
@clong
clong / query
Created September 15, 2017 23:12
Use osquery to find malicious pip packages
-- Known-malicious pip package names (typosquats of popular packages);
-- any installed package whose name is in this list is a hit.
SELECT *
FROM python_packages
WHERE name IN (
  'acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server',
  'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib'
);

Scenario 1 - Detection logic in osquery, alerting logic on backend (Splunk/ELK/StreamAlert)

osquery.conf

"bash_reverse_shell": {
  "query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
  "interval": 30,
  "description": "Looks for processes whose command line resembles a bash reverse shell"
}
{
  "action": "added",
  "columns": {
    "vendor_id": "1050",
    "vendor": "Yubico",
    "type": "IOUSBDevice",
    "action": "attach",
    "driver": "IOUSBDeviceUserClientV2",
 "model": "Yubikey NEO OTP+U2F+CCID",
{
  "name": "file_events",
  "hostIdentifier": "computer.local",
  "calendarTime": "Mon Mar 13 07:03:13 2017 UTC",
  "unixTime": "1489388593",
  "columns": {
    "action": "CREATED",
    "atime": "1489388581",
 "category": "tmp",
@clong
clong / install-go-audit-osquery.sh
Last active March 17, 2017 12:13
go-audit and osquery bootstrap script
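#!/bin/bash
# go-audit and osquery bootstrap script (Debian/Ubuntu, amd64).
#
# Must be started as root. `sudo su` inside a script does NOT elevate the
# commands that follow it: it opens an interactive root shell and the rest of
# the script only continues, as the original user, once that shell exits.
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root (e.g. sudo $0)" >&2
  exit 1
fi

# Go release to install; the distro package is too old to build go-audit.
GO_VERSION="1.7"
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
GO_URL="https://storage.googleapis.com/golang/${GO_TARBALL}"
# Expected SHA-256 of the tarball. Fill in from the published checksum before
# running; with the placeholder left in place the verification below fails
# closed and nothing is installed.
GO_SHA256="<sha256-of-${GO_TARBALL}>"

apt-get update && apt-get upgrade -y && apt-get install -y build-essential golang git jq auditd
cd /root

# Update Golang from 1.2 to 1.7 or compilation of go-audit will fail
wget "${GO_URL}"
# Verify the download before unpacking it into /usr/local: an unverified
# toolchain tarball is a supply-chain risk for everything built with it.
echo "${GO_SHA256}  ${GO_TARBALL}" | sha256sum -c -
tar -xvf "${GO_TARBALL}"
# Replace any previous install so `mv` does not fail on an existing directory.
rm -rf /usr/local/go
mv go /usr/local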
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"host_identifier": "hostname",
"event_pubsub_expiry": "86000",
"debug": "false",
"verbose_debug": "false",
"worker_threads": "4",
"schedule_splay_percent": 10