Query osquery on another machine
Windows Eventlogs from the local Windows system can be shipped with osquery to Security Onion. These logs will show up in Security Onion as event.dataset: windows_eventlog or event.dataset: sysmon. Current parsing support extends to the core Windows Eventlog channels (Security, Application, System) as well as Sysmon under the default channel location.


Osquery will attempt to connect to the manager via the manager's IP or hostname, whichever was selected during the manager setup. If the hostname is used, the endpoints need to be able to resolve that hostname to the manager's IP. See this value by running the following command on the manager: sudo salt-call pillar.get global:url_base. If this value ever changes, the osquery packages under the Security Onion Console (SOC) Downloads page will need to be regenerated.

All the packages (except for the macOS PKG) are customized for the specific Security Onion grid they were downloaded from, and include all the necessary configuration to connect to that grid. The macOS package is a stock Launcher package, and will require additional configuration once it has been deployed. For macOS deployments, install the package and then configure the following:

Zentral can act as a remote server for Osquery, for configuration and query runs.


Osquery is an operating system instrumentation framework for Windows. To deploy an osquery agent to an endpoint, go to the Security Onion Console (SOC) Downloads page and download the proper osquery agent for the operating system of that endpoint. Use so-allow to allow the osquery agent to connect to port 8090 on the manager. Then install the osquery agent; it should check into the manager and start showing up in FleetDM.
