

Osquery slack how to

Osquery for Security was aimed at people who are new to osquery, but this post will dive deeper into some of the more advanced and less known features that osquery has to offer. In addition to scheduling queries against aspects of your operating system, osquery has built-in functionality to monitor file integrity, audit network connections and processes, and even log hardware device changes in near real-time.

Osquery is most useful when you’ve planned out what data you want to be collecting ahead of time. As tempting as it can be to run tools in stock configurations, much more value will be derived from doing some homework around the data you collect and the potential alerts that can be built around that data. There is no such thing as a “one size fits all” osquery configuration - you need to see for yourself what data is available to query and make your own decisions about what to collect and how to respond to it.

Also consider how you plan on generating alerts based on the data you’re collecting. osquery doesn’t function like a traditional HIDS/IPS in the sense that those types of products generally fire “alerts” when something looks suspicious. You could write a “bash_reverse_shell” query and generate an alert any time that query returns a row, or you could just collect all process and socket information and write the reverse shell detection logic in Splunk/ELK/Graylog and do the detection and alerting there.
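The two ways of handling the reverse shell case described above, side by side, as an added example that is not code from the original post or from the osquery project: a narrow scheduled query whose every result row is already an alert, the config fragment that schedules it, and the same heuristic written as a small consumer of osquery's differential results log, which is what the logic looks like when it lives in the pipeline instead of in the query. The table and column names (`processes`, `process_open_sockets`, `remote_address`, `remote_port`) and the config keys (`schedule`, `query`, `interval`) are osquery's; the query text, the `SHELLS` set, the `NON_REMOTE` address list and the sample log lines are my own assumptions, and the sample log is constructed, not captured data.

```python
import json

# Option A: a narrow scheduled query. processes and process_open_sockets are
# real osquery tables; the WHERE clause is an assumed heuristic, not the post's.
BASH_REVERSE_SHELL_QUERY = """
SELECT p.pid, p.parent, p.name, p.path, p.cmdline, p.uid,
       s.remote_address, s.remote_port, s.local_port
FROM processes AS p
JOIN process_open_sockets AS s USING (pid)
WHERE p.name IN ('sh', 'bash', 'dash', 'zsh', 'ksh')
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
  AND s.remote_port != 0;
""".strip()


def build_schedule(interval: int = 10) -> dict:
    """osquery config fragment scheduling the query every `interval` seconds.

    With this query every emitted row is already an alert; the SIEM only
    forwards it. schedule/query/interval are real osquery config keys.
    """
    return {"schedule": {"bash_reverse_shell": {"query": BASH_REVERSE_SHELL_QUERY,
                                                "interval": interval}}}


# Option B: ship all process+socket rows with a broad query and apply the
# same heuristic downstream (Splunk/ELK/Graylog, or this consumer).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}           # assumed shell names
NON_REMOTE = {"", "0.0.0.0", "::", "127.0.0.1", "::1"}  # listeners, loopback, unix sockets


def is_reverse_shell(columns: dict) -> bool:
    """One result row: a shell process holding an established outbound socket."""
    if columns.get("name") not in SHELLS:
        return False
    if columns.get("remote_address", "") in NON_REMOTE:
        return False
    try:
        return int(columns.get("remote_port", 0)) != 0
    except ValueError:  # osquery emits columns as strings; guard bad data
        return False


def detect(result_log_lines) -> list:
    """Consume osquery's differential results log (one JSON object per line).

    Only action == "added" rows are new sightings; "removed" rows mean the
    process or socket went away. Malformed lines are skipped, not fatal.
    """
    alerts = []
    for line in result_log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("action") != "added":
            continue
        cols = event.get("columns", {})
        if is_reverse_shell(cols):
            alerts.append({"host": event.get("hostIdentifier"),
                           "pid": cols.get("pid"),
                           "cmdline": cols.get("cmdline"),
                           "remote": f"{cols.get('remote_address')}:{cols.get('remote_port')}"})
    return alerts


# Constructed sample of a differential results log (not real captured data).
SAMPLE_RESULTS_LOG = [
    json.dumps({"name": "process_sockets", "hostIdentifier": "web-01", "action": "added",
                "columns": {"pid": "4242", "name": "bash", "cmdline": "bash -i", "uid": "33",
                            "remote_address": "203.0.113.7", "remote_port": "4444"}}),
    json.dumps({"name": "process_sockets", "hostIdentifier": "web-01", "action": "added",
                "columns": {"pid": "913", "name": "sshd", "cmdline": "sshd: alice", "uid": "0",
                            "remote_address": "203.0.113.7", "remote_port": "51822"}}),
    json.dumps({"name": "process_sockets", "hostIdentifier": "web-01", "action": "added",
                "columns": {"pid": "777", "name": "bash", "cmdline": "bash", "uid": "1000",
                            "remote_address": "", "remote_port": "0"}}),
    json.dumps({"name": "process_sockets", "hostIdentifier": "web-01", "action": "removed",
                "columns": {"pid": "4242", "name": "bash", "cmdline": "bash -i", "uid": "33",
                            "remote_address": "203.0.113.7", "remote_port": "4444"}}),
    "{not json",
]

if __name__ == "__main__":
    print(json.dumps(build_schedule(), indent=2))
    for alert in detect(SAMPLE_RESULTS_LOG):
        print("ALERT reverse shell:", alert)
```

Two caveats a practitioner will hit: matching on process name only catches shells spawned under a shell name, so a `python3`/`perl`/`nc` reverse shell passes both versions unless the `SHELLS` set is widened or the logic keys on parent/cmdline instead; and because differential results emit an `added` row once when the process/socket first appears, a long-lived shell produces one alert, not one per interval, which is usually what you want but matters if you are counting events.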
