RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,270 Commits 1 Branch 31 Tags 5.7 MiB
Commit Graph

359 Commits

Author SHA1 Message Date
Thomas Stromberg 1c17532ae8
fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion 2024-10-25 11:29:40 -04:00
Thomas Stromberg 462fbef639
Mark as extra, as this query is racey 2024-10-24 15:36:21 -04:00
Thomas Stromberg 0b41ec5d07
unexpected fetcher parents: add Cursor Helper 2024-10-24 15:34:04 -04:00
Thomas Stromberg f038dc7557
fpr, refactor minimal-socket-client-macos 2024-10-24 15:12:33 -04:00
Thomas Stromberg 25f0e14790
add more exceptions 2024-10-24 11:31:28 -04:00
Thomas Stromberg 781f1a33af
fpr + Mark touched-executable as extra on macOS 2024-10-24 11:20:06 -04:00
Thomas Stromberg f3baa1d042
fpr: wider talkers exception, chrome extensions, postgres 2024-10-23 17:28:37 -04:00
Thomas Strömberg 1bbf419bfc
Merge pull request #402 from tstromberg/oct23 
fpr: bpftool, curl, pulumi, Docker Desktop, go tests
 2024-10-23 11:41:03 -04:00
Thomas Strömberg c8e99a5ee1
Merge pull request #400 from r0cketlad/21oct2024 
small fpr push
 2024-10-23 11:40:41 -04:00
Thomas Stromberg 78d243abf0
fpr: bpftool, curl, pulumi, Docker Desktop, go tests 2024-10-23 10:59:37 -04:00
Dave Smith 899fc1dfca
Update unexpected-setuid-binaries.sql 
Signed-off-by: Dave Smith <dave.smith@chainguard.dev>
 2024-10-23 08:32:35 -04:00
Thomas Stromberg 81180803ae
fpr: tune-ppd, lightdm, nami, gradle, etc 2024-10-22 16:12:21 -04:00
Dave Smith 9a69bb55ba small fpr push 2024-10-22 08:20:24 -04:00
Thomas Stromberg 2da853b35e
fpr: bwrap, malcontent, ld, metallb 2024-10-21 10:15:59 -04:00
Dave Smith f71898ca70 refactoring alerts to reduce noise 2024-10-16 14:59:43 -04:00
Thomas Stromberg 9f4b8a0b69
refactor to reduce false positives 2024-10-16 09:44:19 -04:00
Thomas Stromberg 14a9098a9a
widen query scope 2024-10-16 09:32:00 -04:00
Thomas Stromberg 71282a0a62
Relax checks enough to pass tests 2024-10-11 10:38:07 -04:00
Thomas Stromberg c60c8ccf39
mark https-linux extra, minor query tuning 2024-10-11 09:55:04 -04:00
Thomas Stromberg 9a1a4b049e
fpr: prosoft, ujust, kandji-library-manager, etc 2024-09-26 12:40:04 -04:00
Thomas Strömberg a6c38daf2d
Merge pull request #388 from tstromberg/net-events 
Add events and extra tags to relevant event-based queries
 2024-09-24 15:53:07 -04:00
Thomas Stromberg 6aab8fdfb6
Add events and extra tags to relevant event-based queries 2024-09-24 15:36:03 -04:00
Thomas Stromberg 8d583131ca
fpr: cups, zed, pycharm, msedge, surfshark, ubiquiti 2024-09-24 15:10:21 -04:00
Thomas Stromberg 47401947d5
fix verify errors 2024-09-23 11:10:05 -04:00
Thomas Stromberg 4d0a9fd533
fpr: sequoia, osquery, cups, atops, transmission, etc 2024-09-23 11:07:53 -04:00
Thomas Stromberg b976189cf3
run 'make reformat' 2024-08-27 18:45:06 -04:00
Thomas Stromberg 4b10d10520
False-positives be damned 2024-08-27 18:40:43 -04:00
Thomas Stromberg 1facce21f2
fpr: syft, krunner, k9s, espeak, chainctl, supermaven 2024-08-12 13:57:35 -04:00
Thomas Stromberg 6c292f11af
fpr: kas, bitnami, redis, bincapz, kolide, docker, whatsapp 2024-07-12 16:55:49 -04:00
Thomas Stromberg 4df51743d0
fpr: lima, rpm-ostree, gitsign, kde, python, etc 2024-07-01 21:56:28 -04:00
Thomas Stromberg 6fe74680a0
fpr: June 28 - final rule tuning 2024-06-28 10:08:04 -04:00
Thomas Stromberg 00fa80a0d9
Massive false-positive reduction, particularly for uBlue 2024-06-27 09:23:52 -04:00
Thomas Stromberg 18e05c5a4c
fpr: June 25 2024-06-25 20:48:09 -04:00
Thomas Stromberg 4aeff07118
More SilverBlue/Elastic allows 2024-05-23 21:22:59 -04:00
Thomas Stromberg ab2535717f
fpr: Fedora Silverblue, MHLinkServer, new terminals 2024-05-23 17:26:33 -04:00
Thomas Stromberg 03ea3bcff2
mark command-events & execdir-events as 'extra' due to high CPU usage 2024-04-29 09:33:06 -04:00
Thomas Stromberg 5dd614f54c
fpr: MHLink, k3d, BlueFin, query tuning 2024-04-26 16:14:02 -04:00
Thomas Stromberg 5ef3c88213
Overdue False Positive Reduction 2024-03-29 10:12:36 -04:00
Thomas Strömberg a673c28222
Merge pull request #362 from tstromberg/kandji 
Performance tuning, mark some Linux queries as 'extra'
 2024-03-15 19:07:10 -04:00
Thomas Stromberg 3447f95d9e
Performance tuning, mark some Linux queries as 'extra' 2024-03-15 19:06:16 -04:00
Thomas Stromberg d3352610f4 fpr: snapd, cups, ubuntu, etc 2024-03-07 16:33:01 -05:00
Thomas Stromberg 342d813bf8 fpr: Docker Desktop, code-oss, incus, etc 2024-02-26 17:26:56 -05:00
Thomas Stromberg f72e6424c0 Run reformat 2024-02-16 17:21:00 -05:00
Thomas Stromberg b1e05d6612 merge conflict 2024-02-16 17:17:45 -05:00
Thomas Stromberg f87a8e8197 fpr: Elastic, IR, Velociraptor, BitDefender, incus, Adguard 2024-02-16 17:14:11 -05:00
Thomas Stromberg a0624c0870
Add Elastic exceptions for osqueryd/packetbeat 2024-02-05 10:49:52 -05:00
Thomas Stromberg 12a55753b5
fpr: Elastic Defend, gcloud, Warp, etc 2024-02-05 10:45:17 -05:00
Thomas Stromberg 25c579aa1d
Add TTP details from https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/ 2024-02-01 13:04:07 -05:00
Thomas Stromberg e42ea9a4bc
massive fpr: Rapid7, Elastic, everything 2024-01-26 14:07:37 -05:00
Thomas Stromberg 5d31e8da5f
fpr: psi, arduino, bitdefender, keybase, cody, etc 2024-01-22 10:36:01 -05:00