Brandon Mesa

07/21/2022, 3:35 PM
Howdy, anyone tackled monitoring SSH-based activity with osquery on macOS? In particular I'm looking to identify SFTP/SCP/SMB activity. es_process_creation has some process-based stuff which highlights good src/dst info; curious if anyone else has taken a different approach?


07/21/2022, 4:40 PM
Can you expand a bit on what you are looking for? More socket like things?

Brandon Mesa

07/21/2022, 5:20 PM
At a high level, I think the goal is to audit user activity for instances where file sharing services such as NFS, SMB, (S)FTP, SCP are used on macOS endpoints to accomplish data movement.