Hi all.. Can someone share good Macos osquery use ...
# general
m
Hi all. Can someone share good macOS osquery use cases?
j
Uptycs has an on-demand webinar specifically focused on macOS: https://www.uptycs.com/register-for-our-webinar-osquery-and-macos-security-best-practices
s
That question is a bit too broad to answer simply. What kind of thing are you looking for?
I think most of this Slack has macOS by default, so there’s a good chance anything you see here is macOS.
Kolide (my employer) tends to publish some pretty in-depth blog posts about things: https://blog.kolide.com/
m
I’m looking for some osquery use cases specific to macOS. For example: SELECT * FROM signature s JOIN launchd d ON d.program_arguments = s.path WHERE d.name LIKE 'com.apple.%' AND s.signed = 0 AND d.run_at_load = 1
The above looks for apps with a com.apple name that are not signed.
f
@MaxosxOsquery It appears based on your question that you are looking for DFIR-style macOS queries? Osquery is a relatively unopinionated tool that gives you broad visibility into various endpoint state and metadata. You could look for:
• unencrypted hard disks
• misconfigured firewalls
• unsigned kernel extensions
• etc. etc.
You need to ask yourself what goals you are trying to accomplish, and then we can better answer whether osquery can satisfy your needs, rather than someone trying to enumerate every potential capability.
Here you can find a collection of queries recommended by Palantir several years ago: https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/MacOS/osquery.conf
m
Yes, you’re correct. I’m looking for use cases that cannot be covered by the latest EDR tools, more from a threat hunting perspective. Let me have a look at the Palantir one.
s
Several EDR tools use osquery under the hood.
m
Yes, but is there any set of queries for performing threat hunting on macOS?
j
Previously, the project came with a set of queries as part of the osquery package. However, the community and maintainers felt that providing a baseline of queries gives a false sense of security. The power of osquery, among many things, is that the community has continuously extended its features by tailoring it to their companies’ use cases, and there is a proven record of threat hunters manually finding malware with it.
I don’t recall, but the QueryCon and Osquery@Scale conferences might have presentations focused on macOS.
s
j
I assumed they were removed based on conversations during office hours.
s
There’s an issue somewhere… There’s general interest in removing them, or moving them to their own repo, but still shipping them in a release.
c
@MaxosxOsquery we’ve written close to 200 of them at work. Many are bespoke to us, but in general OS X works by operating a series of interlocking frameworks that all leave cmdline histories.
My advice to you is to set up a VM and do shady stuff, pull OS X malware from VirusTotal, etc., and look at the osquery output.
For example, there are queries that can use mdfind, which is Spotlight, so you get the equivalent of a system-wide "grep". Or, like, we have a query that checks if Gatekeeper / SIP are enabled.
m
I found some macOS osquery queries in the Carbon Black community forum: https://community.carbonblack.com/t5/Query-Exchange/idb-p/query_exchange/label-name/Mac