Integrating Osquery Into Security Onion

I recently presented at the 2018 Security Onion Conference on “Integrating Osquery Into Security Onion.” You can find the slide deck here [pdf]. The core of the presentation was focused on some basic integrations of osquery and Security Onion. The integrations I demoed included the following:

Osquery dashboard & other osquery visualizations on the Indicators page. The visualizations are tied to saved searches that filter on the field event_type: osquery.

[Screenshots: osquery Dashboard; osquery data on Indicators page]

Pivot link from osquery data to Live Query the endpoint using Kolide Fleet’s web UI. The link directs the browser to a small PHP script that replaces the target IP’s dots with dashes, and then redirects the browser to the Fleet instance, preselecting the target endpoint via a Fleet Label. This pre-selection mechanism is not ideal, and there is a GH issue & Slack discussion around how to do this better.

[Screenshots: Live query pivot link; Fleet live query]

Pivot link from osquery data to the SO Indicators page. This link is set up just like any other hyperlinked indicator in SO.

Pivot link from bro_http data (virtual_host) to blacklist a domain using Trail of Bits’ osquery extension fwctl. This particular integration is definitely proof of concept, and should not be used in production without sufficient safeguards in place. The pivot link is created through a Kibana scripted field.

[Screenshots: Blacklist domain; Blacklist progress & status]
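The two pivot links above (the Fleet live-query redirect that turns the target IP's dots into dashes, and the fwctl blacklist link built from a bro_http virtual_host) both put a log-derived value into a URL, so the "sufficient safeguards" start with validating that value. This is an added example, not the post's PHP script or Kibana scripted field; the Fleet and blacklist URL paths and the `label` query parameter are assumptions for illustration.

```python
"""Validate untrusted log fields before building the pivot links described
in the post. Added example; URL shapes below are assumed, not Fleet's or
fwctl's real endpoints."""
import ipaddress
import re
from typing import Optional
from urllib.parse import quote, urlencode

# RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-'.
# Rejects '/', '?', '#', ':' and whitespace that could alter the link.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def ip_to_fleet_label(target_ip: str) -> str:
    """Replace the dots of an IPv4 address with dashes, as the post's PHP
    redirector does, after confirming the value really is an IPv4 address
    so arbitrary text from a log field never reaches the redirect URL."""
    ip = ipaddress.ip_address(target_ip)  # raises ValueError on junk
    if ip.version != 4:
        raise ValueError("Fleet label pivot expects an IPv4 address")
    return str(ip).replace(".", "-")


def fleet_live_query_url(fleet_base: str, target_ip: str) -> str:
    # Hypothetical Fleet path and parameter name (assumption).
    label = ip_to_fleet_label(target_ip)
    return f"{fleet_base}/queries/new?" + urlencode({"label": label})


def is_valid_hostname(host: str) -> bool:
    """Plain multi-label hostname; bare IPs and host:port are rejected."""
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    return (len(labels) >= 2
            and not labels[-1].isdigit()  # TLD is never all-numeric
            and all(_LABEL_RE.match(label) for label in labels))


def blacklist_pivot_url(base: str, virtual_host: str) -> Optional[str]:
    """Return the fwctl blacklist pivot for a bro_http virtual_host, or
    None when the value is not a clean hostname and must not be linked."""
    host = virtual_host.strip().lower().rstrip(".")  # normalise FQDN dot
    if not is_valid_hostname(host):
        return None
    # Hypothetical endpoint path (assumption); encode as defence in depth.
    return f"{base}/blacklist/{quote(host, safe='')}"
```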

To push the osquery data to SO, I installed Filebeat on the Fleet server and used it to send the osquery logs to Logstash on SO. For your Filebeat config, you just need to use the following:

    tags: ["osquery"]
    fields:
      event_type: osquery
    fields_under_root: true

You can find the Logstash config here.

There is a ton more integration that can be done; this is just scratching the surface. Wazuh has recently integrated support for osquery, and bro-osquery is another very interesting project, considering how integral bro is to SO. Lots of ideas to try.

If you are interested in learning more about how to practically use osquery for security analysis, check out my recently released online course at LearnOsquery.com.

-Josh
