osquery can help teams with gathering information at scale across environments for IT and help desk operations, compliance and M

In this ongoing blog series, we will show how to construct advanced Audit and Remediation queries to meet use cases across IT Operations, Helpdesk Operations, Security, Incident Response, Compliance, and more. By understanding how these queries are constructed, you will be empowered to extend this knowledge to solving other use cases, all while making your teams more efficient and effective in their roles.

This blog series is intended for readers that have a basic understanding of SQLite and have an osquery test environment. If neither of these things is true for you, please take a moment to read the Audit and Remediation Best Practices Guide before exploring the rest of this blog series.

// The log directory stores info, warning, and errors.
// If the daemon uses the 'filesystem' logging retriever then the log_dir

// Set 'disable_logging' to true to prevent writing any info, warning, error
// If a logging plugin is selected it will still write query results.

// Splay the scheduled interval for queries.
// This is very helpful to prevent system performance impact when scheduling
// large numbers of queries that run at smaller or similar intervals.

// A filesystem path for disk-based backing storage used for events and
"database_path": "/var/osquery/osquery.db",

// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.

// Comma-delimited list of table names to be enabled.
// This allows osquery to be launched with certain tables only.

// This is a simple example query that outputs basic system information.
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info ",
// The interval in seconds to run this query, not an exact interval.

"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='sh.
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='tar -zcvf garbage' ",
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='docker build -t docker-testing:1.
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='docker run -name redis-docker-performance-testing-1 -d docker-testing:1' ",

// Decorators are normal queries that append data to every query.
"SELECT uuid AS host_uuid FROM system_info ",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1 "

// Add default osquery packs or install your own.
// There are several 'default' packs installed with 'make install' or via
// Homebrew: /usr/local/share/osquery/packs
"osquery-monitoring": "/var/osquery/packs/nf",
"it-compliance": "/usr/share/osquery/packs/nf",
"osx-attacks": "/usr/share/osquery/packs/nf",
"vuln-management": "/usr/share/osquery/packs/nf",
"hardware-monitoring": "/usr/share/osquery/packs/nf",
"ossec-rootkit": "/usr/share/osquery/packs/nf",
"windows-hardening": "C:\\Program Files\\osquery\\packs\\nf",
"windows-attacks": "C:\\Program Files\\osquery\\packs\\nf"

// Provides feature vectors for osquery to leverage in simple statistical
// Currently this configuration is only used by Windows in the Powershell
// Events table, wherein character_frequencies is a list of doubles
// representing the aggregate occurrence of character values in Powershell