
Query osquery on another machine
A production server that doesn't normally communicate over the internet is exhibiting suspicious characteristics. It's sending out weird bursts of network traffic to an external host you don't know anything about. The traffic is encrypted, so network data won't be helpful. You have to rely exclusively on host-based evidence to figure out what's happening.

Would you be 100% certain about your determination? Would you be able to do it quickly? Would you be able to come to a conclusion about whether an attack has occurred? If you answered no to any of those, then you aren't alone. The truth is, investigating things on the host is overwhelming. There are so many places to look: the registry, prefetch, disk artifacts, operating system logs... the list goes on.

The problem isn't just the number of rabbit holes, it's that each one requires a different tool to access and parse the data. A question as simple as "Did the malware execute after it was downloaded?" might require a combination of a dozen complicated and unmaintained open source tools or a pricey commercial solution. Osquery is a free endpoint visibility tool originally developed by Facebook.

Osquery sees every endpoint device on your network as a database. This provides three benefits to security analysts.

Benefit #1: Simple questions, simple answers. Seeing a system like a database means you can ask questions in the form of database queries. Common evidence locations exist as tables that you can explore using SQL. The beauty is that these tables and the query language are mostly consistent across all your hosts.
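The question above, "Did the malware execute after it was downloaded?", written as one osquery query (an added example, not code from the original post): it joins the running-process list against the file metadata and hash of each process's binary. The sha256 value is a placeholder to replace with the indicator from your own case, and the file table's mtime is used as the "arrived on disk" time because btime is not populated on every platform.

```sql
-- Added example: answer "did the downloaded file execute?" from osquery.
-- Assumptions: standard osquery 'processes', 'file', 'hash' and 'users'
-- tables; the sha256 below is a PLACEHOLDER, not a real indicator.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  -- when the process started (Unix epoch -> readable timestamp)
  datetime(p.start_time, 'unixepoch') AS started_at,
  -- when the binary was last written to disk (the "download" moment)
  datetime(f.mtime, 'unixepoch')      AS file_written_at,
  h.sha256,
  -- 0 means the binary was deleted after launch, a common evasion sign
  p.on_disk
FROM processes AS p
-- the join on path passes each process's binary path as the required
-- constraint for the file and hash tables
JOIN file AS f ON f.path = p.path
JOIN hash AS h ON h.path = p.path
LEFT JOIN users AS u ON u.uid = p.uid
WHERE
  -- match the known-bad hash from the investigation (placeholder)
  h.sha256 = 'PLACEHOLDER_SHA256_FROM_YOUR_CASE'
  -- and only report processes that started after the file landed
  AND p.start_time > f.mtime
ORDER BY p.start_time;
```

Because the tables and SQL dialect are the same across hosts, the identical query can be run on any endpoint with `osqueryi --json` or scheduled in an osqueryd query pack; an empty result means no running process matches that hash, not that the file never ran, so pair it with the file table alone to confirm the artifact is present.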
