categories": [
+    "MacOS"
+   ],
+   "Sources": [
+    {
+     "Name": "Wifi"
+    }
+   ],
+   "RawData": "Name: IntelligencePlatform\nAuthor: Yogesh Khatri - @swiftForensics, CyberCX\nDescription: |\n  Parses the views.db database, part of Apple Intelligence which\n  provides detailed connect/disconnect events on recent wifi\n  connections.\n\nGlobs:\n  - \"/Users/*/Library/IntelligencePlatform/Artifacts/internal/views.db\"\n\nCategories:\n  - MacOS\n\nFilenameRegex: \"views.db\"\n\nSQLiteIdentifyQuery: |\n  SELECT count(*) AS `Check`\n  FROM sqlite_master\n  WHERE type='table' AND name='wifiContextEvents';\nSQLiteIdentifyValue: 1\n\nSources:\n  - name: Wifi\n    SQL: |\n      SELECT behaviorType, behaviorIdentifier, timestamp\n      FROM wifiContextEvents ORDER BY timestamp\n    VQL: |\n      SELECT timestamp(cocoatime=timestamp) AS Timestamp,\n             behaviorType,\n             split(string=behaviorIdentifier, sep=':')[0] AS event,\n             split(string=behaviorIdentifier, sep=':')[1] AS network,\n             OSPath[1] AS User\n      FROM Rows\n"
+  },
   {
    "Name": "iMessage",
    "Author": "x64-julian",
@@ -536,6 +550,6 @@
      "Name": "UserActivityLogging"
     }
    ],
-   "RawData": "Name: Windows Search Service\n\nDescription: |\n  Analysis of the Windows search index database. See\n  https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n  - Windows\n\nFilenameRegex: \"Windows.edb\"\nGlobs:\n  - C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb\n\nSources:\n- name: SystemIndex_Gthr\n  Preamble: |\n    LET MatchingFiles = SELECT OSPath FROM Rows\n\n    LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n    LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64\"))\n\n    LET FormatSize(T) = parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64\")\n\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT ScopeID, DocumentID, SDID,\n          FormatTimeB(T=LastModified) AS LastModified,\n          FileName\n       FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n    })\n    WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n      AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT Scope, Parent, Name\n       FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n    })\n    WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n  Preamble: |\n    LET X = scope()\n\n    -- The PropertyStore columns look like\n    -- \u003crandom\u003e-ProperName so we strip the\n    -- random part off to display it properly.\n    LET FilterDict(Dict) = to_dict(item={\n      SELECT split(sep_string=\"-\", string=_key)[1] || _key AS _key, _value\n      FROM items(item=Dict)\n    })\n\n    LET PropStore(OSPath) = SELECT *,\n       FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n       FormatSize(T=X.System_Size) AS System_Size,\n       FormatTime(T=X.System_DateModified) AS System_DateModified,\n       FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n       FormatTime(T=X.System_DateCreated) AS System_DateCreated\n    FROM foreach(row={\n       SELECT *, FilterDict(Dict=_value) AS _value\n       FROM items(item={\n         SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n      })\n    }, column=\"_value\")\n\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT *\n       FROM PropStore(OSPath=OSPath)\n    })\n    WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT WorkID,\n          System_Search_GatherTime,\n          System_Size,\n          System_DateModified,\n          System_DateCreated,\n          X.System_FileOwner AS System_FileOwner,\n          X.System_ItemPathDisplay AS System_ItemPathDisplay,\n          X.System_ItemType AS System_ItemType,\n          X.System_FileAttributes AS System_FileAttributes,\n          X.System_Search_AutoSummary AS System_Search_AutoSummary\n       FROM PropStore(OSPath=OSPath)\n    })\n    WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT X.ItemPathDisplay AS ItemPathDisplay,\n          X.Activity_ContentUri AS Activity_ContentUri,\n          X.Activity_Description AS Activity_Description\n       FROM PropStore(OSPath=OSPath)\n       WHERE Activity_ContentUri\n    })\n\n- name: UserActivityLogging\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n           FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n           FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n           X.ActivityHistory_AppId AS ActivityHistory_AppId\n       FROM PropStore(OSPath=OSPath)\n       WHERE ActivityHistory_AppId\n    })\n    WHERE ActivityHistory_StartTime \u003e DateAfter\n      AND ActivityHistory_StartTime \u003c DateBefore\n"
