I'm proud to announce that we've open-sourced our detection & response rules for osquery: https://github.com/chainguard-dev/osquery-defense-kit - It contains 130+ production-ready queries we found useful for detecting malware & other anomalous behavior on our endpoints, designed with alerting in mind. PRs welcome 🙂
That's absolutely correct. When I wrote many of these queries early in the summer, we didn't have working event tables for reasons I couldn't work out at the time.
Most of the process-based queries have been ported to events, but only one of the C2 ones has so far (the event queries tend to end with -events).
One thing I have bumped into is that many of our Linux machines don't seem to be populating the events tables still for reasons I haven't sorted out - even my own