
Conversation

@w0rk3r (Contributor) commented Jul 6, 2022

What does this PR do?

Adds DFIR-related saved queries to the OSQuery manager integration

@w0rk3r w0rk3r added Team:Asset Mgt Security Assets Management team [elastic/security-asset-management] >enhancement v8.4.0 labels Jul 6, 2022
@w0rk3r w0rk3r self-assigned this Jul 6, 2022
@elasticmachine commented Jul 6, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-08-12T13:56:43.443+0000

  • Duration: 13 min 25 sec

Test stats 🧪

  • Failed: 0
  • Passed: 15
  • Skipped: 0
  • Total: 15


@tomsonpl (Contributor) left a review comment:

Left one comment, besides that - LGTM from Asset management :)

@melissaburpo (Contributor) left a review comment:

I just had one small suggested change to update the id.

Also, a question: should we add ECS mappings for any fields returned in the results? I tried testing the query to see what the results look like, but I wasn't able to run it successfully - I suspect that's because in its current form the query has some extra formatting for the json version of the saved object.

@w0rk3r (Contributor, Author) commented Jul 25, 2022

@melissaburpo did it return any error? Because it will return null if no exceptions exist.

Screenshot of the result on my Windows Server: (screenshot)

@melissaburpo (Contributor) commented

The issue was that I tried to copy/paste the query directly from the PR to try running it, so it had some syntax issues (like the \nr characters).

Thanks for sharing the screenshot though, that helps! Looking at the results, I don't think there are any ECS mappings needed for the defender_exclusions query, so that helps to answer that question. Appreciate it!

@w0rk3r w0rk3r marked this pull request as ready for review August 9, 2022 21:14
@w0rk3r w0rk3r requested a review from a team as a code owner August 9, 2022 21:14
@w0rk3r w0rk3r requested a review from tomsonpl August 9, 2022 21:14
@w0rk3r (Contributor, Author) commented Aug 10, 2022

Here are a few screenshots of the queries returning the desired results:

  • defender_exclusions_windows_elastic (screenshot)
  • posh_logging_windows_elastic (screenshot)
  • unsigned_services_vt_windows_elastic (screenshot)
  • unsigned_processes_vt_windows_elastic (screenshot)
  • unsigned_startup_items_vt_windows_elastic (screenshot)
  • unsigned_dlls_on_system_folders_vt_windows_elastic (screenshot)
  • winbaseobj_mutex_search_windows_elastic (screenshot)
  • executables_or_drivers_in_temp_folder_vt_windows_elastic (screenshot)
  • wdigest_uselogoncredential_windows_elastic (screenshot)

Let me know if I can help with anything around these ;)
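The thread above only shows the saved-query names and screenshots, so the query text itself is not on this page. As an added example that is not the PR's own code, here is how two of the listed checks (defender_exclusions and wdigest_uselogoncredential) can be expressed against osquery's registry table. Assumptions: the standard Windows registry locations for Defender exclusions and the WDigest provider, and the osquery `registry` table schema (`key`, `path`, `name`, `type`, `data`, `mtime`), which requires a constraint on `key` or `path`.

```sql
-- Added example (not the queries shipped by this PR).
-- Query 1: Windows Defender exclusions.
-- Each exclusion is stored as a value NAME under a subkey such as
-- Exclusions\Paths, Exclusions\Processes or Exclusions\Extensions,
-- so the excluded item is in `name`, not `data` (data is usually DWORD 0).
-- Both the local config key and the Group Policy key are covered.
-- Assumption: a single '%' matches one key level in osquery's registry LIKE,
-- which is exactly the Paths/Processes/Extensions subkeys we want.
SELECT
  key,
  name AS excluded_item,
  data,
  datetime(mtime, 'unixepoch') AS key_modified_utc
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\%'
   OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\%';

-- Query 2: WDigest UseLogonCredential.
-- On patched systems the value is normally absent, which means cleartext
-- credential caching in LSASS is off; a present value of 1 re-enables it
-- and is a common post-exploitation tamper. An empty result therefore
-- means "not set", which is the benign case, the same "null when nothing
-- is configured" behaviour discussed for the exclusions query above.
SELECT
  key,
  name,
  data,
  CASE WHEN data = '1' THEN 'cleartext caching ENABLED' ELSE 'not enabled' END AS assessment,
  datetime(mtime, 'unixepoch') AS key_modified_utc
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
  AND name = 'UseLogonCredential';
```

When these run as scheduled osquery queries, a detection rule should alert on any row from the second query whose `data` is `1`, and on new rows appearing in the first query compared with the previous snapshot (osquery's differential logging does this for you); an empty result set from either query is the expected baseline, not an error.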

@elasticmachine commented

🌐 Coverage report

  Name          Metrics % (covered/total)   Diff
  Packages      100.0% (0/0) 💚
  Files         100.0% (0/0) 💚             2.857
  Classes       100.0% (0/0) 💚             2.857
  Methods       33.333% (1/3) 👎            -55.881
  Lines         100.0% (0/0) 💚             9.347
  Conditionals  100.0% (0/0) 💚

@w0rk3r w0rk3r requested a review from tomsonpl August 15, 2022 19:12
@tomsonpl (Contributor) left a review comment:

LGTM

@tomsonpl (Contributor) commented Aug 16, 2022

@w0rk3r I think you can merge it. Let's then test the integration on staging before going on production :)
Great work! Thanks for adding more saved queries 🥇

@w0rk3r w0rk3r merged commit 87394c4 into main Aug 16, 2022
@tomsonpl (Contributor) commented

https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fintegrations/detail/main/1201/pipeline/ this is a job triggered from this PR. Let's see what happens next 🤞
