![]() By having centralized management, we can have efficient monitoring for hundreds of endpoints through the queries made to Osquery. Full view of endpoints that have Osquery installed īelow is a screenshot of FleetDM with its interface demonstrating interesting initial details regarding the endpoints: Page of hosts with Osquery connected to FleetDM Details page of a selected host in the FleetDM interfaceĬom a centralização do gerenciamento, podemos ter um monitoramento eficiente para centenas de endpoints, através das consultas realizadas ao Osquery.Here FleetDM, formerly Kolide, will help with visibility management and monitoring.įleetDM facilitates the management of Osquery-enabled endpoints by enabling and providing in a centralized way: The fact is that Osquery doesn’t provide a server or even a GUI (an acronym for Graphical User Interface) for easy management. While Osquery brings the necessary visibility into endpoints so that it can assist Information Security or IT teams and can provide a robust query mechanism to expose information, this is usually not enough for it to be used in proper monitoring. What is the hardware configuration of the endpoint?.Windows OS endpoints have which KBs installed?.In addition, visibility will allow you to better understand the environment in order to answer questions such as: The visibility capability is critical not only for monitoring but also for making decisions when something is off track. Osquery can provide a very clear view, ensuring the state of the endpoints as well as whether they are working properly. As a consequence, some teams don’t know exactly which endpoints are in their environment, or even the physical configuration of each of them, what programs are running, or if the operating system updates are kept up to date. Visibility and MonitoringĪs already mentioned at the beginning of this article, a common problem in organizations is the low visibility of their endpoints. If it’s not quite clear yet, we will elaborate on these possibilities in the topics of monitoring and anomaly detection. These can be used minimally to improve the logs in a SIEM and build use cases. Now it may be easier to see the tool’s potential and what we can try to generate with the inputs from the results. And this is just the tip of the iceberg for what Osquery can do as a monitoring and anomaly detection tool. In the example shown above, you can see the result of a simple query that provides details of users ‘logged in’ to the operating system in question. ![]() Demo of a Query on ‘Logged On’ Users on Windows Operating System Next, we see a query referring to the table “logged_in_users,” representing users ‘logged in’ to the operating system. In Osquery, the tables correspond to a certain set of data representing components and OS states with the respective attributes of the objects. ![]() For example, with it, you can monitor the integrity of files, socket connections, running processes, and much more. This behavior opens up a huge range of query possibilities that can return valuable information about the system’s state. All this occurs through SQL queries, similar to what is done when a database is queried. Basically, it makes it possible to understand a particular operating system that is running and what is happening on a machine. Osquery is a tool that allows you to monitor the operating system and several of its attributes and configurations differently. The main problem is that we can’t always find low-cost tools to meet this need.įortunately, in the middle of 2014, Facebook released an open-source tool called Osquery that makes it possible to meet this need and can be used for monitoring security anomalies, checking compliance and security policies, performance analysis, or even in the response and analysis of a security incident. This happens because of the importance that a real-time view can provide for a company’s defensive security teams. It’s very common these days to want to have visibility into the technology assets or endpoints of a network, especially when there’s a concern with security and their respective monitoring.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |