I saw some history of this in chats but nothing super recent

Question

I saw some history of this in chats but nothing super recent so will bring it up again Anyone successfully using OSQuery as part of meeting PCI lvl1 requirements Our environment is entirely linux and largely ephemeral so I figure FIM + tables such as listening sockets users processes snapshot and a few others being sent to SIEM + automated alerting should meet 11 5 `Change detection solutions such as file integrity monitoring FIM tools control changes additions and deletions of critical files and notify authorized personnel when these changes are detected ` Not so sure about 11 4 might need some work on our network level to meet that one thinking face Keen to hear peoples experience no sales pitches at this stage pls

seph · Answer

Kolide has customers doing SOC2 but that s not quite the same

seph · Answer

Some of this should be a conversation with your auditor You mention ephemeral and I assume VMs and in that context I d try to see if FIM can simply be excluded

seph · Answer

But generally speaking I think osquery can help meet a lot of the endpoint things but compliance is going to require a solid SIEM and audit trails What are you using there

seph · Answer

Generally I imagine people would help brainstorm specific requirements but it s a bit hard to speak for the whole standard

Daniel Cross · Answer

Thanks < seph> yeah so it s looking like a path of integrate threat intel + asset info + normal expected into SIEM and correlate We utilise logstash + opensearch as the core components of our SIEM OSQ logs out to journald which gets to opensearch Alerting upon FIM and various searches upon results from tables as a start

Daniel Cross · Answer

Totally agree too convo with auditor + specific requirements I m coming more from a position of the guy running the osq project while two teams over and one rung up people are conversing with auditors Trying to get ahead of things a bit