Hey @maxwhite and @Mathieu Marcotte! Happy to help. Seems like we are talking about two tables…

windows_eventlog

and

windows_events

. Let’s start with

windows_eventlog

. So we have disabled querying

windows_eventlog

in Kolide because there seems to be a bug in osquery that on many devices causes it to freeze and not recover until the system is rebooted. See issue https://github.com/kolide/launcher/issues/670. It’s possible this is no longer an issue and we can unblock this table, we will look into it! For the other table

windows_events

. Querying tables ending in

_events

in Live Query can lead to unexpected results. Sometimes by querying events this way you actually clear them out from the local agent. You can read more about the evented architecture in osquery here. https://osquery.readthedocs.io/en/stable/development/pubsub-framework/ Generally for evented tables, you want to use the Log Pipeline so that when the events table is queried, the results are captured and sent to a log destination. We wrote a post about this topic but for Windows file events. https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide. The steps should be similar!

In fact our main "project" was to query for the minimum required password length for a local (non-AD) account; The only way we found was to enable an audit that would be sent to the Events Viewer; Would-you have another way? Thank you!

Hello, I'm having an issue with Kolide launcher:

{"caller":"launcher.go:133","err":"launching osquery instance: starting instance: could not calculate osquery file paths: extension path does not exist: C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: CreateFile C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: El sistema no puede encontrar el archivo especificado.","level":"info","msg":"interrupted","ts":"2022-08-02T16:42:40.1333351Z"}

Here's my build command

.\build\package-builder.exe make --hostname <http://osquery.dpsit.gba.gob.ar:443|osquery.dpsit.gba.gob.ar:443> --enroll_secret ******** --targets windows-service-msi --insecure --output_dir .

Hi guys 👋 , QQ Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports && given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588 , I presume Kolide have opted to use file_events to intercept when the report file is generated (within

~Library/Logs/DiagnosticReports

), then an augeas lense to parse the json values to catch these reports ? I've been currently solution engineering something similar, appreciate may not be something you wish to comment on however 😅

Totally agree, some of the markups we see here are indefensible.

Hey folks! What's the best way to run a query from the command-line against Kolide's osqueryd? For instance, I'd like to be able to interactively use osqueryi with the Kolide configuration (eventing tables, table restrictions, augeas configs, etc.) for testing & taking timing measurements.

Any tips for debugging why events tables are not being populated on certain Linux machines? For example, The

socket_events

and

process_events

tables are populated on half of our Linux machines running Kolide, but not the other. It sort of follows Linux distribution boundaries: • Ubuntu: Yes! • Fedora: No • Arch: Mixed • NixOS: Mixed. One machine has data in

process_events

, the other doesn't. Both seem to only record

systemd-timesyncd

bind calls in

socket_events

One of the ones where none of the tables are populated is my personal machine, so I'm happy to investigate. Is it possible that the auditd rules installed by osquery could conflict with previously written configurations? I did check the output of

sudo journalctl -t launcher

but it didn't seem to give any indications.

FYI great video demo of this feature can be found on loom. https://www.loom.com/share/4056bd51b4d147d7869b9268b42490be

Before I open up a bug w/ osquery upstream, is there anything in Kolide's privacy-aware confiuration that might prevent

process_events.env_size

from being populated? I have a query to find short-lived setuid overflow attempts but the field is always NULL. I suspect it's a bug relating to env whitelisting, but wanted to save the osquery maintainers some hassle if it was a known Kolide-specific issue.

Hi there, I am trying to get the version of chrome and alert if it is below a certain version, latest at the moment. I try to use the examples for deb_packages, but I do not manage to get them run. Is there a good place for examples and learn Kolide SQL? Besides I really like kolide - thanks!

Are Corporate VPNs Really on the Way Out? A decade ago corporate VPNs were everywhere, but they're struggling to find their place in a cloud-based world.

@SoxIn4 has left the channel

Your Company's Bossware Could Get You in Legal Trouble Workplace surveillance tools are extremely popular. Some may also be illegal.

Kolide Announces Okta Device Trust Integration Kolide now integrates with Okta to block untrusted and non-compliant devices. Achieve 100% compliance through end-user driven remediation.

Hi All, I’ve been able to get Kolide’s Launcher and OSQuery ( for Security Onion) to load on a few Synology NAS units. Unsurprisingly the info is a bit sparse, with no reported operating system, limited hardware specs and serial number reported as ‘12345678’ My question is - are there any easy ways to get this data filled in? I don’t want to spend much more time on it, what I have will do for now…

Presenting the Sensitive Data Report We're shining a light on one of cybersecurity's biggest blind spots.

Why We're Removing the "Unlock Mac With Apple Watch" Check We're mothballing this check but sharing our original query for those who want it.

How to Use Kolide to Patch Vulnerable Macs How to use Kolide to rapidly patch recent high-severity macOS vulnerabilities CVE-2023-23514 and CVE-2023-23529.

@Brandon Kurtz has left the channel

The History, Evolution, and Controversies of Zero Trust Zero Trust is an idea with endless permutations. For security pros, that's a blessing and a curse.

Hello! We currently have a couple of users for which Kolide eats-up more than 1GB of RAM, up to 2.8GB; Are-you aware of any reason for this going on, would there be a memory leak somewhere? Thank you,

Malvertising on Google Ads: It's Hiding in Plain Site Criminals are disguising malware as popular software, so users need to think twice before clicking the download button.

Big Changes to Our macOS Agent We recently made a few critical updates to our agent for macOS: we started shipping an app bundle; we changed the Apple account that signs the binary and package; and lastly, the way to grant Kolide Full Disk Access has changed.

2023's Least and Most Secure Authentication Methods Passkeys, Dongles, or Biometrics? What's the right mix to build hacker-proof MFA?

Introducing the Kolide Desktop App We've launched a cross-platform desktop app to keep users informed about their device status

The Humans Behind Kolide: Sam Schuna The Humans Behind Kolide series features interview-style blog posts with the humans who build our product and make it work. Get a behind-the-scenes look at who we are and the culture at Kolide.

The Guide to Kolide's Okta Integration Here's how Kolide fits into Okta's authentication flow, and how Okta fits into Kolide's device security solution.

The Real-World Challenges of Patch Management IT teams spend much of their time and resources keeping employee devices patched. So why are they still constantly playing catch-up?

The Humans Behind Kolide: Harlie Hardage The Humans Behind Kolide series features interview-style blog posts with the humans who build our product and make it work. Get a behind-the-scenes look at who we are and the culture at Kolide.

Mac Patch Management Is an Urgent, Unsolved Problem IT teams don't have effective tools to update their Mac fleets, but waiting weeks is no longer an option.