RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
808 Commits 1 Branch 31 Tags 5.6 MiB
Commit Graph

54 Commits

Author SHA1 Message Date
Thomas Stromberg 7ceb7b2b19
fpr: NetworkManager, packer, rancher desktop, proxmox, sd 2023-03-17 06:32:54 -04:00
Thomas Stromberg af9a78236e
New detector: unexpected chmod exec event 2023-03-16 16:53:32 -04:00
Thomas Stromberg 824efa9705
fpr: yum, systemd, cloud-sql-proxy, image-automation-controller, helm, bom, aws 2023-03-14 19:00:44 -04:00
Thomas Stromberg b3825ba2b9
fpr: Canon Universal Installer, melange, GPG, key names 2023-03-06 15:11:11 -05:00
Thomas Stromberg f25cfe1399
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 07:24:42 -05:00
Thomas Stromberg e8cf7ecbe3
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 18:04:17 -05:00
Thomas Stromberg cf858d193d
fpr: ACE, Prusa, steam, pacman, Xcode, Adobe 2023-02-14 20:16:02 -05:00
Thomas Stromberg d897f0b50d
fpr: Nessus, mysql-shell, ntia-checker, Ecamm, CopyClip, etc 2023-02-14 08:33:05 -05:00
Thomas Stromberg 4f4ae0ed38
False positive removal and minor query perf improvements 2023-02-10 10:21:06 -05:00
echunduri e44dc167e9 Modified detections explicilty targeted towards macOS to not include cgroup_path fields anymore 2023-02-09 10:57:03 +11:00
Thomas Stromberg 668f012a92
Remove 'launchctl load' as an exotic event (too noisy) 2023-02-02 20:44:14 -05:00
Thomas Stromberg bb3e1f964e
Run make reformat, update max rows for incident response 2023-02-02 17:58:19 -05:00
Thomas Stromberg cdcb2d48f3
Slow queries down, minor improvements 2023-02-01 16:17:36 -05:00
Thomas Stromberg f9dce0a72d
Include more process information across queries 2023-02-01 13:55:55 -05:00
Thomas Stromberg 45ab183557
fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc 2023-01-30 14:58:47 -05:00
Thomas Stromberg 141ab28310
False positives: autodocs, jupyter, apko 2023-01-27 10:38:01 -05:00
Thomas Stromberg 66ee3484c0
Remove unused active fields, add WhatsApp ioreg exception 2023-01-27 08:46:48 -05:00
Thomas Stromberg 7d8fa35eb4
fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc 2023-01-26 16:30:14 -05:00
Thomas Stromberg f5fe9a4aac
Refactor process_events queries for more accurate parenting 2023-01-26 11:40:54 -05:00
Thomas Stromberg e6824d87e9
Run 'make reformat' 2023-01-20 09:24:24 -05:00
Thomas Stromberg 7b79b19090
False positive reduction: Messenger, Chrome, Final Cut Pro, etc 2023-01-18 09:49:56 -05:00
Thomas Stromberg d415b36b57
FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc 2023-01-16 12:56:39 -05:00
Thomas Stromberg e3401a07c6
Weekend false-positive flush 2023-01-14 08:19:26 -05:00
Thomas Stromberg 1b79359b68
Friday False Positive Flush 2023-01-13 14:10:43 -05:00
Thomas Strömberg cb0ed647d8
Merge branch 'main' into bugfixesJan13 2023-01-13 13:56:19 -05:00
Thomas Stromberg 7073cde5f0
Allow chmod 0777 to match 2023-01-13 13:48:02 -05:00
Thomas Stromberg c7e4252af1
Remove false positives, fix some queries that failed to show a parent pid 2023-01-09 10:46:30 -05:00
Thomas Stromberg 1aefbe5e91
More false positive removal 2023-01-06 16:01:35 -05:00
Thomas Stromberg a8b95a2c9e
New Years cleanup: monitorix, snap-confine, steam, spotify, etc 2023-01-03 08:50:19 -05:00
Thomas Stromberg 15d3251120
False-positive flush: mount.ntfs, docker-credential-desktop, exotic socket refactor 2022-12-19 18:06:06 -05:00
Thomas Stromberg 49a19a6fd5
Sort out more false positives 2022-12-16 17:37:32 -05:00
Thomas Stromberg 404adf3e1f
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 16:51:58 -05:00
Thomas Stromberg 76d5c8564b
Resolve latest reported false positives 2022-12-02 11:20:18 -05:00
Thomas Stromberg 6a7c4b6668
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 09:21:03 -05:00
Thomas Stromberg 8e3d6a1614
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 10:27:43 -05:00
Thomas Stromberg eeeaeecda1
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 07:20:19 -05:00
Thomas Stromberg 9f63e3b21d
Begin making use of cgroup_paths, clear more false positives 2022-11-16 16:52:39 -05:00
Thomas Stromberg 3d7bc8363e
More false positive management 2022-11-16 14:49:36 -05:00
Thomas Stromberg 8047c88374
Run 'make reformat' 2022-11-16 11:02:29 -05:00
Thomas Stromberg f1a3354495
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 11:04:48 -05:00
Thomas Stromberg f93a18d112
Refactor execdir, remove false positives 2022-11-07 20:36:37 -05:00
Thomas Stromberg fffff696a7
Ignore weird Logitech commands, and add grandparent process info 2022-11-03 14:25:13 -04:00
Thomas Stromberg e7e714c9db
Make another stab at reducing false positives across the map 2022-11-03 11:51:54 -04:00
Thomas Stromberg caab2a6c82
Loads of fresh new false-positives removal 2022-10-31 17:40:37 -04:00
Thomas Stromberg 81b97536e9
Exclude locatedb updates 2022-10-29 12:11:46 -04:00
Thomas Stromberg 6c78695b73
Final KubeCon 2022 false-positive cleanup 2022-10-28 19:24:00 -04:00
Thomas Stromberg 239df4ea1f
Reduce more false positives found on macOS and Linux 2022-10-25 21:27:41 -04:00
Thomas Stromberg 8516aec8c3
Fix broken osascript script, move duplicate check out of exotic 2022-10-21 17:42:44 -04:00
Thomas Stromberg 356db76a44
Filter out sh -i if launched by sh, ukh if launchedb by lima, Socket. if launched by compile 2022-10-21 14:11:45 -04:00
Thomas Stromberg 535d835290
Simplify exotic commands queries, remove more false positives 2022-10-18 11:32:18 -04:00