> I've even tried auto-generating a query to filter against the current non-evented win process events table
@defensivedepth that looks really cool! Did you manage to translate all the sysmon filtering primitives to SQL?
We can either go this way and provide a tool to convert sysmon configuration into SQL sentences so they can be used on osquery, OR we can think of supporting a common filtering language through configuration.
I explored the idea of building an open-source drop-in replacement of sysmon in the past (sysmonx), where I implemented all of the sysmon filtering primitives. Most of these primitives were already provided by boost (see here and here for examples), so mimicking sysmon filtering shouldn't be complicated.
Another filtering language to consider would be the Event Query Language (EQL) from Elastic. This filtering/threat-hunting language gained a lot of adoption in the security space as it was designed for security use cases. The EQL syntax reference is here.
One significant difference between these two filtering languages is that Sysmon filtering allows you to filter atomic events, and EQL allows you to express relationships between events. This is key if you want to capture suspicious behaviors rather than isolated events. An example of suspicious behavior would be winword.exe launching cmd.exe, and that cmd.exe instance later running whoami.exe.
If we see that filtering through configuration is something we would like to support, I think it will be important to have a standard filtering mechanism that can be used across all of the evented tables.
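As an added illustration of the two approaches discussed in this thread (this is example code written for this page, not code from osquery, sysmonx or any commenter), the block below translates Sysmon-style filter primitives (`is`, `contains`, `begin with`, `end with`, `image`, ...) into a parameterized SQL `WHERE` clause and runs it over a constructed, in-memory table shaped like osquery's `process_events` (`pid`, `parent`, `path`, `cmdline` are the only columns assumed). It then shows the relationship-style check that atomic filtering cannot express: walking parent links to find the winword.exe -> cmd.exe -> whoami.exe chain. Config values are always bound as parameters and `LIKE` metacharacters are escaped, so a rule value such as `100%` matches literally instead of becoming a wildcard.

```python
import sqlite3

# Constructed sample rows in the shape of osquery's process_events table
# (pid, parent, path, cmdline). Made-up values, not real telemetry.
SAMPLE_EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "winword.exe /n"),
    (300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (400, 300, r"C:\Windows\System32\whoami.exe", "whoami"),
    (500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (600, 500, r"C:\Windows\System32\whoami.exe", "whoami"),
    (700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo 100%"),
]

# Column names cannot be bound as parameters, so they are whitelisted instead.
ALLOWED_FIELDS = {"pid", "parent", "path", "cmdline"}


def _like_escape(value: str) -> str:
    """Escape LIKE metacharacters so a config value is matched literally (ESCAPE '\\')."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


# Sysmon 'condition' attribute values -> (SQL fragment, bound parameters).
# SQLite LIKE is case-insensitive for ASCII, matching Sysmon's case-insensitive rules;
# '=' gets COLLATE NOCASE for the same reason.
SYSMON_CONDITIONS = {
    "is":         lambda col, v: (f"{col} = ? COLLATE NOCASE", [v]),
    "is not":     lambda col, v: (f"{col} <> ? COLLATE NOCASE", [v]),
    "contains":   lambda col, v: (f"{col} LIKE ? ESCAPE '\\'", [f"%{_like_escape(v)}%"]),
    "excludes":   lambda col, v: (f"{col} NOT LIKE ? ESCAPE '\\'", [f"%{_like_escape(v)}%"]),
    "begin with": lambda col, v: (f"{col} LIKE ? ESCAPE '\\'", [f"{_like_escape(v)}%"]),
    "end with":   lambda col, v: (f"{col} LIKE ? ESCAPE '\\'", [f"%{_like_escape(v)}"]),
    # 'image' matches either the full path or the bare image name after the last backslash.
    "image":      lambda col, v: (f"({col} = ? COLLATE NOCASE OR {col} LIKE ? ESCAPE '\\')",
                                  [v, "%" + _like_escape("\\" + v)]),
}


def sysmon_rule_to_sql(rules, match="and"):
    """Translate [(field, condition, value), ...] into a parameterized WHERE clause.
    'match' mirrors Sysmon's groupRelation ("and" / "or")."""
    fragments, params = [], []
    for field, condition, value in rules:
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unsupported field: {field}")
        build = SYSMON_CONDITIONS.get(condition)
        if build is None:
            raise ValueError(f"unsupported condition: {condition}")
        fragment, bound = build(field, value)
        fragments.append(fragment)
        params.extend(bound)
    joiner = " AND " if match.lower() == "and" else " OR "
    return "(" + joiner.join(fragments) + ")", params


def _open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process_events (pid INTEGER, parent INTEGER, path TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def match_pids(rules, match="and"):
    """Atomic filtering: run the translated rule and return the matching pids, sorted."""
    where, params = sysmon_rule_to_sql(rules, match)
    conn = _open_sample_db()
    rows = conn.execute(f"SELECT pid FROM process_events WHERE {where} ORDER BY pid", params)
    return [r[0] for r in rows.fetchall()]


def find_sequence(images):
    """Relationship filtering in the EQL spirit: return (pid, ...) chains, oldest first, where
    each process's path ends with images[i] and its parent matched images[i-1]."""
    conn = _open_sample_db()
    by_pid = {pid: (parent, path) for pid, parent, path in
              conn.execute("SELECT pid, parent, path FROM process_events")}
    chains = []
    for pid, (parent, path) in by_pid.items():
        if not path.lower().endswith(images[-1].lower()):
            continue
        chain, ok = [pid], True
        for image in reversed(images[:-1]):        # one ancestor per remaining image
            if parent not in by_pid or not by_pid[parent][1].lower().endswith(image.lower()):
                ok = False
                break
            chain.append(parent)
            parent = by_pid[parent][0]
        if ok:
            chains.append(tuple(reversed(chain)))
    return sorted(chains)


if __name__ == "__main__":
    print(sysmon_rule_to_sql([("path", "end with", "cmd.exe"), ("cmdline", "contains", "whoami")]))
    print(match_pids([("path", "image", "cmd.exe")]))
    print(find_sequence(["winword.exe", "cmd.exe", "whoami.exe"]))
```

The second cmd.exe -> whoami.exe pair (pids 500/600) is launched from explorer.exe and is correctly left out of the sequence result, while an atomic `image` rule on cmd.exe returns all three cmd.exe instances; that gap is the relationship-versus-atomic distinction raised in the comment above.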