How do you improve the accuracy of alarm with osquery for ho osquery #general

How do you improve the accuracy of alarm with osqu...

demonbhao

11/11/2020, 9:11 AM

How do you improve the accuracy of alarm with osquery for host intrusion detection The biggest problem I have encountered now is that I can't do the difference query. I only want to query the results of columns to change before generating the log, so as to alarm As shown in the figure below, this is the problem I encountered. I set the one-hour interval to query the timing tasks running on the host, but columns did not change and the logs were generated (only the time was changed in the comparison between the two logs).

theopolis

11/12/2020, 12:42 AM

The epoch for the results is 0 for both of those logs. That may indicate an error but if definitely means the first result was not compared to the second.

theopolis

11/12/2020, 12:44 AM

It is possible something is deleting osquery’s storage, or the configuration and specific query have changed between the two times the query was executed.

demonbhao

11/12/2020, 2:22 AM

Do you mean that osquery may not save the last query result record to the virtual table so that the next query will not be able to compare results? And what does this epoch represent?And what does the action in the log represent?

theopolis

11/12/2020, 2:29 AM

Yes, epoch counts the number of times the specific scheduled query has been run. If you have a query in the schedule

SELECT * FROM system_info

then change that query to

SELECT * from system_info

the results will be invalidated and the epoch will restart at 0. The action indicates if the row was observed as added (newly observed) or removed (no longer existing). This page goes into some detail about these metadata fields: https://osquery.readthedocs.io/en/latest/deployment/logging/#schedule-results

theopolis

11/12/2020, 2:30 AM

(err, sorry the counter is the field that increments each execution)

demonbhao

11/12/2020, 2:36 AM

Well, I looked in my journal and found that the epoch was zero and I thought I needed to look at this place

demonbhao

11/12/2020, 2:59 AM

Hi, I looked at the links but I haven't changed my query I looked at logs in both test and production environments and found the results of epoch is 0 Where can I check the storage of osquery has been deleted?

demonbhao

11/13/2020, 10:22 AM

Hello, I have checked the official documentation but still have no idea why the epoch in the osquery results log is 0 I checked that the query did not change and the log results would not be deleted and I was wondering why there was no difference query My queries were all issued by Fleet, which was 3.3.0, and osquery, which was 4.5.1

demonbhao

11/16/2020, 3:50 AM

Hi，@theopolis I hope you can see the following situation, thank you

theopolis

11/16/2020, 6:57 PM

Hey, I don't have a lot of time to help debug right now (sorry about that). The epoch staying 0 seems expected and supports the fact that you have not changed the query. Are you sure the query is not a

snapshot:true

query? I am not sure what this looks like in the Fleet UI but a snapshot-type query skips the differential comparison.

demonbhao

11/17/2020, 2:05 AM

I'm sorry to interrupt your time.So this is my settings on Fleet Thank you for your time

theopolis

11/20/2020, 1:36 AM

Can you turn that to not ignore removals?

demonbhao

11/20/2020, 3:35 AM

YES I changed to not Ignore removals the other day The following observation log changes from columns. xxx to diffResults A lot of diffResults appeared

3 Views

Open in Slack

Previous Next