#general

Thomas Stromberg

10/20/2022, 1:49 PM
I'm proud to announce that we've open-sourced our detection & response rules for osquery: https://github.com/chainguard-dev/osquery-defense-kit - It contains 130+ production-ready queries we found useful for detecting malware & other anomalous behavior on our endpoints, designed with alerting in mind. PR's welcome 🙂

seph

10/20/2022, 2:50 PM
Nice! Really glad to see it!
2:52 PM
Looking through it a bit, I wonder if some of these should be using evented tables. https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-icmp-socket.sql for example — that’s going to bump into sampling timing issues. But the evented table socket_events is darwin and linux only.

Thomas Stromberg

10/20/2022, 3:10 PM
That's absolutely correct. When I wrote many of these queries early in the summer, we didn't have working event tables for reasons I couldn't work out at the time. Most of the process-based queries have been ported to events, but only one of the c2 ones has so far (the event queries tend to end with -events).
3:11 PM
One thing I have bumped into is that many of our Linux machines don't seem to be populating the events tables still for reasons I haven't sorted out - even my own

seph

10/20/2022, 3:11 PM
Ha! I love that you’re ahead of me.

Juan Alvarez

10/20/2022, 3:52 PM
this is awesome, thanks!