Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
demonbhao
11/11/2020, 9:11 AMHow do you improve the accuracy of alarm with osquery for host intrusion detection
The biggest problem I have encountered now is that I can't do the difference query. I only want to query the results of columns to change before generating the log, so as to alarm
As shown in the figure below, this is the problem I encountered. I set the one-hour interval to query the timing tasks running on the host, but columns did not change and the logs were generated (only the time was changed in the comparison between the two logs).
t
theopolis
11/12/2020, 12:42 AMThe epoch for the results is 0 for both of those logs. That may indicate an error but if definitely means the first result was not compared to the second.
It is possible something is deleting osquery’s storage, or the configuration and specific query have changed between the two times the query was executed.
d
demonbhao
11/12/2020, 2:22 AMDo you mean that osquery may not save the last query result record to the virtual table so that the next query will not be able to compare results?
And what does this epoch represent?And what does the action in the log represent?
t
theopolis
11/12/2020, 2:29 AMYes, epoch counts the number of times the specific scheduled query has been run. If you have a query in the schedule
SELECT * FROM system_infoSELECT * from system_info(err, sorry the counter is the field that increments each execution)
d
demonbhao
11/12/2020, 2:36 AMWell, I looked in my journal and found that the epoch was zero and I thought I needed to look at this place
Hi, I looked at the links but I haven't changed my query
I looked at logs in both test and production environments and found the results of epoch is 0
Where can I check the storage of osquery has been deleted?
Hello, I have checked the official documentation but still have no idea why the epoch in the osquery results log is 0
I checked that the query did not change and the log results would not be deleted and I was wondering why there was no difference query
My queries were all issued by Fleet, which was 3.3.0, and osquery, which was 4.5.1
Hi,@theopolis I hope you can see the following situation, thank you
t
theopolis
11/16/2020, 6:57 PMHey, I don't have a lot of time to help debug right now (sorry about that). The epoch staying 0 seems expected and supports the fact that you have not changed the query. Are you sure the query is not a
snapshot:trued
demonbhao
11/17/2020, 2:05 AMI'm sorry to interrupt your time.So this is my settings on Fleet
Thank you for your time
t
theopolis
11/20/2020, 1:36 AMCan you turn that to not ignore removals?
d
demonbhao
11/20/2020, 3:35 AMYES I changed to not Ignore removals the other day
The following observation log changes from columns. xxx to diffResults
A lot of diffResults appeared