+   "RawData": "Name: Windows Search Service\n\nDescription: |\n  Analysis of the Windows search index database. See\n  https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n  - Windows\n\nFilenameRegex: \"Windows..db\"\nGlobs:\n  - \"C:\\\\ProgramData\\\\Microsoft\\\\Search\\\\Data\\\\Applications\\\\Windows\\\\Windows.*db\"\n\nSources:\n- name: SystemIndex_Gthr\n  Preamble: |\n    LET MatchingFiles = SELECT OSPath FROM Rows\n\n    LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n    LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64\"))\n\n    LET FormatSize(T) = parse_binary(\n       filename=T, accessor=\"data\", struct=\"uint64\")\n\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT ScopeID, DocumentID, SDID,\n          FormatTimeB(T=LastModified) AS LastModified,\n          FileName\n       FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n    })\n    WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n      AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT Scope, Parent, Name\n       FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n    })\n    WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n  Preamble: |\n    LET X = scope()\n\n    -- The PropertyStore columns look like\n    -- \u003crandom\u003e-ProperName so we strip the\n    -- random part off to display it properly.\n    LET FilterDict(Dict) = to_dict(item={\n      SELECT split(sep_string=\"-\", string=_key)[1] || _key AS _key, _value\n      FROM items(item=Dict)\n    })\n\n    LET PropStore(OSPath) = SELECT *,\n       FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n       FormatSize(T=X.System_Size) AS System_Size,\n       FormatTime(T=X.System_DateModified) AS System_DateModified,\n       FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n       FormatTime(T=X.System_DateCreated) AS System_DateCreated\n    FROM foreach(row={\n       SELECT *, FilterDict(Dict=_value) AS _value\n       FROM items(item={\n         SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n      })\n    }, column=\"_value\")\n\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT *\n       FROM PropStore(OSPath=OSPath)\n    })\n    WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT WorkID,\n          System_Search_GatherTime,\n          System_Size,\n          System_DateModified,\n          System_DateCreated,\n          X.System_FileOwner AS System_FileOwner,\n          X.System_ItemPathDisplay AS System_ItemPathDisplay,\n          X.System_ItemType AS System_ItemType,\n          X.System_FileAttributes AS System_FileAttributes,\n          X.System_Search_AutoSummary AS System_Search_AutoSummary\n       FROM PropStore(OSPath=OSPath)\n    })\n    WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT X.ItemPathDisplay AS ItemPathDisplay,\n          X.Activity_ContentUri AS Activity_ContentUri,\n          X.Activity_Description AS Activity_Description\n       FROM PropStore(OSPath=OSPath)\n       WHERE Activity_ContentUri\n    })\n\n- name: UserActivityLogging\n  VQL: |\n    SELECT * FROM foreach(row=MatchingFiles, query={\n       SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n           FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n           FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n           X.ActivityHistory_AppId AS ActivityHistory_AppId\n       FROM PropStore(OSPath=OSPath)\n       WHERE ActivityHistory_AppId\n    })\n    WHERE ActivityHistory_StartTime \u003e DateAfter\n      AND ActivityHistory_StartTime \u003c DateBefore\n"
   }
  ]

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,18 @@`
`1`	`1`	`[`
	`2`	`+ {`
	`3`	`+ "Name": "IntelligencePlatform",`
	`4`	`+ "Author": "Yogesh Khatri - @swiftForensics, CyberCX",`
	`5`	`+ "Description": "Parses the views.db database, part of Apple Intelligence which\nprovides detailed connect/disconnect events on recent wifi\nconnections.\n",`
	`6`	`+ "Categories": [`
	`7`	`+ "MacOS"`
	`8`	`+ ],`
	`9`	`+ "Sources": [`
	`10`	`+ {`
	`11`	`+ "Name": "Wifi"`
	`12`	`+ }`
	`13`	`+ ],`
	`14`	+ "RawData": "Name: IntelligencePlatform\nAuthor: Yogesh Khatri - @swiftForensics, CyberCX\nDescription: \|\n Parses the views.db database, part of Apple Intelligence which\n provides detailed connect/disconnect events on recent wifi\n connections.\n\nGlobs:\n - \"/Users//Library/IntelligencePlatform/Artifacts/internal/views.db\"\n\nCategories:\n - MacOS\n\nFilenameRegex: \"views.db\"\n\nSQLiteIdentifyQuery: \|\n SELECT count() AS `Check`\n FROM sqlite_master\n WHERE type='table' AND name='wifiContextEvents';\nSQLiteIdentifyValue: 1\n\nSources:\n - name: Wifi\n SQL: \|\n SELECT behaviorType, behaviorIdentifier, timestamp\n FROM wifiContextEvents ORDER BY timestamp\n VQL: \|\n SELECT timestamp(cocoatime=timestamp) AS Timestamp,\n behaviorType,\n split(string=behaviorIdentifier, sep=':')[0] AS event,\n split(string=behaviorIdentifier, sep=':')[1] AS network,\n OSPath[1] AS User\n FROM Rows\n"
	`15`	`+ },`
`2`	`16`	`{`
`3`	`17`	`"Name": "iMessage",`
`4`	`18`	`"Author": "x64-julian",`
`@@ -536,6 +550,6 @@`
`536`	`550`	`"Name": "UserActivityLogging"`
`537`	`551`	`}`
`538`	`552`	`],`
