# Osquery server components

2/3/2024

It’s very common these days to want visibility into the technology assets or endpoints of a network, especially when security and their monitoring are a concern. This is because of the importance of the real-time view such visibility gives a company’s defensive security teams. The main problem is that we can’t always find low-cost tools to meet this need.

Fortunately, in mid-2014 Facebook released an open-source tool called Osquery that meets this need. It can be used for monitoring security anomalies, checking compliance and security policies, performance analysis, or even in the response to and analysis of a security incident.

Osquery is a tool that lets you monitor the operating system and many of its attributes and configurations in a different way. In essence, it makes it possible to understand the operating system a machine is running and what is happening on that machine. All of this happens through SQL queries, much like querying a database. This approach opens up a huge range of query possibilities that return valuable information about the system’s state. For example, with it you can monitor the integrity of files, socket connections, running processes, and much more.

In Osquery, tables correspond to a given set of data representing OS components and states, with the respective attributes of those objects as columns. Next, we see a query against the table “logged_in_users,” which represents the users ‘logged in’ to the operating system.

[Figure: Demo of a Query on ‘Logged On’ Users on Windows Operating System]

In the example shown above, you can see the result of a simple query that provides details of the users ‘logged in’ to the operating system in question. This is just the tip of the iceberg of what Osquery can do as a monitoring and anomaly detection tool. It may now be easier to see the tool’s potential and what we can build from its results. At a minimum, these can be used to enrich the logs in a SIEM and to build use cases. If it’s not quite clear yet, we will elaborate on these possibilities in the topics of monitoring and anomaly detection.

## Visibility and Monitoring

As mentioned at the beginning of this article, a common problem in organizations is low visibility of their endpoints. As a consequence, some teams don’t know exactly which endpoints are in their environment, the physical configuration of each of them, what programs are running, or whether operating system updates are kept up to date. Osquery can provide a very clear view, confirming the state of the endpoints as well as whether they are working properly. This visibility is critical not only for monitoring but also for making decisions when something is off track. In addition, visibility lets you better understand the environment in order to answer questions such as:

- Which KBs (Windows updates) are installed on the Windows endpoints?
- What is the hardware configuration of the endpoint?
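As an added example (not from the original post), these are the kinds of queries Osquery accepts for the use cases above, written for `osqueryi` or a scheduled query pack. Table and column names follow osquery's schema as documented by the project; `patches` exists only on Windows, and the file paths in the last query are constructed sample values.

```sql
-- Constructed osquery SQL examples; not part of the original post.
-- Table/column names follow osquery's schema; `patches` is Windows-only.

-- 1. The post's demo: who is logged in, and through what (tty/host),
--    oldest session first. osquery embeds SQLite, so datetime() is available.
SELECT type, user, tty, host, datetime(time, 'unixepoch') AS login_time, pid
FROM logged_in_users
ORDER BY time ASC;

-- 2. "What is the hardware configuration of the endpoint?"
SELECT hostname, hardware_vendor, hardware_model, hardware_serial,
       cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory
FROM system_info;

-- 3. "Which KBs are installed on the Windows endpoints?" (Windows only)
SELECT hotfix_id, description, installed_on, installed_by
FROM patches
ORDER BY installed_on DESC;

-- 4. Running processes that hold listening sockets, loopback excluded.
--    A process listening on an unexpected port is a typical detection use case
--    when the results are forwarded to a SIEM and compared against a baseline.
SELECT p.pid, p.name, p.path, lp.protocol, lp.address, lp.port
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- 5. File integrity: hashes of sensitive files to diff against a known-good baseline.
--    The hash table is virtual and requires a path (or directory) constraint;
--    the paths below are constructed sample values.
SELECT path, sha256
FROM hash
WHERE path IN ('/etc/passwd', '/etc/sudoers');
```

In a deployment these queries would be scheduled in `osqueryd` rather than run interactively, so that successive results can be compared to surface new logins, new KBs, new listeners, or changed hashes.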