hello everyone some have experience with osquery integration osquery #general

Join Slack

hello everyone, some have experience with osquery ...

# general

sebasveloso

09/24/2018, 3:33 PM

hello everyone, some have experience with osquery integration towards alienvault ossim (opensource, no-USM) ?

stefanmaerz

09/24/2018, 3:55 PM

you might have more responses if you describe what you've done/what you need.

stefanmaerz

09/24/2018, 3:55 PM

I have not used ossim. However I did get data into Splunk using the Splunk forwarder in conjunction with Fleet.

sebasveloso

09/24/2018, 5:45 PM

thanks for you response @stefanmaerz

sebasveloso

09/24/2018, 5:48 PM

I basically need to establish a transition from OSSEC to osquery. but ossim by default does not have a plugin

sebasveloso

09/24/2018, 5:49 PM

only USM (paid version) Alienvault ..

sebasveloso

09/24/2018, 8:20 PM

any ideas? @stefanmaerz

sebasveloso

09/24/2018, 8:20 PM

hehe

stefanmaerz

09/25/2018, 12:40 PM

Well. I know nothing about the ossim plugin. presumably it provides some means of ingesting a log file. So i suppose you could either: use that functionality on each osquery endpoint or aggregate the logs in a central place via syslog or fleet, then use that functionaly to ingest the log file.

stefanmaerz

09/25/2018, 12:47 PM

The other issue you might encounter is if the ossim plugin does any magic like text parsing or correlation or whatever. Osquery outputs JSON, which should be easy for a SIEM to parse

👍 1

sebasveloso

09/25/2018, 1:08 PM

thanks bro! @stefanmaerz

sebasveloso

09/25/2018, 1:09 PM

https://www.alienvault.com/blogs/security-essentials/using-custom-functions-in-usm-and-ossim-for-additional-parsing-of-log-data?utm_internal=forum

sebasveloso

09/25/2018, 1:09 PM

algo asi puede servir 😃

6 Views

Open in Slack

Previous Next