
Make a `socket_events` port of `unexpected-https-client-linux`

Open · tstromberg opened this issue 3 years ago · 1 comment

Detection will be less racy on machines with eventing enabled.

tstromberg · Oct 21 '22 17:10

See the currently ported queries as a template to use:

  • https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-icmp-socket-events.sql
  • https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-dns-traffic-events.sql

tstromberg · Oct 21 '22 17:10
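One shape such a port could take, as an added example that is not the project's own query: it reads HTTPS `connect` calls from osquery's `socket_events` table and joins the live `processes` table for process and parent context. Column names come from osquery's documented `socket_events` and `processes` schemas; the 60-second window and the exclusion list are assumptions to be tuned per fleet.

```sql
-- Added example, not a query from osquery-defense-kit.
-- Assumes Linux eventing is enabled:
--   --disable_audit=false --audit_allow_sockets=true
-- Run on a short interval (e.g. every 60s) so the time window below
-- covers each run exactly once.
SELECT
  se.time,
  se.action,
  se.remote_address,
  se.remote_port,
  se.pid,
  p.name,
  p.path,
  p.cmdline,
  p.euid,
  pp.name AS parent_name,
  pp.path AS parent_path,
  -- name plus capped euid: distinguishes root vs. ordinary users
  -- without a separate entry per user id (assumed convention)
  p.name || ',' || MIN(p.euid, 500) AS exception_key
FROM socket_events se
  -- LEFT JOIN: the process may already have exited by the time the
  -- event is collected, in which case the process columns are NULL
  LEFT JOIN processes p ON se.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
WHERE se.action = 'connect'
  AND se.remote_port = 443
  AND se.family = 2                 -- AF_INET; add family = 10 for IPv6
  AND se.time > (strftime('%s', 'now') - 60)
  -- expected HTTPS clients (illustrative allowlist, extend per host)
  AND exception_key NOT IN (
    'firefox,500',
    'chrome,500',
    'curl,500',
    'apt-get,0',
    'snapd,0',
    'osqueryd,0'
  )
GROUP BY se.pid, se.remote_address
```

Rows whose `name` and `path` are NULL are short-lived processes that exited before the join; those still carry `pid`, `remote_address` and `time` from the audit event, which is exactly what a pure `process_open_sockets` poll would have missed.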