`539`		- "RawData": "Name: Windows Search Service\n\nDescription: \|\n Analysis of the Windows search index database. See\n https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n - Windows\n\nFilenameRegex: \"Windows.edb\"\nGlobs:\n - C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb\n\nSources:\n- name: SystemIndex_Gthr\n Preamble: \|\n LET MatchingFiles = SELECT OSPath FROM Rows\n\n LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\"))\n\n LET FormatSize(T) = parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\")\n\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT ScopeID, DocumentID, SDID,\n FormatTimeB(T=LastModified) AS LastModified,\n FileName\n FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n })\n WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT Scope, Parent, Name\n FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n })\n WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n Preamble: \|\n LET X = scope()\n\n -- The PropertyStore columns look like\n -- \u003crandom\u003e-ProperName so we strip the\n -- random part off to display it properly.\n LET FilterDict(Dict) = to_dict(item={\n SELECT split(sep_string=\"-\", string=_key)[1] \|\| _key AS _key, _value\n FROM items(item=Dict)\n })\n\n LET PropStore(OSPath) = SELECT ,\n FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n FormatSize(T=X.System_Size) AS System_Size,\n FormatTime(T=X.System_DateModified) AS System_DateModified,\n FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n FormatTime(T=X.System_DateCreated) AS System_DateCreated\n FROM foreach(row={\n SELECT , FilterDict(Dict=_value) AS _value\n FROM items(item={\n SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n })\n }, column=\"_value\")\n\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT \n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n VQL: \|\n SELECT FROM foreach(row=MatchingFiles, query={\n SELECT WorkID,\n System_Search_GatherTime,\n System_Size,\n System_DateModified,\n System_DateCreated,\n X.System_FileOwner AS System_FileOwner,\n X.System_ItemPathDisplay AS System_ItemPathDisplay,\n X.System_ItemType AS System_ItemType,\n X.System_FileAttributes AS System_FileAttributes,\n X.System_Search_AutoSummary AS System_Search_AutoSummary\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.ItemPathDisplay AS ItemPathDisplay,\n X.Activity_ContentUri AS Activity_ContentUri,\n X.Activity_Description AS Activity_Description\n FROM PropStore(OSPath=OSPath)\n WHERE Activity_ContentUri\n })\n\n- name: UserActivityLogging\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n X.ActivityHistory_AppId AS ActivityHistory_AppId\n FROM PropStore(OSPath=OSPath)\n WHERE ActivityHistory_AppId\n })\n WHERE ActivityHistory_StartTime \u003e DateAfter\n AND ActivityHistory_StartTime \u003c DateBefore\n"
	`553`	+ "RawData": "Name: Windows Search Service\n\nDescription: \|\n Analysis of the Windows search index database. See\n https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n - Windows\n\nFilenameRegex: \"Windows..db\"\nGlobs:\n - \"C:\\\\ProgramData\\\\Microsoft\\\\Search\\\\Data\\\\Applications\\\\Windows\\\\Windows.db\"\n\nSources:\n- name: SystemIndex_Gthr\n Preamble: \|\n LET MatchingFiles = SELECT OSPath FROM Rows\n\n LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\"))\n\n LET FormatSize(T) = parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\")\n\n VQL: \|\n SELECT FROM foreach(row=MatchingFiles, query={\n SELECT ScopeID, DocumentID, SDID,\n FormatTimeB(T=LastModified) AS LastModified,\n FileName\n FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n })\n WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT Scope, Parent, Name\n FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n })\n WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n Preamble: \|\n LET X = scope()\n\n -- The PropertyStore columns look like\n -- \u003crandom\u003e-ProperName so we strip the\n -- random part off to display it properly.\n LET FilterDict(Dict) = to_dict(item={\n SELECT split(sep_string=\"-\", string=_key)[1] \|\| _key AS _key, _value\n FROM items(item=Dict)\n })\n\n LET PropStore(OSPath) = SELECT ,\n FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n FormatSize(T=X.System_Size) AS System_Size,\n FormatTime(T=X.System_DateModified) AS System_DateModified,\n FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n FormatTime(T=X.System_DateCreated) AS System_DateCreated\n FROM foreach(row={\n SELECT , FilterDict(Dict=_value) AS _value\n FROM items(item={\n SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n })\n }, column=\"_value\")\n\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT \n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n VQL: \|\n SELECT FROM foreach(row=MatchingFiles, query={\n SELECT WorkID,\n System_Search_GatherTime,\n System_Size,\n System_DateModified,\n System_DateCreated,\n X.System_FileOwner AS System_FileOwner,\n X.System_ItemPathDisplay AS System_ItemPathDisplay,\n X.System_ItemType AS System_ItemType,\n X.System_FileAttributes AS System_FileAttributes,\n X.System_Search_AutoSummary AS System_Search_AutoSummary\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.ItemPathDisplay AS ItemPathDisplay,\n X.Activity_ContentUri AS Activity_ContentUri,\n X.Activity_Description AS Activity_Description\n FROM PropStore(OSPath=OSPath)\n WHERE Activity_ContentUri\n })\n\n- name: UserActivityLogging\n VQL: \|\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n X.ActivityHistory_AppId AS ActivityHistory_AppId\n FROM PropStore(OSPath=OSPath)\n WHERE ActivityHistory_AppId\n })\n WHERE ActivityHistory_StartTime \u003e DateAfter\n AND ActivityHistory_StartTime \u003c DateBefore\n"
`540`	`554`	`}`
`541`	`555`	`]`