I recently watched this talk; my interest in OSquery started some years ago, as the premise is super cool: convert your system into a SQL database you can query with the usual SQL syntax. Want to know which processes are executing on a machine? Or how many users there are? Any intrusion detection rule you want to check? This integrates very well with standard data analytics tooling and processes, so it is a powerful way to gather data at scale for review, analysis and alerting.

OSquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive. Osquery doesn't care if you deploy on a virtual machine or in the cloud.

As such I was really interested in how OSquery is leveraged in the real world for security monitoring at scale. The talk presents how OSquery fits into a global-scale security effort, at both laptop and server level.

Challenge at scale: creating a security ecosystem where OSquery is a critical component. Every environment has different tools, sensors, logs and storage. Most tools have their own GUI and query language, but those need to play together with other elements. OSquery's use of SQL relates easily to other business flows that have analytics value. The goals:

- centralize the methodology for detection so that everyone can activate it without access to all machines and with a reduced skill-set (less to learn = more effective);
- enable other teams who need information without giving them access to security tools;
- eliminate the need to recreate detection logic for different tools;
- generalize security for our environment.

Highly rewarding!

OSquery on servers is managed by Puppet: queries are pushed through Puppet and logs are stored in AWS S3, then forwarded to Splunk. OSquery on laptops is managed using Chef, where logs are collected.

Taking a practice from Data Science, they started using Jupyter Notebooks, writing libraries that codified the logic. They have a centralized notebook server (sensitive information can be protected) and use GitHub repos (collaborative peer review). OSquery is cool but gets better when you can correlate other data.

The second part of the presentation is about how to detect meaningful events and reduce alert fatigue. They started building a baseline (average size of CLI commands) to detect anomalies: grab data in a timeframe and decorate it. Once you have a baseline, detecting anomalies is easier. They created a repo with classified attack stages (loosely based on the MITRE ATT&CK framework) and extended it to include custom detections. This allows providing a README as a mini-runbook for each specific detection group. They generalized the metadata for detections (independently from the system). Each rule is automatically deployed to a detection engine, so all rules are centralized in a single repo. They prefer JS-based rules (with fallback to SQL when that is not possible).
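The baseline idea from the second part of the talk, worked through on constructed data as an added example (this is not code from the talk or from the original post): compute the mean and standard deviation of command-line length over a time window of osquery `process_events` results, flag later events whose length exceeds mean plus k standard deviations, and decorate each hit with detection metadata. The log lines, host name, timestamps and the threshold factor `k` are assumptions made up for the example.

```python
"""Baseline and anomaly check over osquery-style process event logs.

Added example with constructed data. The rows mimic the JSON-per-line
shape of osquery's filesystem logger for a query such as
    SELECT pid, uid, path, cmdline FROM process_events;
"""
import json
import statistics


def _event(host: str, ts: int, pid: int, path: str, cmdline: str) -> str:
    """Build one constructed osquery result line (values are made up)."""
    return json.dumps({
        "name": "process_events",
        "hostIdentifier": host,
        "unixTime": ts,
        "action": "added",
        "columns": {"pid": str(pid), "uid": "1000", "path": path, "cmdline": cmdline},
    })


# Constructed sample: six ordinary commands, then one unusually long command line.
SAMPLE_LOG = "\n".join([
    _event("web-01", 1700000000, 4101, "/usr/bin/ls", "ls -la /var/www"),
    _event("web-01", 1700000010, 4102, "/usr/bin/git", "git status"),
    _event("web-01", 1700000020, 4103, "/bin/cat", "cat /etc/hosts"),
    _event("web-01", 1700000030, 4104, "/usr/bin/tail", "tail -n 50 /var/log/syslog"),
    _event("web-01", 1700000040, 4105, "/usr/bin/grep", "grep -i error /var/log/nginx/error.log"),
    _event("web-01", 1700000050, 4106, "/usr/bin/systemctl", "systemctl status nginx"),
    _event("web-01", 1700000060, 4107, "/bin/sh", "sh -c " + "x" * 200),  # constructed outlier
])


def parse_events(log_text: str, table: str = "process_events") -> list:
    """Parse JSON-per-line osquery output, keeping only rows for one table."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("name") == table:
            events.append(rec)
    return events


def build_baseline(events: list, start: int, end: int) -> tuple:
    """Baseline = (mean, population stdev) of cmdline length within [start, end]."""
    lengths = [len(e["columns"].get("cmdline", ""))
               for e in events if start <= e["unixTime"] <= end]
    if len(lengths) < 2:
        raise ValueError("need at least two events to build a baseline")
    return statistics.mean(lengths), statistics.pstdev(lengths)


def find_anomalies(events: list, baseline: tuple, k: float = 3.0) -> list:
    """Flag events whose cmdline length exceeds mean + k * stdev, decorated with metadata."""
    mean, sd = baseline
    threshold = mean + k * sd
    hits = []
    for e in events:
        cmd = e["columns"].get("cmdline", "")
        if len(cmd) > threshold:
            hits.append({
                "host": e["hostIdentifier"],
                "time": e["unixTime"],
                "pid": e["columns"]["pid"],
                "path": e["columns"]["path"],
                "cmdline_length": len(cmd),
                "threshold": round(threshold, 1),
                # Decoration: the detection name and stage a runbook README would be keyed on.
                "detection": "cmdline-length-outlier",
                "stage": "execution",
            })
    return hits


def run_example() -> list:
    """Baseline on the first minute of sample data, then scan everything."""
    events = parse_events(SAMPLE_LOG)
    baseline = build_baseline(events, 1700000000, 1700000050)
    return find_anomalies(events, baseline)


if __name__ == "__main__":
    for hit in run_example():
        print(json.dumps(hit))
```

The baseline window deliberately excludes the outlier; in practice the window would be a trailing period of known-good activity per host or per role, and the threshold factor would be tuned against the false-positive rate the team is willing to accept.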