Thomas Stromberg
10/12/2022, 7:22 PM
echo query | osqueryi
today.
I found https://github.com/osquery/osquery/pull/2093 which added --pack, but it appears to only run ones that are already defined as part of your config. As a workaround I was considering dynamically generating a JSON config file and passing it in via --config_path, but it seems pretty hacky & the sort of thing that someone probably found a better solution for.
Thomas Stromberg
10/12/2022, 7:24 PM
Thomas Stromberg
10/12/2022, 7:34 PM
seph
seph
Thomas Stromberg
10/12/2022, 9:26 PM
seph
Thomas Stromberg
10/12/2022, 9:52 PM
json.Marshal function. For example, it trips up on queries which contain double quotes (escaped via \)
Thomas Stromberg
10/13/2022, 12:44 PM
{
  "queries": {
    "waldo": {
      "query": "SELECT * FROM chrome_extensions WHERE name IN (\"Where's waldo?\", \"Google Docs Offline\");",
      "interval": "3600"
    }
  }
}
seph
seph
seph
Thomas Stromberg
10/13/2022, 1:01 PM
seph
seph
osquery> select 'hello''s';
+------------+
| 'hello''s' |
+------------+
| hello's    |
+------------+
Thomas Stromberg
10/13/2022, 1:06 PM
seph
seph
Thomas Stromberg
10/13/2022, 1:14 PM
seph
seph
seph
Thomas Stromberg
10/13/2022, 1:24 PM
osquery/packs). Both as an idea of best practices, and as an idea of what data sources are relevant.
didn't find the detection queries to be that useful, but the incident-response gave me additional ideas I hadn't considered.
seph
Thomas Stromberg
10/13/2022, 1:26 PM
detect/ are designed to be usable as a source of alerts. In fact, we use them that way. It does mean an insane amount of false-positive management though.
Thomas Stromberg
10/13/2022, 1:26 PMseph
Mike Myers
10/13/2022, 3:16 PM