Thomas Stromberg
10/12/2022, 7:22 PM
echo query | osqueryi
today.

I found https://github.com/osquery/osquery/pull/2093 which added --pack, but it appears to only run ones that are already defined as part of your config. As a workaround I was considering dynamically generating a JSON config file and passing it in via --config_path, but it seems pretty hacky & the sort of thing that someone probably found a better solution for.

seph

Thomas Stromberg
10/12/2022, 9:26 PM

seph

Thomas Stromberg
10/13/2022, 12:44 PM
{
  "queries": {
    "waldo": {
      "query": "SELECT * FROM chrome_extensions WHERE name IN (\"Where's waldo?\", \"Google Docs Offline\");",
      "interval": "3600"
    }
  }
}

seph

Thomas Stromberg
10/13/2022, 1:01 PM

seph
osquery> select 'hello''s';
+------------+
| 'hello''s' |
+------------+
| hello's    |
+------------+

Thomas Stromberg
10/13/2022, 1:06 PM

seph

Thomas Stromberg
10/13/2022, 1:14 PM

seph

Thomas Stromberg
10/13/2022, 1:24 PM
osquery/packs). Both as an idea of best practices, and as an idea of what data sources are relevant. Didn't find the detection queries to be that useful, but the incident-response gave me additional ideas I hadn't considered.

seph

Thomas Stromberg
10/13/2022, 1:26 PM
detect/ are designed to be usable as a source of alerts. In fact, we use them that way. It does mean an insane amount of false-positive management though.

seph

Mike Myers
10/13/2022, 3:16 PM