The fragments below are an osquery configuration example (a JSON file in which `//` comments are permitted) whose sections were scraped out of order; they are reassembled here into the order of the file. Comment lines that the page cuts off, and the truncated pack file names (`nf`), are kept as they appear on the page.

```json
{
  "options": {
    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir

    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // If a logging plugin is selected it will still write query results.

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run at smaller or similar intervals.

    // A filesystem path for disk-based backing storage used for events and
    "database_path": "/var/osquery/osquery.db"

    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.

    // Comma-delimited list of table names to be enabled.
    // This allows osquery to be launched with certain tables only.
  },

  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 3600
    }
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // Homebrew: /usr/local/share/osquery/packs
  "packs": {
    // "osquery-monitoring": "/var/osquery/packs/nf",
    // "incident-response": "/usr/share/osquery/packs/nf",
    // "it-compliance": "/usr/share/osquery/packs/nf",
    // "osx-attacks": "/usr/share/osquery/packs/nf",
    // "vuln-management": "/usr/share/osquery/packs/nf",
    // "hardware-monitoring": "/usr/share/osquery/packs/nf",
    // "ossec-rootkit": "/usr/share/osquery/packs/nf",
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\nf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\nf"
  }

  // Provides feature vectors for osquery to leverage in simple statistical
  // Currently this configuration is only used by Windows in the Powershell
  // Events table, wherein character_frequencies is a list of doubles
  // representing the aggregate occurrence of character values in Powershell
}
```

The page also lists four further scheduled queries from a Docker performance test configuration; their schedule names and intervals are not preserved, and two of the `cmdline` filters are cut off on the page:

```json
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='docker run -name redis-docker-performance-testing-1 -d docker-testing:1'",
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='docker build -t docker-testing:1.",
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='tar -zcvf garbage'",
"query": "select pid, cmdline, user_time, system_time, total_size, disk_bytes_read, disk_bytes_written from processes where cmdline='sh.
```
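The comments above warn about two operational problems: many queries on the same or very short intervals hitting the host at once (which splay is meant to spread out), and `disable_logging` silencing status logs while scheduled results still flow to the logger plugin. The script below is an added example, not osquery's own code and not from the original page: it reads a commented `osquery.conf` the way osquery does (comments stripped, then JSON), and lints the schedule and options for those problems. The sample config is constructed for the example, `MIN_INTERVAL` is an assumed local policy rather than an osquery limit, and `splay_range` models splay as a window of plus or minus the configured percent around the interval.

```python
"""Lint an osquery.conf: strip // and /* */ comments, parse the JSON, then
check the schedule and options for tight or identical intervals and for
disabled status logging."""
import json
import re

# Constructed sample config for this example; it is not osquery's shipped file.
SAMPLE_CONF = r'''
{
  "options": {
    "logger_path": "/var/log/osquery",   // status logs (and results for the filesystem logger)
    "disable_logging": "true",           // status logs off; results still reach the logger plugin
    "schedule_splay_percent": "0",       // no jitter: identical intervals fire together
    "database_path": "/var/osquery/osquery.db",
    "disable_tables": "curl,carves"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    },
    "listening": {
      "query": "SELECT pid, port, address FROM listening_ports;",
      "interval": 3600
    },
    "all_procs": {
      "query": "SELECT pid, name, cmdline FROM processes;",
      "interval": 5
    },
    "broken": { "query": "" }
  },
  "decorators": {
    "load": ["SELECT uuid AS host_uuid FROM system_info;"]
  }
}
'''

# Policy floor assumed for this linter; osquery itself imposes no such minimum.
MIN_INTERVAL = 60

# String literals are matched first so a "//" inside a value is never a comment.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def strip_comments(text):
    """Remove // and /* */ comments while leaving string literals untouched."""
    return _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def load_conf(text):
    """Parse a commented osquery.conf into a dict."""
    return json.loads(strip_comments(text))


def splay_range(interval, splay_percent):
    """Window an interval lands in when jittered by +/- splay_percent (this
    example's model of splay; a percent outside 1..100 means no splay)."""
    if splay_percent <= 0 or splay_percent > 100:
        return (interval, interval)
    delta = int(interval * splay_percent / 100)
    return (interval - delta, interval + delta)


def lint(conf):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    options = conf.get("options", {})
    splay = int(options.get("schedule_splay_percent", 0))
    by_interval = {}

    for name, entry in conf.get("schedule", {}).items():
        query = entry.get("query")
        interval = entry.get("interval")
        if not isinstance(query, str) or not query.strip():
            findings.append(f"{name}: missing or empty 'query'")
        if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
            findings.append(f"{name}: 'interval' must be a positive integer")
            continue
        if interval < MIN_INTERVAL:
            findings.append(f"{name}: interval {interval}s is below the {MIN_INTERVAL}s floor")
        by_interval.setdefault(interval, []).append(name)

    # Queries on the same interval with no splay all run in the same tick.
    for interval, names in sorted(by_interval.items()):
        if len(names) > 1 and splay == 0:
            findings.append(f"{len(names)} queries share a {interval}s interval with no splay: "
                            + ", ".join(sorted(names)))

    if str(options.get("disable_logging", "false")).lower() == "true":
        findings.append("disable_logging=true: status logs suppressed; "
                        "scheduled results still go to the logger plugin")
    return findings


if __name__ == "__main__":
    for finding in lint(load_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it reports the 5-second query, the entry with an empty query and no interval, the two queries sharing a 3600-second interval with splay at 0, and the `disable_logging` setting; setting `schedule_splay_percent` to `10` clears the shared-interval finding, and `splay_range(3600, 10)` shows why: each run of those queries lands somewhere between 3240 and 3960 seconds rather than on the same tick.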