Improve README

Thomas Strömberg 2022-10-20 09:20:42 -04:00 committed by GitHub
parent 1c38ef430e
commit 69d4c8b829


@ -1,22 +1,22 @@
# osquery-defense-kit
Real-world queries for using osquery as part of a detection & response pipeline.
Production-ready detection & response queries for osquery
![osquery-defense-kit](images/logo-small.png?raw=true "osquery-defense-kit logo")
Primarily focused on threat detection on POSIX platforms (Linux, macOS), the osquery-defense-kit (ODK) differs from
existing published query sets in that they are designed to be used in an alert pipeline. Most queries (particularly those in `detection` and `policy`) should return 0 results
unless an exceptional behavior is detected.
ODK (osquery-defense-kit) is unique in that the queries are designed to be used as part of a production detection & response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.
At the moment, these queries are predominantly designed for execution on POSIX platforms (Linux & macOS). Pull requests to improve support on other platforms are fully welcome.
## Organization
* `detection/` - Threat detection queries tuned for alert generation.
* `response/` - Data collection to assist in responding to possible threats. Tuned for periodic evidence collection.
* `policy/` - Security policy queries tuned for alert generation.
* `response/` - Data collection to assist in responding to possible threats. Tuned for periodic evidence collection.
The detection queries are further divided up by [MITRE ATT&CK](https://attack.mitre.org/) tactics categories.
Periodically, queries published in [osquery query pack](https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs) format. See `Local Pack Generation` for information on how to generate your own.
At release time, the queries are packed up in [osquery query pack](https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs) format. See `Local Pack Generation` for information on how to generate your own packs at any time.
## Detection on Linux Case Study: Shikitega (September 2022)
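Review bot: the rewritten introduction ("ODK (osquery-defense-kit) is unique in that ...") narrows the zero-rows-means-alert contract to the detection queries, while the paragraph it replaces covered both `detection` and `policy` ("Most queries (particularly those in `detection` and `policy`) should return 0 results"), and the new `policy/` bullet in Organization still says "Security policy queries tuned for alert generation." Suggest keeping policy queries in that sentence, e.g. "The detection and policy queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.", so the introduction and the Organization list agree on which directories are safe to wire into alerting and which (`response/`) are expected to return rows during periodic collection.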