Why would a snapshot query be doubling up and tell...
# generalm
Mystery Incorporated
07/30/2021, 8:09 AMWhy would a snapshot query be doubling up and telling me that the things are both on and off at the same time???
s
seph
07/30/2021, 12:14 PM
osquery generally wouldn’t. You mentioned your query is
SELECT type,state FROM windows_security_productsseph
07/30/2021, 12:14 PM
Your screenshot looks like a SIEM post processing a log pipeline. I’d look to either your SIEM parsing rules, or your log pipeline;
seph
07/30/2021, 12:15 PM
Try to get logs from earlier to diagnose where your failiure is
m
Mystery Incorporated
07/31/2021, 12:48 AMHi @seph here is the JSON that is returned directly from osquery pre-processing into elastic:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"Off","type":"Firewall"},{"state":"On","type":"Antivirus"},{"state":"Off","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Fri Jul 30 06:19:03 2021 UTC","unixTime":1627625943,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxx","username":"xxx"}}Mystery Incorporated
07/31/2021, 12:48 AM@seph it seems like osquery is reporting two conflicting states for the same query how can that be?????
s
seph
07/31/2021, 12:49 AM
Pretty weird. What's the scheduled query?
m
Mystery Incorporated
07/31/2021, 12:50 AMIt's just
SELECT type,state FROM windows_security_productsMystery Incorporated
07/31/2021, 12:52 AMIt would appear that it does not do it all the time however, as I can see some good looking results such as:
{"snapshot":[{"state":"On","type":"Firewall"},{"state":"On","type":"Antivirus"}],"action":"snapshot","name":"pack/Windows Base Pack/fw_av_snapshot","hostIdentifier":"xxx","calendarTime":"Sat Jul 31 00:43:39 2021 UTC","unixTime":1627692219,"epoch":0,"counter":0,"numerics":false,"decorations":{"company":"xxx","host_hostname":"xxxx"}}s
seph
07/31/2021, 12:55 AM
Does the osquery_schedule show exactly what you think the query is? If you
select *m
Mystery Incorporated
07/31/2021, 1:20 AM@seph where do I see. the osquery_shedule?
Mystery Incorporated
08/01/2021, 1:04 PMThis mystery has been solved Scooby.
Mystery Incorporated
08/01/2021, 1:05 PMTurns out user installed Bitdefender, and so it is reporting Bitdefender on, Microsoft Defender off
s
seph
08/01/2021, 1:05 PM
Would that have been visible in a
select *m
Mystery Incorporated
08/01/2021, 1:05 PMThat's what I did just now yea
Mystery Incorporated
08/01/2021, 1:06 PMI had to wait for the machine to come back online
s
seph
08/01/2021, 1:06 PM
great!
m
Mystery Incorporated
08/01/2021, 1:06 PMScreen Shot 2021-08-01 at 11.06.17 pm.png
Mystery Incorporated
08/01/2021, 1:07 PMI need to rethink how I'm alerting on that table in that case
10 Views