anyone know how to collect dns requests made?
# general
b
anyone know how to collect dns requests made?
c
I think you are referring to this blog post by Uptycs which has the following table: dns_lookup_events. I think that table is only available on Uptycs' Osquery agent, I don't see that table listed on the open source version of Osquery: https://osquery.io/schema/4.7.0/ However, if you're on a Windows platform you can enumerate the DNS cache with the dns_cache table.
m
We've experimented with catching DNS on Linux using an extension: https://github.com/trailofbits/osquery-extensions/tree/master/network_monitor
b
I think being able to timebox a DNS record to an IP would enrich the process connections table extremely well. I don't know the resource increase from passively monitoring interfaces, but from an investigation standpoint this is one of my biggest gaps in a zero trust environment (e.g. I don't have a bottleneck egress).
t
Zeek is also a great NSM agent that has several solutions for combining data with osquery.
IMO zeek is purpose-built for this type of network style monitoring; they also have https://github.com/zeek/zeek-agent which can actually augment the network data with process info from osquery,
assuming you have both installed.
b
Love zeek but feel that is overkill for this request
w
i would love to see dns_lookup_events and http_event built into native osquery. in a remote world w/ covid, having that data come from the endpoint and not tied to a specific office or physical location is huge.
even when most people were in an office, i’d much rather gather this data from the endpoint. “welp, all the post exploitation activity happened when they were at home so none of our C2 alerts fired”
b
That would be amazing to have those two. Anyone looked at what the lift would be?
o
On Windows, we have it thru an extension: https://github.com/polylogyx/osq-ext-bin