Osquery vs auditd
5/30/2023

Gist is posted at (github login required)

Ryan was the first security employee at Slack. He is doing an experiment where red slides means don't take pictures or tweet about the slide.

- Don't want to find out from Brian Krebs that you've been breached.
- Don't want hackers to tell you something strange is going on. They are done at that point and are showing off.
- Credential theft is biggest/one of the biggest.
- Goal – watch as many things as possible, but don't be a dashboard. Want as little as possible on the dashboard. If it is mostly empty, things will get noticed when they are there.
- Bad model – NetCool – train people to acknowledge all alerts and they miss things because bad habit.
- The defender's advantage – if the attackers don't know what you are looking for/trip wire, they don't know what to avoid.
- "Zero days are not invisibility cloaks" – other boxes can pick up on it.
- The hypothetical malicious insider – a former security team member has a lot of knowledge. And an insider with credentials has access.
- Confirm bulk actions in bulk, not one at a time.
- Canaries – need to validate monitoring, recording, etc.
- Do table top red team exercises if not doing real ones.
- streamstash/logstash -> Elasticsearch (Splunk is superior but costs more).
- Run auditctl commands and kernel looks for matching events. Two weeks of data is about 2 terabytes of logged data.
- audisp – works with auditd to transform data.
- osquery – Facebook project for system monitoring using SQL.
- ElastAlert – Yelp project to pick up on Elasticsearch events. Does queries on a timer against Elasticsearch.
- AlertCenter – have SecurityBot looking at alerts. Security bot posts to Slack asking user to type "acknowledge" on phone to confirm action. That way, know have phone and not just Slack account. If no reply in X hours, goes to PagerDuty. Instead of security team looking at all alerts, whole company is helping. This means the security team responds to less than 5 alerts a day.
- Time awake – nobody is awake for 24 hours.
- T-Mobile has feature that can travel abroad without paying roaming. This works by routing some traffic through Texas so your location keeps jumping between Texas and abroad.
- IPs – less unique IPs than you'd think.
- Worth looking at when user comes from new IP.

Update November 4th, 2020: Kolide has officially retired Fleet. We've preserved the FAQ below for posterity.

At the heart of everything we do at Kolide is osquery. Our goal has always been to make it easier to access the powerful data and insights osquery provides. To that end, we've created two distinct platforms - Kolide Fleet and Kolide K2.

There is a common misconception that K2 is simply a hosted version of Kolide Fleet, but other than their mutual utilization of Launcher and osquery, they have little to no overlap in code.

Kolide Fleet is a fully open source osquery management tool. Used by itself, or in combination with Launcher, Fleet provides a web GUI for deploying and managing osquery to your fleet. Fleet is a hands-on tool that requires you to set up and maintain your own servers. In addition, we leave it completely up to you to decide what data you find valuable, and what to do with that data. Support for Fleet, Launcher, and osquery itself is available in the osquery Slack community. Members of our team are active in the #kolide channel. We offer no direct support for this product.

K2 (Kolide) is a paid cloud-hosted SaaS platform for gathering detailed device information across all 3 major platforms. K2 is a rewrite from the ground up, built around the desire to provide an Honest Security platform. This meant providing an avenue to notify and educate end-users on security best practices. We incorporated a Slack application to alert your end users when their device is out of compliance, with detailed steps on how to remediate. K2 still retains the core functionality of Fleet with access to osquery power-user tools such as:

It seeks to improve upon each of those features and further refine their experiences (for example Live Query reports errors of malformed or incomplete queries per device). The expansion of features includes:

- Automatic Device to User Assignment (across all 3 platforms)
- Built-in notification functionality (including reaching out to end users with self-fix instructions)
- Persistently browsable and enriched data via a feature we call Inventory (e.g. What Chrome extensions are installed across my environment? Without having to run a Live Query or rebuild log output)
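The detection and acknowledgement flow described in the talk notes above (a "new IP" tripwire, the "nobody is awake for 24 hours" check, and a bot that asks the user to confirm and pages on-call after X hours), as an added Python example; this is not code from the talk or from Slack, and the login events, the 8-hour activity-gap threshold, the 4-hour acknowledgement SLA and the function names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login events (user, UTC timestamp, source IP); not real data.
EVENTS = [
    ("alice", "2023-05-01T09:00:00", "203.0.113.5"),
    ("alice", "2023-05-01T13:00:00", "203.0.113.5"),
    ("alice", "2023-05-01T17:00:00", "198.51.100.7"),  # first time alice is seen here
    ("bob", "2023-05-01T08:00:00", "203.0.113.9"),
    ("bob", "2023-05-01T14:00:00", "203.0.113.9"),
    ("bob", "2023-05-01T20:00:00", "203.0.113.9"),
    ("bob", "2023-05-02T02:00:00", "203.0.113.9"),
    ("bob", "2023-05-02T09:00:00", "203.0.113.9"),  # 25 hours of activity, no long gap
]

def parsed(events):
    for user, ts, ip in events:
        yield user, datetime.fromisoformat(ts), ip

def new_ip_alerts(events):
    """'New IP' tripwire: alert the first time a user shows up from an unseen address."""
    seen, alerts = {}, []
    for user, _, ip in parsed(events):
        ips = seen.setdefault(user, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:  # the user's first address is the baseline, not an alert
                alerts.append((user, "new_ip", ip))
    return alerts

def time_awake_alerts(events, max_gap=timedelta(hours=8), limit=timedelta(hours=24)):
    """'Time awake' check: a run of activity past `limit` with no gap over `max_gap` (assumed)."""
    by_user, alerts = {}, []
    for user, ts, _ in parsed(events):
        by_user.setdefault(user, []).append(ts)
    for user, stamps in by_user.items():
        stamps.sort()
        start = stamps[0]
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                start = cur  # a real break in activity: start a new run
            elif cur - start >= limit:
                alerts.append((user, "time_awake", str(cur - start)))
                break
    return alerts

def triage(hours_open, acknowledged, sla_hours=4):
    """SecurityBot flow: user confirms from their phone, else page on-call after the SLA (assumed 4h)."""
    if acknowledged:
        return "closed"
    return "escalated" if hours_open > sla_hours else "waiting"
```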