This mode is extremely useful for detection use cases, when you are doing things like state detection (e.g., did a new process start since the last check?) or regular behavioral checks for specific indicators of compromise (are any of these network connections suspicious?). The downside is that you will need some other infrastructure and tooling to aggregate the output of these queries (e.g., take the osquery output from syslog and store it in ElasticSearch for analysis).

To get started, you should try the osqueryi tool. Running the osqueryi command line tool will bring you to a “REPL”-like prompt where you can begin to run your queries. Try typing osqueryi, then running select * from processes.

You can also type your query right after the osqueryi command to run it immediately and exit:

osqueryi "select * from processes limit 3"

Even if you decide to use the osqueryd infrastructure, the osqueryi command line tool is a useful way to test and play around with queries. Let’s get started running some queries that could be useful for a security team. Remember: some of these queries are designed for Linux, and others for OSX.
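The two detection patterns described above, state detection (what changed since the last check?) and an indicator check (which listeners are unexpected?), worked through as an added example that is not part of the original page or of the osquery project. It operates on results shaped like the JSON array that `osqueryi --json "<sql>"` prints; the process and listening-port snapshots are constructed sample data, the allowlist is an assumed one a security team would maintain, and the call into a real osqueryi binary only happens if one is on PATH, so the rest runs offline.

```python
"""Differential checks over osquery results (added example, not page code)."""
import json
import shutil
import subprocess

# Constructed sample: two runs of
#   select pid, name, path, cmdline from processes
# taken a few minutes apart on a Linux host (not captured from a real system).
SNAPSHOT_BEFORE = json.loads("""[
  {"pid": "1",    "name": "systemd", "path": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
  {"pid": "812",  "name": "sshd",    "path": "/usr/sbin/sshd",           "cmdline": "/usr/sbin/sshd -D"},
  {"pid": "1304", "name": "bash",    "path": "/usr/bin/bash",            "cmdline": "-bash"}
]""")
SNAPSHOT_AFTER = json.loads("""[
  {"pid": "1",    "name": "systemd", "path": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
  {"pid": "812",  "name": "sshd",    "path": "/usr/sbin/sshd",           "cmdline": "/usr/sbin/sshd -D"},
  {"pid": "2210", "name": "nc",      "path": "/usr/bin/nc",              "cmdline": "nc -l -p 4444"}
]""")

# Constructed sample of
#   select p.name, l.port, l.protocol from listening_ports l join processes p using (pid)
LISTENERS = json.loads("""[
  {"name": "sshd", "port": "22",   "protocol": "6"},
  {"name": "nc",   "port": "4444", "protocol": "6"}
]""")


def run_osqueryi(sql):
    """Run a query through the real osqueryi binary, if one is installed.

    osqueryi --json prints the result set as a JSON array of row objects.
    Returns None when osqueryi is not on PATH so the example still runs offline.
    """
    if shutil.which("osqueryi") is None:
        return None
    proc = subprocess.run(["osqueryi", "--json", sql],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def row_key(row, key_fields):
    """Identity of a row for comparison: a tuple of the chosen columns."""
    return tuple(row.get(f) for f in key_fields)


def diff_results(previous, current, key_fields):
    """State detection: which rows appeared or disappeared between two runs?

    This is the same idea as osqueryd's differential logging for a scheduled
    query: rows only in `current` are "added", rows only in `previous` are
    "removed". Rows are matched on the columns named in `key_fields`.
    """
    prev = {row_key(r, key_fields): r for r in previous}
    cur = {row_key(r, key_fields): r for r in current}
    added = [cur[k] for k in cur.keys() - prev.keys()]
    removed = [prev[k] for k in prev.keys() - cur.keys()]
    return added, removed


def unexpected_listeners(rows, allowed):
    """Indicator check: listening sockets whose (process name, port) pair is
    not in the allowlist `allowed` (a set of (name, port) tuples)."""
    return [r for r in rows if (r["name"], int(r["port"])) not in allowed]


if __name__ == "__main__":
    key = ("pid", "path", "cmdline")
    added, removed = diff_results(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, key)
    print("new processes since last check:", [r["cmdline"] for r in added])
    print("processes gone since last check:", [r["cmdline"] for r in removed])
    print("unexpected listeners:", unexpected_listeners(LISTENERS, {("sshd", 22)}))
    live = run_osqueryi("select pid, name, path, cmdline from processes limit 3")
    if live is not None:
        print("live rows from osqueryi:", len(live))
```

Matching rows on `(pid, path, cmdline)` rather than on `pid` alone means a PID reused by a different binary shows up as one removal and one addition instead of being silently treated as the same process; pick the key columns to match what you actually want to alert on.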