RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,037 Commits 1 Branch 31 Tags 5.6 MiB
Commit Graph

69 Commits

Author SHA1 Message Date
Thomas Stromberg 5f2680ca8b
fpr: Monday, Splunk, Gnome, Git, Grammarly, etc 2023-10-02 11:35:11 -04:00
Thomas Stromberg b39fca4e9f
fpr: RSA keys, tcpdump, login, crane, souregraph, etc 2023-09-20 09:30:46 -04:00
Thomas Stromberg a041305145 Improve base64/crontab detection 2023-09-14 16:39:35 -04:00
Thomas Stromberg dce2eb2af5 Add many exceptions 2023-08-15 18:13:06 -04:00
Thomas Stromberg 921cdc521e
fpr: nvidia drivers, su, agetty, crystalhd, hercules, etc 2023-07-19 15:22:43 -04:00
Thomas Stromberg 24c2baef28 Make process times broadly available, minor opts 2023-05-16 17:18:39 -04:00
Thomas Stromberg 41d83350a1
make reformat 2023-05-08 13:20:47 -04:00
Thomas Stromberg 272711ae7a
fpr: node, nc, busybox, libvirt, etc 2023-05-05 12:44:46 -04:00
Thomas Stromberg 47124daa01
fpr: RetailMeNot, LogiTune, macOS, mediawriter, etc 2023-05-02 15:25:36 -04:00
Thomas Stromberg 9c3f783491 fpr everything 2023-04-17 16:20:35 -04:00
Thomas Stromberg d4dd423745
fpr: Grammarly, semodule, docker-compose, xdg, etc 2023-03-30 18:44:01 -04:00
Thomas Stromberg 2d6ced6ae5
Remove powershell indicator 2023-03-28 17:02:14 -04:00
Thomas Stromberg 9b0ed09c8e
fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage 2023-03-28 16:25:26 -04:00
Thomas Stromberg 7a78199906
fpr: traceroute, thunderbird, garmin installer, chainctl, etc 2023-03-21 14:07:06 -04:00
Thomas Stromberg 15c666a170
Fix references to p0.cmdline 2023-03-17 15:38:22 -04:00
Thomas Stromberg 7ceb7b2b19
fpr: NetworkManager, packer, rancher desktop, proxmox, sd 2023-03-17 06:32:54 -04:00
Thomas Stromberg af9a78236e
New detector: unexpected chmod exec event 2023-03-16 16:53:32 -04:00
Thomas Stromberg 824efa9705
fpr: yum, systemd, cloud-sql-proxy, image-automation-controller, helm, bom, aws 2023-03-14 19:00:44 -04:00
Thomas Stromberg b3825ba2b9
fpr: Canon Universal Installer, melange, GPG, key names 2023-03-06 15:11:11 -05:00
Thomas Stromberg f25cfe1399
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 07:24:42 -05:00
Thomas Stromberg e8cf7ecbe3
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 18:04:17 -05:00
Thomas Stromberg cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg d897f0b50d
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc 2023-02-14 08:33:05 -05:00
Thomas Stromberg 4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
echunduri e44dc167e9 Modified detections explicilty targeted towards macOS to not include cgroup_path fields anymore 2023-02-09 10:57:03 +11:00
Thomas Stromberg 668f012a92
Remove 'launchctl load' as an exotic event (too noisy) 2023-02-02 20:44:14 -05:00
Thomas Stromberg bb3e1f964e
Run make reformat, update max rows for incident response 2023-02-02 17:58:19 -05:00
Thomas Stromberg cdcb2d48f3
Slow queries down, minor improvements 2023-02-01 16:17:36 -05:00
Thomas Stromberg f9dce0a72d
Include more process information across queries 2023-02-01 13:55:55 -05:00
Thomas Stromberg 45ab183557
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 14:58:47 -05:00
Thomas Stromberg 141ab28310
False positives: autodocs, jupyter, apko 2023-01-27 10:38:01 -05:00
Thomas Stromberg 66ee3484c0
Remove unused active fields, add WhatsApp ioreg exception 2023-01-27 08:46:48 -05:00
Thomas Stromberg 7d8fa35eb4
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 16:30:14 -05:00
Thomas Stromberg f5fe9a4aac
Refactor process_events queries for more accurate parenting 2023-01-26 11:40:54 -05:00
Thomas Stromberg e6824d87e9
Run 'make reformat' 2023-01-20 09:24:24 -05:00
Thomas Stromberg 7b79b19090
False positive reduction: Messenger, Chrome, Final Cut Pro, etc 2023-01-18 09:49:56 -05:00
Thomas Stromberg d415b36b57
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 12:56:39 -05:00
Thomas Stromberg e3401a07c6
Weekend false-positive flush 2023-01-14 08:19:26 -05:00
Thomas Stromberg 1b79359b68
Friday False Positive Flush 2023-01-13 14:10:43 -05:00
Thomas Strömberg cb0ed647d8
Merge branch 'main' into bugfixesJan13 2023-01-13 13:56:19 -05:00
Thomas Stromberg 7073cde5f0
Allow chmod 0777 to match 2023-01-13 13:48:02 -05:00
Thomas Stromberg c7e4252af1
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 10:46:30 -05:00
Thomas Stromberg 1aefbe5e91
More false positive removal 2023-01-06 16:01:35 -05:00
Thomas Stromberg a8b95a2c9e
New Years cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 08:50:19 -05:00
Thomas Stromberg 15d3251120
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 18:06:06 -05:00
Thomas Stromberg 49a19a6fd5
Sort out more false positives 2022-12-16 17:37:32 -05:00
Thomas Stromberg 404adf3e1f
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 16:51:58 -05:00
Thomas Stromberg 76d5c8564b
Resolve latest reported false positives 2022-12-02 11:20:18 -05:00
Thomas Stromberg 6a7c4b6668
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 09:21:03 -05:00
Thomas Stromberg 8e3d6a1614
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 10:27:43 -05:00