I m proud to announce that we ve open sourced our detection

Question

I m proud to announce that we ve open sourced our detection amp response rules for osquery <https github com chainguard dev osquery defense kit> It contains 130+ production ready queries we found useful for detecting malware amp other anomalous behavior on our endpoints designed with alerting in mind PR s welcome slightly smiling face

seph · Answer

Nice Really glad to see itl

seph · Answer

Looking through it a bit I wonder if some of these should be using evented tables <https github com chainguard dev osquery defense kit blob main detection c2 unexpected icmp socket sql> for example that s going to bump into sampling timing issues But the evented table `socket events` is darwin and linux only

Thomas Stromberg · Answer

That s absolutely correct When I wrote many of these queries early in the summer we didn t have working event tables for reasons I couldn t work out at the time Most of the process based queries have been ported to events but not only one of the c2 ones has so far the event queries tend to end with ` events`

Thomas Stromberg · Answer

One thing I have bumped into is that many of our Linux machines don t seem to be populating the events tables still for reasons I haven t sorted out even my own

seph · Answer

Ha I love that you re ahead of me

Juan Alvarez · Answer

this is awesome thanks