Title
#general
d

DG

04/07/2020, 4:52 PM
Been wondering for a while - since i know osqpery is meant to be turned to what you ultimately want for it (why waste resources) - but is there a best of breed most people adopt? I am thinking the SwiftOnSecurity Sysmon XML equivalent for osquery? This the info "most" want, now have your system alert on it.
4:53 PM
I have spent time looking at other peoples flag files, but ultimately verbose is te only flag I am really avoiding as it becomes an ingress nightmare for me. Over 200mb/hr per system.
Stefano Bonicatti

Stefano Bonicatti

04/07/2020, 5:01 PM
Yeah
--verbose
flag is only meant to be a debugging flag, not to keep in production
d

DG

04/07/2020, 5:02 PM
yea but i see it DAMN near every config i google, and then mentioned again on the alessandrogario post.. so thanks for validating its removal - feel like i must be doing 1% correct : )
Stefano Bonicatti

Stefano Bonicatti

04/07/2020, 5:03 PM
I cannot speak for other cases but Alessandro was trying to investigate on an issue, so it's useful in that context
zwass

zwass

04/07/2020, 5:04 PM
Typically you are only interested in the status logs as far as they are telling you that there is an issue generating results. This means you would typically want verbose off, as it generates orders of magnitude more status logs for the same results.
s

seph

04/07/2020, 5:18 PM
What everyone said. IMO verbose is for debugging 🙂
5:18 PM
(When I notice debug oriented log noise in the info logs, I PR them to the verbose ones)
5:20 PM
TBH I think the flags are kinda boring. I think there’s a better question around what the query schedule/configs are. And that seems very nebulous. Threat hunting is different than metrics gathering is different than security monitoring is different than compliance… Each vendor seems to have their own take. There’s space for a solid community effort here, but it’s a lot of work to maintain
d

DG

04/07/2020, 5:36 PM
Very good way of saying it & Thank you @seph @zwass @Stefano Bonicatti
5:37 PM
I have been just trying to tune the ingress, get data, and forward to Splunk to decide what to alert / dashboard later.
5:38 PM
I am going in with a mindset the query packs will get the info - but its true the agents have to be started in a way to get that info - so it might be a try for now - adjust for later as i discover the goal I am aiming for
s

seph

04/07/2020, 5:38 PM
The be honest, I think the packs are crap.
5:39 PM
https://github.com/osquery/foundation/issues/28 came out of office hours and a couple of big slack threads.
d

DG

04/07/2020, 5:39 PM
I have been downloading and adjust them from DFIR blogs, or do you mean out of box ones specificaly, or the nature of upstream aggregation?
s

seph

04/07/2020, 5:40 PM
All the public packs I’m aware of (and often even queries) are not very good. Sometimes out of date. Sometimes performance impacting. Sometimes useless….
5:40 PM
The idea of aggregation is great, tho.
d

DG

04/07/2020, 5:41 PM
ah ok - so use them if i need to but like you said - if i can classify my tasks and metrics, I should focus on what i know i want?
5:41 PM
Thanks for that github post it is insightful
s

seph

04/07/2020, 5:41 PM
The distributed packs? I’d avoid them unless you understand and know what a query is doing.
5:41 PM
I should focus on what i know i want
Yes, that
d

DG

04/07/2020, 5:42 PM
So is there a recommended reading point to start with?
s

seph

04/07/2020, 5:42 PM
I don’t have one. I’m sorry.
d

DG

04/07/2020, 5:42 PM
No worries, i appreciate it as you said, its broad and there is many directions, so I dont feel their is a specific source, but always worth asking
s

seph

04/07/2020, 5:43 PM
Totally.
defensivedepth

defensivedepth

04/07/2020, 7:15 PM
@DG Alot of my scheduled queries have come from specific visibility gaps I have in my environment - This blog post covers a recent one: https://defensivedepth.com/2019/12/16/detecting-internet-exposed-services-that-shouldnt-be/
d

DG

04/07/2020, 7:16 PM
Thank you i also referenced this in my building docs
7:16 PM
i know things changed but it hlped me piece the process together
defensivedepth

defensivedepth

04/07/2020, 7:17 PM
ah ya, I need to get that updated. Will put it on the docket for this week 🙂
d

DG

04/07/2020, 7:18 PM
Awsome since i am still using the old MSI method, have yet to find a cpack MSI