I recently presented at the 2018 Security Onion Conference, on “Integrating Osquery Into Security Onion.” You can find the slide deck here [pdf]. The core of the presentation was focused on some basic integrations of osquery and Security Onion. The integrations I demoed included the following:
Osquery dashboard & other osquery visualizations on the Indicators page. The visualizations are tied to saved searches that use the following field: event_type: osquery
[Screenshots: osquery dashboard; osquery data on the Indicators page]
Pivot link from osquery data to Live Query the endpoint using Kolide Fleet’s webui. The link directs the browser to a small PHP script that replaces the target IP’s dots with dashes, and then redirects the browser to the Fleet instance, preselecting the target endpoint via a Fleet Label. This pre-selection mechanism is not ideal, and there is a GH issue & Slack discussion around how to do this better.
[Screenshots: live query pivot link; Fleet live query]
Pivot link from osquery data to the SO Indicators page. This link is set up just like any other hyperlinked indicator in SO.
Pivot link from bro_http data (virtual_host) to blacklist a domain using Trail of Bits' osquery extension fwctl. This particular integration is definitely a proof of concept, and should not be used in production without sufficient safeguards in place. The pivot link is created through a Kibana scripted field.
[Screenshots: blacklist domain; blacklist progress and status]
To push the osquery data to SO, I installed Filebeat on the Fleet server and used it to send the osquery logs to Logstash on SO. For your Filebeat config, you just need to use the following:
tags: ["osquery"]
fields:
  event_type: osquery
fields_under_root: true
You can find the Logstash config here.
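As an added illustration (not the post's Logstash config, nor code from Security Onion or Fleet), here is a small Python normalizer showing what the osquery result lines look like once Filebeat has shipped them, how they get flattened into the event_type: osquery shape the saved searches key on, and the dots-to-dashes transformation the PHP redirector applies to the target IP for the Fleet Label pivot. The sample log lines are constructed, and the "host_ip" decoration is an assumption, since the post does not say where the target IP is taken from.

```python
import json
import ipaddress

# Constructed sample of osquery result-log lines as Fleet writes them and Filebeat
# ships them: one differential event, one snapshot event, one junk line. The
# "host_ip" decoration is an assumption; the post does not say where the IP comes from.
SAMPLE_LINES = [
    json.dumps({"name": "pack/sec/listening_ports", "hostIdentifier": "web01",
                "unixTime": 1539604800, "action": "added",
                "decorations": {"hostname": "web01", "host_ip": "10.0.0.15"},
                "columns": {"port": "4444", "pid": "1234", "path": "/tmp/nc"}}),
    json.dumps({"name": "pack/sec/users", "hostIdentifier": "db01",
                "unixTime": 1539604805,
                "decorations": {"hostname": "db01", "host_ip": "10.0.0.22"},
                "snapshot": [{"username": "root", "uid": "0"},
                             {"username": "backup", "uid": "1001"}]}),
    "not json at all",
]


def fleet_label(ip):
    """Dashed form of a target IP (10.0.0.15 -> 10-0-0-15), the transformation the
    post's PHP redirector applies so a Fleet Label can preselect the host.
    Returns None for anything that is not a valid IPv4 address."""
    try:
        return str(ipaddress.IPv4Address(ip)).replace(".", "-")
    except ValueError:
        return None

def normalize_osquery_events(lines):
    """Flatten osquery result lines into events tagged event_type: osquery, the
    field the Security Onion saved searches key on. Differential logs give one
    event; snapshot logs give one event per row. Returns (events, bad_line_count)."""
    events, bad = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):  # junk or non-object lines are counted, not dropped silently
            bad += 1
            continue
        base = {"event_type": "osquery", "tags": ["osquery"],
                "query_name": rec.get("name"), "host": rec.get("hostIdentifier"),
                "unix_time": rec.get("unixTime"),
                "fleet_label": fleet_label(rec.get("decorations", {}).get("host_ip", ""))}
        if "snapshot" in rec:
            events.extend({**base, "action": "snapshot", "columns": row} for row in rec["snapshot"])
        else:
            events.append({**base, "action": rec.get("action"), "columns": rec.get("columns", {})})
    return events, bad
```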
There is a ton more integration that can be done; this is just scratching the surface. Wazuh has recently integrated support for osquery, and bro-osquery is another very interesting project, considering how integral bro is to SO. Lots of ideas to try.
If you are interested in learning more about how to practically use osquery for security analysis, check out my recently released online course at LearnOsquery.com.
-Josh