# general
t
I'm proud to announce that we've open-sourced our detection & response rules for osquery: https://github.com/chainguard-dev/osquery-defense-kit - It contains 130+ production-ready queries we found useful for detecting malware & other anomalous behavior on our endpoints, designed with alerting in mind. PR's welcome 🙂
s
Nice! Really glad to see it!
Looking through it a bit, I wonder if some of these should be using evented tables. https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-icmp-socket.sql for example — that's going to bump into sampling timing issues. But the evented table `socket_events` is darwin and linux only.
t
That's absolutely correct. When I wrote many of these queries early in the summer, we didn't have working event tables for reasons I couldn't work out at the time. Most of the process-based queries have been ported to events, but only one of the c2 ones has so far (the event queries tend to end with `-events`).
One thing I have bumped into is that many of our Linux machines don't seem to be populating the events tables still for reasons I haven't sorted out - even my own
s
Ha! I love that you’re ahead of me.
j
this is awesome, thanks!