Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Thomas Stromberg
10/20/2022, 1:49 PMI'm proud to announce that we've open-sourced our detection & response rules for osquery: https://github.com/chainguard-dev/osquery-defense-kit - It contains 130+ production-ready queries we found useful for detecting malware & other anomalous behavior on our endpoints, designed with alerting in mind. PR's welcome 🙂
s
seph
10/20/2022, 2:50 PMNice! Really glad to see itl
Looking through it a bit, I wonder if some of these should be using evented tables.
https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-icmp-socket.sql for example — that’s going to bump into sampling timing issues.
But the evented table
socket_eventst
Thomas Stromberg
10/20/2022, 3:10 PMThat's absolutely correct. When I wrote many of these queries early in the summer, we didn't have working event tables for reasons I couldn't work out at the time.
Most of the process based queries have been ported to events, but not only one of the c2 ones has so far (the event queries tend to end with
-eventsOne thing I have bumped into is that many of our Linux machines don't seem to be populating the events tables still for reasons I haven't sorted out - even my own
s
seph
10/20/2022, 3:11 PMHa! I love that you’re ahead of me.
j
Juan Alvarez
10/20/2022, 3:52 PMthis is awesome, thanks!