Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
alessandrogario
05/03/2020, 11:07 AMbut I'm not sure how it would look like to fetch data from a file
s
SK
05/03/2020, 11:18 AMHey @alessandrogario thanks for your response. With this commit will there be a possibility to input a file? To run the queries on?
And just saw https://github.com/osquery/osquery/commit/b8a1c68afd2678988fc311c7a4e692f90d111bec, will this mean that the windows_events table will parse the data returned correctly and make it possible to like make smarter queries based on the data in the event?
a
alessandrogario
05/03/2020, 1:25 PMThere is no support for receiving data from files, but this PR can make it possible if a good interface is found
I don't know how this interface would look like, but it's something like
osqueryi --publisher_data=somethingThis is just a silly example, I think that in order to get this kind of usage approved, the interface should be generic enough so that it can be applied to all publishers
Does it make sense to implement it, given that it would only work for event-based tables and everything else (such a
processesusersA design, documented in a blueprint issue, should be proposed so that people can discuss about it
s
SK
05/03/2020, 1:52 PMThe use case would be to be able to replay attacks to improve detection based on Windows events. But you are right the use case is not that generic. Maybe I need to find a way to re-ingest the data in the Windows Events logs.
a
alessandrogario
05/03/2020, 1:57 PMThe proper way to make this work is to have osquery work on a memory dump, so that non-evented tables will take data from there
while evented tables replay pre-recorded data
this is not easy to implement though
s
SK
05/03/2020, 2:42 PMYes might be an interesting approach, but will try to get a way to replay evtx files in a VM see what can be done that way.
Is my assumption correct in this? https://osquery.slack.com/archives/C0FHNQ2N6/p1588504795114900?thread_ts=1588504070.114600&cid=C0FHNQ2N6