Title
#fleet
t

Tudor

08/19/2021, 12:44 AM
Hi all, I'm wondering if anyone might know/ or have any working use cases/ queries that would send these events to our SIEM when monitoring an endpoint using Fleetdm 1. Successful log on attempts 2. Failed log on attempts 3. When an application is opened/ run on Mac, Windows, or Linux 4. When installing/ updating a new application 5. Taking a screenshot of confidential doc/ powerpoint/ material (log entry could include document title, document metadata, endpoint/ user info, stored location)
Mystery Incorporated

Mystery Incorporated

08/19/2021, 4:48 AM
yea I'm doing a bunch of these with osquery queries
4:49 AM
look up how to read the Windows Event log for e.g. and then just query for the event codes you want like 4625 for invalid login
puffycid

puffycid

08/19/2021, 11:22 PM
I haven't used osquery/fleetdm for monitoring before but some ideas you could try (for monitoring/investigating): 1. Logs would probably be best, either
windows_eventlog
or
windows_events
. Linux would likely use
syslog_events
. macOS probably unified access logs (ual)? (https://github.com/osquery/osquery/pull/7259) 2. Same as above, logs would likely be the best way to get this info 3. For monitoring/investigating executed programs u could try: • Linux perhaps:
bash_history
,
process_events
, and
syslog_events
. • macOS perhaps:
bash_history
,
process_events
, and ual • Windows perhaps:
shimcache
,
userassist
,
prefetch
,
background_activities_moderator
,
windows_eventlog
4. This one may be a little tricky to monitor but some ideas: • macOS:
apps
,
homebrew_packages
,
package_install_history
, maybe UAL?, maybe
bash_history
? • Linux:
deb_packages
,
rpm_packages
,maybe
syslog_events
?, maybe
bash_history
? • Windows:
programs
,
registry
, maybe
windows_eventlog
? 5. This one is a little difficult, im not aware of anyway to monitor when a screenshot is taken. But some ideas if want to monitor important files or investigate if a file was opened: Windows: ◦
office_mru
will show office documents that are opened by a user ◦
shellbags
will show directories accessed by a user, ◦
shortcuts
will show files accessed, ◦ maybe (hopefully) in the future
jumplists
(https://github.com/osquery/osquery/pull/7260) will show files accessed, ◦ browser history on windows systems will also sometimes record files that are opened, but browser history is not supported on osquery u could also try file monitoring on windows for screenshots (ex: "screenshot_%") but that will probably be noisy u could also try querying for installed 3rd part screenshot utilities hope this helps a bit