# fleet
c
While we're talking about it - what are people using to receive, work with, alert on, analyse etc. the osquery result logs? Interested to hear what people are doing, or if there are any osquery-specific projects in that space, since it's not really in fleet's featureset
j
We ship logs to https://coralogix.com/ - it's like a souped-up, managed ELK stack. Lots of folks use ELK
c
yeah happy to do my own analysis in kibana etc but just wondering if there were other solutions out there
j
We send logs to the fleet server (running on k8s), then export these logs to AWS S3 with FluentBit; from there we ingest this data into Databricks (basically a datalake platform), and from there we run the searches and use an in-house solution for alerting and deduplication of the results
k
Splunk for us
j
ELK here
j
We send the data to Devo via FleetDM
c
thanks all, interesting spread
z
Thank you all for sharing 🙂 We see a ton of Splunk and ELK, along with Snowflake (+ Panther), Devo, Sumo Logic, and Graylog. GCP also seems to recommend Fleet for osquery log ingestion with their Chronicle product, though we haven't yet seen it ourselves. We've also seen some use of SOAR platforms (particularly with the webhooks features on policies and vulnerabilities). Folks seem very pleased with Tines.
d
Security Onion here, backend of Elastic Stack with custom Hunt, Dashboard & Alerting interfaces. Built-in integration & parsing for osquery logs.