How to identify threats if you have no logs (introducing OSQuery & Fleet)

Science & Technology

It’s inevitable that security logs will have gaps - either due to benign system errors, or due to attackers intentionally disabling logging to help cover their tracks. So what can we do to plug the holes in our visibility left by imperfect logging? In this video we’ll be exploring how to use OSQuery to make point-in-time assessments of key security properties, without having to depend on logs.
References:
OSQuery schema explorer: osquery.io/schema
OSQuery documentation: osquery.readthedocs.io
Timecodes:
0:00 Introduction
0:43 Events vs. Queries
2:43 A simple query
3:23 Searching for specific IOCs
4:11 Custom queries and joining tables
5:07 Setup: Server
5:29 Setup: OSQuery agents on Windows
6:04 Setup: OSQuery agents via GPO
6:30 Setup: OSQuery agents on Linux
7:01 Some useful OSQuery tables
7:55 Final thoughts
Credits:
Intro/Outro Music: Render - Prism [Creati... (via Argofox)
Diagram icons designed by OpenMoji (openmoji.org/) CC BY-SA 4.0
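The "Searching for specific IOCs" and "Custom queries and joining tables" segments above are about asking a host a question right now rather than waiting for a log line. The two osquery SQL queries below are an added example (not taken from the video): the first joins the real osquery tables `processes`, `listening_ports`, `users` and `hash` to list every listening process with its owner and the SHA-256 of its binary; the second checks running processes against a list of known-bad hashes. The `<IOC_SHA256_...>` values are placeholders to be replaced with your own indicators.

```sql
-- Query 1: point-in-time view of network listeners.
-- Who is listening, on which port, under which account, and what binary is
-- behind it? Joining the hash table on the process path makes osquery compute
-- the SHA-256 of each executable on the fly (no log required).
SELECT
    p.pid,
    p.name,
    p.path,
    u.username,
    lp.port,
    lp.protocol,        -- 6 = TCP, 17 = UDP
    lp.address,
    h.sha256
FROM processes p
JOIN listening_ports lp ON lp.pid = p.pid
LEFT JOIN users u       ON u.uid = p.uid
LEFT JOIN hash h        ON h.path = p.path
WHERE lp.port != 0      -- skip unbound sockets
ORDER BY lp.port;

-- Query 2: hash-based IOC sweep over running processes.
-- Replace the placeholders with real indicators from your threat intel.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    h.sha256
FROM processes p
JOIN hash h ON h.path = p.path
WHERE h.sha256 IN (
    '<IOC_SHA256_1>',   -- placeholder
    '<IOC_SHA256_2>'    -- placeholder
);
```

Both queries run unchanged in an interactive `osqueryi` session or as a saved query in Fleet; scheduling them in Fleet turns the one-off check into a recurring sweep across every enrolled host.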

Comments: 13

  • @zachwass2000
@zachwass2000 1 year ago

    Love seeing osquery and Fleet on here!

  • @Manavetri
@Manavetri 1 year ago

    Really smooth, calm and clean video as always. Keep going.

  • @dexterflodstrom9975
@dexterflodstrom9975 1 year ago

This is by far one of the best infosec channels I've found! I love that you show not only how to exploit things, but detecting them and defending too. Everything is so clear, and easy to follow along with and understand. Please do keep making videos when you can! These are so valuable to the community.

  • @nilbatteysannata1982
@nilbatteysannata1982 2 years ago

    This channel is underrated! Keep up the great work.

  • @amirhwytb3561
@amirhwytb3561 2 years ago

    You're the best, thanks!

  • @Dips_M
@Dips_M 2 years ago

    Excellent video as always

  • @KBTech2
@KBTech2 2 years ago

You're doing a great job, thanks

  • @samirshaikh6494
@samirshaikh6494 2 years ago

Amazing content on this channel. Thank you Andy. This channel needs more subscribers

  • @trungucpham6074
@trungucpham6074 2 years ago

    Great content as always, 👏👏👏

  • @SonNguyen-uf2wp
    @SonNguyen-uf2wp 2 years ago

    I thought I was the only Vietnamese person watching this channel :))

  • @moa616
@moa616 2 years ago

    Amazing channel!! We need more like this. Thank You.

  • @whiterose_egy
@whiterose_egy 1 year ago

What if the attacker disables the osquery agent?
