The following screenshot shows the list of queries that we created.įigure 11. We built a list of queries that we will be discussing in the sections below. Next, we’ll discuss how we can manage our osquery instances using Kolide Fleet to perform certain queries to inform our threat-hunting exercise. Kolide hosts manager dashboard with list-view online host The screenshot above shows a grid view of the online host, and the one below shows a list view of the online host.įigure 10. There are two main ways that we can list or have an overview of the available hosts. Kolide hosts manager dashboard with grid-view online host This is shown in the screenshot below:įigure 9.
Any asset in green means it has reached Kolide and is live. Once the application is served and the instance in which osquery has been installed has reached Kolide, it should appear online within the dashboard. Running osquery for the instance to come online We launched our osquery instance as shown below:įigure 8.
Osquery packs install#
See below:ĭo not forget to run your osquery, or else once inside the Fleet management console, your osquery install will appear offline. You should then be able to navigate to your fleet server either on localhost or using the server IP address if you have managed to set it up within your network of osquery hosts. This is a unique, randomly generated key that you will need to provide before the application can be served. Notice that for every instance that you serve the application, you will be required to provide a unique –auth_jwt_key. Traffic streaming from served application The output below shows traffic as the application is being run.įigure 6. Once the server is running, you should be able to see the following on your terminal where you started the server from. Generating the server.cert fileĪfter you are done with the above steps, you can now serve the application using the command shown below: The command and output are shown below:įigure 4. In this step we are generating the signed certificate. The command and output are shown below:įigure 3. In the step below, we generate a certificate signing request file. The command used and output is shown below:įigure 2. In this step, we are generating the private key to the certificate. Once complete, you should get a message reading “Migrations Completed.” We, however, need to generate some self-signed certificates by following the three steps given below: This can be done using the command “fleet prepare db” as shown below: Running the Fleetīefore you can run Kolide, you need to ensure that you have prepared the database. For instance, just like in SQL, osquery allows you to perform joins, limits and aggregates within your queries. The extensiveness of the queries that you can use depend on how conversant and comfortable you are using SQL. The web interface makes it very easy to use Kolide if you already understand SQL syntax and have interacted with osquery. The following are some of the things that you can be able to query: With Kolide, you can manage your fleet of osquery hosts more easily through a web interface. We can also create query packs and build schedules. Using Fleet, we can be able to query multiple hosts on-demand. Thank you for reading the second SecurityOnion article.Kolide Fleet is a flexible control server that can be used to manage osquery fleets. We will just edit the filename to calc.exe, nothing more :) Go to playbook, create a new play and load a sample sysmon play In this case we will build a new Sigma rule from scratch. Let’s check if the events collected by OsQuery will also trigger an playbook alarm. Those results can help us to track the machine state before it went offline. Searching with “pack_windows-pack” we found results of the queries that are running in an interval. Now, let’s wait a couple of minutes for logs to aggregate. SaveĪdd our host to the pack target, save and that’s all
Osquery packs windows#
Waay down below on the right, there’s an edit buttonĬhange the interval to 180 seconds, logging to differential and we want it only on windows hosts. Go to packs, select the preconfigured windows pack
Osquery packs Offline#
Those are bunches of queries ran at specified interval (and shipped to Elasticsearch) which allows us to see them even in a machine is offline in contrast to live queries working only on online machines. This is the time the packs are kicking in. This querry will show us (and ship to elasticsearch) all of the windows events matched from launcher.flags file to SecurityOnion.
0 kommentar(er)
