Originally forked from https://github.com/chainguard-dev/osquery-defense-kit.
Ben Heater wrote a PowerShell conversion script to take the Chainguard SQL and convert it to .yml format that can be consumed by fleetctl.
I took Ben's .yml files for IR and Detection and added references to using teams with the queries.
The teams feature is a Premium licensed feature in Fleet, but it allows the admin to segment and target deployment of groups of queries (amongst other use cases).
This can be done in the Fleet UI or programmatically via the REST API or fleetctl. Your testing scenarios may differ, but a starting approach would be to create a single team to transfer hosts into when running DART activities:
- create team 'Workstations (canary)'
The .yml files have been formatted to use the above team names. If you would like to use different team names, please modify the .yml files appropriately.
- Using `fleetctl`, apply the following command:

```shell
fleetctl apply --context <context> -f fleet_chainguard_queries.yml
```
https://fleetdm.com/guides/osquery-evented-tables-overview
I had created a separate team (Workstations (canary)) in the above step. Either enable evented tables as per the above article on the same "Workstations (canary)" team, or if you'd like to only enable on a case by case basis, create a different team. In my test scenario, I just enabled events in the Workstations (canary) team.
```yaml
command_line_flags:
  events_max: 50000
  disable_audit: false
  events_expiry: 86000
  disable_events: false
  events_optimize: true
  enable_file_events: true
  audit_allow_fim_events: true
  disable_endpointsecurity: false
  enable_ntfs_event_publisher: true
  disable_endpointsecurity_fim: false
```
Done either through the UI or through modifying the .yml directly.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords",
        "kinesis:DescribeStream"
      ],
      "Resource": "arn:aws:kinesis:*:8888888xxxxxx:stream/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams",
        "kinesis:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::99999999xxxxxx:role/demo1-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
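A least-privilege review of the two IAM policies above, added here as an example and not part of this repository. It reuses the README's own policy JSON (placeholder account IDs included) and flags wildcard actions, write actions on a bare `*` resource, and a trust policy open to any principal; the `stream/*` note is a reminder to narrow the write grant to the one stream actually written to.

```python
# Added example (not part of the repository): least-privilege review of the two
# IAM policies in this README; the dicts below are the README's own JSON.
READ_ONLY_PREFIXES = ("List", "Describe", "Get")

PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStream"],
     "Resource": "arn:aws:kinesis:*:8888888xxxxxx:stream/*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["kinesis:ListStreams", "kinesis:DescribeStream"], "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::99999999xxxxxx:role/demo1-role"},
     "Action": "sts:AssumeRole"}]}

def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """kinesis:ListStreams / kinesis:DescribeStream only read stream metadata."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)

def review_permissions(policy):
    """(severity, message) findings: 'high' for wildcard actions or write actions
    on a bare '*' resource, 'note' for write actions on a wildcard ARN (stream/*)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, resources = stmt.get("Sid", "?"), as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(("high", f"{sid}: wildcard action {action}"))
            elif not is_read_only(action) and "*" in resources:
                findings.append(("high", f"{sid}: {action} allowed on Resource '*'"))
            elif not is_read_only(action) and any(r.endswith("/*") for r in resources):
                findings.append(("note", f"{sid}: {action} allowed on a wildcard ARN"))
    return findings

def review_trust(policy):
    """Findings for a role trust policy: a '*' principal lets any AWS account assume it."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(("high", f"{stmt.get('Sid', '?')}: any AWS principal can assume this role"))
    return findings
```

Running `review_permissions(PERMISSIONS_POLICY)` on the README's policy returns only the two `stream/*` notes for the Put actions, and `review_trust(TRUST_POLICY)` returns nothing because the trust policy names a single role ARN.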
https://docs.splunk.com/Documentation/AddOns/released/AWS/Setuptheadd-on
https://unfinished.bike/behavioral-detection-of-macos-malware-using-osquery