Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mystery Incorporated
07/30/2021, 8:09 AMWhy would a snapshot query be doubling up and telling me that the things are both on and off at the same time???
s
seph
07/30/2021, 12:14 PMosquery generally wouldn’t. You mentioned your query is
SELECT type,state FROM windows_security_productsYour screenshot looks like a SIEM post processing a log pipeline. I’d look to either your SIEM parsing rules, or your log pipeline;
Try to get logs from earlier to diagnose where your failiure is
m
Mystery Incorporated
07/31/2021, 12:48 AMHi @seph here is the JSON that is returned directly from osquery pre-processing into elastic:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"Off","type":"Firewall"},{"state":"On","type":"Antivirus"},{"state":"Off","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Fri Jul 30 06:19:03 2021 UTC","unixTime":1627625943,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxx","username":"xxx"}}@seph it seems like osquery is reporting two conflicting states for the same query how can that be?????
s
seph
07/31/2021, 12:49 AMPretty weird. What's the scheduled query?
m
Mystery Incorporated
07/31/2021, 12:50 AMIt's just
SELECT type,state FROM windows_security_productsIt would appear that it does not do it all the time however, as I can see some good looking results such as:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"On","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Sat Jul 31 00:43:39 2021 UTC","unixTime":1627692219,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxxx"}}s
seph
07/31/2021, 12:55 AMDoes the osquery_schedule show exactly what you think the query is? If you
select *m
Mystery Incorporated
07/31/2021, 1:20 AM@seph where do I see. the osquery_shedule?
This mystery has been solved Scooby.
Turns out user installed Bitdefender, and so it is reporting Bitdefender on, Microsoft Defender off
s
seph
08/01/2021, 1:05 PMWould that have been visible in a
select *m
Mystery Incorporated
08/01/2021, 1:05 PMThat's what I did just now yea
I had to wait for the machine to come back online
s
seph
08/01/2021, 1:06 PMgreat!
m
Mystery Incorporated
08/01/2021, 1:06 PMI need to rethink how I'm alerting on that table in that case