Instructions
- Install dependencies: pip install requests (osquery must already be installed on the endpoints)
- Generate osquery.conf with scheduled query packs for:
  - Process monitoring: new processes, unusual parent-child relationships
  - Network listeners: unexpected listening ports and outbound connections
  - File integrity: modifications in /etc, /usr/bin, system32
  - Persistence: cron jobs, startup items, scheduled tasks, services
- Deploy configuration to endpoints.
- Analyze differential results from osquery log output.
- Generate security findings report:
  python scripts/agent.py --results-dir /var/log/osquery/results/ --output osquery_report.json
Examples
Osquery Scheduled Query
{
  "schedule": {
    "process_snapshot": {
      "query": "SELECT pid, name, path, cmdline, uid FROM processes WHERE on_disk = 0;",
      "interval": 300
    }
  }
}
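Consuming the differential output of that scheduled query, as an added example that is not the page's scripts/agent.py: it parses osquery's newline-delimited result log, keeps only "added" rows, and turns process rows (every row is a hit, because the query already filters on on_disk = 0) and unexpected listener rows into findings. The sample log lines, the listening_ports query name and the EXPECTED_PORTS baseline are constructed assumptions.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of osquery differential results (newline-delimited JSON); not real log data.
# Each line is one row: "added" rows appeared since the previous run, "removed" rows went away.
SAMPLE_RESULTS = """
{"name":"process_snapshot","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"4242","name":"kworkerd","path":"/tmp/.x/kworkerd (deleted)","cmdline":"./kworkerd","uid":"0"}}
{"name":"process_snapshot","hostIdentifier":"web-01","unixTime":1700000300,"action":"removed","columns":{"pid":"4242","name":"kworkerd","path":"/tmp/.x/kworkerd (deleted)","cmdline":"./kworkerd","uid":"0"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000300,"action":"added","columns":{"pid":"5151","port":"8888","protocol":"6","address":"0.0.0.0","path":"/tmp/.x/srv"}}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1700000300,"action":"added","columns":{"pid":"1200","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"}}
"""

# Assumed baseline of sanctioned listening ports for this host class (tune per environment).
EXPECTED_PORTS = {"22", "443"}


def analyze_results(lines: Iterable[str]) -> List[Dict]:
    """Turn osquery differential rows into findings; only "added" rows describe new state."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line rather than abort the whole report
        if event.get("action") != "added":
            continue
        query, cols = event.get("name"), event.get("columns", {})
        base = {"host": event.get("hostIdentifier"), "time": event.get("unixTime"), "query": query}
        if query == "process_snapshot":
            # Query already filters on on_disk = 0: the executable was deleted or never on disk.
            findings.append({**base, "severity": "high",
                             "title": "Process running from a binary that is not on disk",
                             "detail": f"pid {cols.get('pid')} {cols.get('path')} uid={cols.get('uid')}"})
        elif query == "listening_ports" and cols.get("port") not in EXPECTED_PORTS:
            findings.append({**base, "severity": "medium",
                             "title": "Unexpected listening port",
                             "detail": f"{cols.get('address')}:{cols.get('port')} "
                                       f"pid {cols.get('pid')} ({cols.get('path')})"})
    return findings


def build_report(results_text: str) -> Dict:
    findings = analyze_results(results_text.splitlines())
    return {"finding_count": len(findings), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_RESULTS), indent=2))
```

The "removed" row for the same pid is intentionally ignored: it closes out an earlier finding rather than describing a new one, so re-alerting on it would double-count.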