Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
Zach Zeid
05/20/2020, 12:30 PMwhat is the implication of setting
removed: falseso my understanding is that if I have
removed: falset
terracatta
05/20/2020, 1:28 PMremoved false is only relevant for differential queries, it causes only "added" rows to be emitted to the log and will not report rows that are removed. This is useful when you don't really care about tracking when existing rows are removed from the result set when the queries is run over time.
z
Zach Zeid
05/20/2020, 1:29 PMwhat is an example of a differential query?
something like
select * from process;t
terracatta
05/20/2020, 1:34 PMyeah
any query can be run in differential mode
z
Zach Zeid
05/20/2020, 1:35 PMso if I had that query it would essentially just tell me when new processes are created?
t
terracatta
05/20/2020, 1:35 PMright, and if you have removed: false you would not see when they were stopped
this is useful if you only need the output to see if certain programs are running, but don't care if certain programs are NOT running
z
Zach Zeid
05/20/2020, 1:36 PMand if I didn't have the query I'd see both
addedremovedt
terracatta
05/20/2020, 1:37 PMright
z
Zach Zeid
05/20/2020, 1:37 PMAwesome, that's incredibly helpful, thank you!
t
terracatta
05/20/2020, 1:37 PMare you the same Zach Zeid that worked at Mandiant/FEYE? If so, it's Jason Meller, not sure if you remember me.
z
Zach Zeid
05/20/2020, 1:37 PMoh snap! what's up!
t
terracatta
05/20/2020, 1:38 PMHaha, I was like, no way two people have an awesome double Z name like that.
z
Zach Zeid
05/20/2020, 1:39 PMWe're a rare kind for sure 😄
t
terracatta
05/20/2020, 1:40 PMAnyway, the osquery docs are actually super good at explaining this stuff. https://osquery.readthedocs.io/en/latest/deployment/logging/ is worth a read
z
Zach Zeid
05/20/2020, 1:41 PMThat's what I was reading, I wanted to make sure I was understanding it correctly. Right now, we're doing snapshots, but want to move towards a more "continuous" monitoring with osquery.
t
terracatta
05/20/2020, 1:43 PMWhat a lot of people do is they continue to use snapshots (they just run them much less frequently) but also use diffs as well for the same queries on a more frequent schedule. That way when you emit results to wherever (splunk, ELK) you can still see the full results in the log output every 4 or 6 hours, if you want to be sure of the current state, but the diff covers you for incremental changes in-between those snapshots.
z
Zach Zeid
05/20/2020, 1:45 PMif I don't include either
removed: falsesnapshot: truet
terracatta
05/20/2020, 1:45 PMyes, diff is the default, and by default it will show both add/remove events
z
Zach Zeid
05/20/2020, 1:50 PMExcellent, that's good to know, thanks!