Title
#general
Mystery Incorporated

Mystery Incorporated

07/30/2021, 8:09 AM
Why would a snapshot query be doubling up and telling me that the things are both on and off at the same time???
s

seph

07/30/2021, 12:14 PM
osquery generally wouldn’t. You mentioned your query is
SELECT type,state FROM windows_security_products
That should produce two rows, each with two columns.
12:14 PM
Your screenshot looks like a SIEM post processing a log pipeline. I’d look to either your SIEM parsing rules, or your log pipeline;
12:15 PM
Try to get logs from earlier to diagnose where your failiure is
Mystery Incorporated

Mystery Incorporated

07/31/2021, 12:48 AM
Hi @seph here is the JSON that is returned directly from osquery pre-processing into elastic:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"Off","type":"Firewall"},{"state":"On","type":"Antivirus"},{"state":"Off","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Fri Jul 30 06:19:03 2021 UTC","unixTime":1627625943,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxx","username":"xxx"}}
12:48 AM
@seph it seems like osquery is reporting two conflicting states for the same query how can that be?????
s

seph

07/31/2021, 12:49 AM
Pretty weird. What's the scheduled query?
Mystery Incorporated

Mystery Incorporated

07/31/2021, 12:50 AM
It's just
SELECT type,state FROM windows_security_products
set as a snapshot query and told to run every 112 seconds
12:52 AM
It would appear that it does not do it all the time however, as I can see some good looking results such as:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"On","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Sat Jul 31 00:43:39 2021 UTC","unixTime":1627692219,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxxx"}}
s

seph

07/31/2021, 12:55 AM
Does the osquery_schedule show exactly what you think the query is? If you
select *
do the other columns hint at anything?
Mystery Incorporated

Mystery Incorporated

07/31/2021, 1:20 AM
@seph where do I see. the osquery_shedule?
1:04 PM
This mystery has been solved Scooby.
1:05 PM
Turns out user installed Bitdefender, and so it is reporting Bitdefender on, Microsoft Defender off
s

seph

08/01/2021, 1:05 PM
Would that have been visible in a
select *
?
Mystery Incorporated

Mystery Incorporated

08/01/2021, 1:05 PM
That's what I did just now yea
1:06 PM
I had to wait for the machine to come back online
s

seph

08/01/2021, 1:06 PM
great!
Mystery Incorporated

Mystery Incorporated

08/01/2021, 1:06 PM
1:07 PM
I need to rethink how I'm alerting on that table in that case