Based on the above extension, a new community version of the platform is released today and available at: https://github.com/eclecticiq/eiq-er-ce

To know more about the additional visibility features in the extension: https://blog.eclecticiq.com/catch-em-deletes-increasing-visibility-not-the-cost

Good Morning. When looking in the extension log I can see references to a cert and attempted connections to a management server. Can this be disabled as we are not using that functionality of this extension.

I am also experiencing the race condition mentioned on git where filtered events get collected. Is there a way to reduce this, at times the amount of logs collected causes the extension to crash. And it seems even after allowing time for the race condition to correct I see events that should have been filtered being collected by the extension.

Is there any other logging location for the extension other than

plgx-win-extension

. I have been getting what appears to be resource exhaustion. I start the extension and it collects logs for about 1 minute then stops collecting. tailing the extension log I can see it reapplying the event filters and re-reading the config then eventually show the error below. Is there a place I can find more logs on this issue so I can try to fix it.

In case you wish to deploy osquery+agent without a manager (e.g. thru a script on local or remote systems or in a sandbox prior to detonating a malware), here is a script that will enable you to do so. https://github.com/eclecticiq/osq-ext-bin/tree/master/install

Thanks @lvferdi for your continued testing and reporting the issues. A new release of the extension has been posted with instruction on how to adjust the agent log depth (which can significantly help on query performances). https://github.com/eclecticiq/osq-ext-bin

I will install today and reply with results.

Ty

Looking forward

Hey Team, we have been load testing with osquery and this extension and it seems that using this extension makes osquery run and peak with a much higher cpu% than our normal osquery configurations. We were wondering if this normally makes osquery use a lot more cpu% or if this could just be resolved with tweaking our configs.

@Shane Sanborn, any improvements with your testing? Is there any logs you can share, if not.

Afternoon polylogyx team, just wanted to say the newly released agent has been rock solid. With the right filters to reduce overly noisy sources I have been able to get the agent to run error free for over a week with no errors from the extension. File_Events seemed to be one of the biggest offenders but I got that dialed in. Thanks for the great agent.

@lvferdi, thanks for the kind words. And a minor correction. We are now "EclecticIQ" team 🙂

Announcing the new release of our extension which has additional monitoring (e.g. named pipes) and a cool new feature that integrates the extension with 'desktop search'. This allows to use OSquery's SQL syntax to search for files on the desktop and overcomes the limitation of 'file' table. https://github.com/eclecticiq/osq-ext-bin

And also published the new version of our full Osquery management solution, Endpoint Response (ER) 4.0 Community Edition : https://github.com/eclecticiq/eiq-er-ce

We created a table in our extension that helps monitor log files. The blog describes on how the table can be used to monitor for IIS logs https://medium.com/eclecticiq/using-log-parsing-to-stop-microsoft-iis-backdoor-attacks-3bd6081dc47d

In the last release of extension, we added a feature to index the disk to make file searches easier on the disk (over and above what 'file' table provides) thru a new table. If interested on how it helps with threat hunt: https://medium.com/eclecticiq/hunting-emotet-made-easy-with-eclecticiq-endpoint-response-caef410772c8

If you were looking for some info on comparison between sysmon's filters and the filters usage in the extension, we published a bit of details on that: https://blog.eclecticiq.com/comparing-sysmon-and-eclecticiq-endpoint-response-event-filters

PolyMon is a windows desktop tool that wraps osquery and the extension to make it easier to use with a front end and some analytics. A new version of the same has been posted here: https://github.com/eclecticiq/eiq-polymon/ Invite everyone to try and share the feedback, if possible. 🙏👍

👋 Hello, team!

Hi. I am using the version v4.0.0.0 release. Regarding win_registry_events - I have been trying to get registry change detection to work. I want to monitor some additional keys. I have tried test cases monitoring/creating/deleting registry keys in areas where is is supposed to monitor and I never see the changes logged as win_registry_events. I must be missing something. I am running Windows 10 Pro, US-EN, 22H2, 19045.2486. For the sake of simplicity, I want to monitor HKEY_CURRENT_USER\Keyboard LayoutHKEY_CURRENT_USER\Keyboard Layout. I have followed the pattern but it does not show a win_registry_events in the log.

Thanks!

@Jams has left the channel

Hey Team, does this extension no longer exist since I can't seem to find the repo anymore?

Hi, the extension has been moved as a part of corporate re-org to a diff organisation

It is unclear at the moment if they wish to continue on the project

That’s unfortunate to hear. Hope it’s a good move for the core team.

@Ronald Cardoso has left the channel