See the integrations quick start guides to get started:

- Quick start: Get logs, metrics, and uptime data into the Elastic Stack.
- Quick start: Get application traces into the Elastic Stack.

With this integration, you can centrally manage Osquery deployments to Elastic Agents in your Fleet and query host data through distributed SQL. This integration adds an Osquery UI in Kibana where you can:

- Run live queries for one or more agents.
- View a history of past queries and their results.
- Schedule queries to capture OS state changes over time.
- Save queries and build a library of queries for specific use cases.

Osquery results are stored in Elasticsearch, so that you can use the power of the stack to search, analyze, and visualize Osquery data.

## Documentation

For information about using Osquery, see the Osquery Kibana documentation. This includes information about required privileges; how to run, schedule, and save queries; how to map osquery fields to ECS; and other useful information about managing Osquery with this integration.

## Exported Fields

For a full list of fields that can be returned in osquery results, see the Exported Fields reference in the Kibana documentation.

Originally developed by Facebook, osquery is a well-supported and documented tool. It has straightforward installation steps for a variety of operating systems and Linux distributions. In this tutorial, we will focus on installation on Ubuntu from the official repository. If you are using Fedora or other Linux distros, the initial steps are well documented.

These steps can be used on Debian or Ubuntu based systems. They will add the apt repository to the system and install the package. The regular system level apt upgrade will upgrade the package as required in the future.

```
~$ sudo apt-key adv --keyserver hkp://:80 --recv-keys $OSQUERY_KEY
~$ sudo add-apt-repository 'deb deb main'
```

Following this installation, the /etc/osquery location will be created for configuration files, but these will not be populated at this stage.

## Interactive Shell for Immediate Testing (osqueryi)

Before doing any configuration, we can load the interactive shell to perform test queries. Using SQL queries (sqlite is the basis for the SQL syntax), we can query tables to gather information about the operating system. In the below query, we get a list of users (example has been snipped).

| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
|-----|-----|------------|------------|----------|-------------|-----------|-------|------|
| 1 | 1 | 1 | 1 | daemon | daemon | /usr/sbin | /usr/sbin/nologin | |
| 2 | 2 | 2 | 2 | bin | bin | /bin | /usr/sbin/nologin | |
| 998 | 100 | 998 | 100 | lxd | | /var/snap/lxd/common/lxd | /bin/false | |

Another example, this time with fields selected and a LIMIT:

```
osquery> select uid, username, directory from users LIMIT 5
```

Further queries that are useful when getting to know the available tables:

| Purpose | Query |
|---------|-------|
| Get operating system type, version and architecture | |
| | `SELECT hostname, cpu_brand, cpu_physical_cores, cpu_logical_cores, physical_memory FROM system_info` |
| | `SELECT * FROM deb_packages WHERE name LIKE 'python3%'` |
| Execute curl and report time / HTTP response code | `SELECT url, round_trip_time, response_code FROM curl WHERE url = ''` |
| | `SELECT md5 FROM hash WHERE path = '/etc/passwd'` |
| Show usb, hard drive changes and other hardware state changes | |
| Retrieve commands from the process event table that match a filter (audit events) | `SELECT * FROM process_events WHERE cmd_line LIKE 'nmap%'` |
| Show open socket / network connections, similar to netstat | |
| Retrieve certificate information using curl and dump JSON output to the shell | `osqueryi --json "SELECT * FROM curl_certificate WHERE hostname = ':443'"` |
| | `SELECT * FROM file WHERE path = '/etc/passwd'` |
| A well documented example to show a running process whose binary has been deleted from disk (common in malware) | `SELECT name, path, pid FROM processes WHERE on_disk = 0` |
| Gather information on running containers (docker) | `SELECT containers, containers_running, containers_paused, containers_stopped FROM docker_info` |
| | `SELECT pid, cmdline FROM docker_container_processes WHERE id = '$container_id'` |
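As an added example (not code from the tutorial or from the Elastic integration), the script below consumes the JSON that `osqueryi --json` emits for the deleted-binary query above and computes which rows appeared or disappeared between two runs, which is the differential view that scheduled queries give you. The sample rows are constructed, and the `run_osqueryi` helper is a hypothetical wrapper, not part of osquery.

```python
import json
import shutil
import subprocess

# Query from the tutorial: processes whose executable no longer exists on disk.
DELETED_BINARY_QUERY = "SELECT name, path, pid FROM processes WHERE on_disk = 0"

# Constructed samples of what `osqueryi --json` prints: a JSON array of row
# objects in which every column value is a string. The sshd row stands for a
# benign hit: after a package upgrade the running daemon still maps the old,
# now unlinked, binary, so it also matches on_disk = 0.
SAMPLE_BEFORE = '[{"name": "sshd", "path": "/usr/sbin/sshd", "pid": "812"}]'
SAMPLE_AFTER = ('[{"name": "sshd", "path": "/usr/sbin/sshd", "pid": "812"},'
                ' {"name": "updater", "path": "/tmp/updater", "pid": "4242"}]')


def parse_osquery_json(text):
    """Turn osqueryi --json output into a list of row dicts."""
    rows = json.loads(text)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("expected a JSON array of row objects")
    return rows


def run_osqueryi(sql, timeout=30):
    """Run a query through the locally installed osqueryi binary (hypothetical
    helper; needs the package installed as described in the tutorial)."""
    binary = shutil.which("osqueryi")
    if binary is None:
        raise FileNotFoundError("osqueryi is not on PATH")
    proc = subprocess.run([binary, "--json", sql], capture_output=True,
                          text=True, check=True, timeout=timeout)
    return parse_osquery_json(proc.stdout)


def diff_results(previous, current):
    """Differential view of two runs of the same query, like osqueryd's
    scheduled-query logs: rows that appeared and rows that disappeared.
    Rows are compared on all returned columns, so a new pid is a new row."""
    prev = {tuple(sorted(r.items())): r for r in previous}
    curr = {tuple(sorted(r.items())): r for r in current}
    return {
        "added": [curr[k] for k in curr if k not in prev],
        "removed": [prev[k] for k in prev if k not in curr],
    }


if __name__ == "__main__":
    before = parse_osquery_json(SAMPLE_BEFORE)
    after = parse_osquery_json(SAMPLE_AFTER)
    print(json.dumps(diff_results(before, after), indent=2))
```

Only the "added" rows need an analyst's attention; the long-lived sshd hit is suppressed because it is present in both snapshots.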