osquery-defense-kit icon indicating copy to clipboard operation
osquery-defense-kit copied to clipboard
verified publisher icon chainguard-dev

Make a `socket_events` port of `unexpected-talkers-linux`

Open tstromberg opened this issue 3 years ago • 1 comments

For less racy detection.

tstromberg avatar Oct 21 '22 17:10 tstromberg

See the currently ported queries as a template to use:

  • https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-icmp-socket-events.sql
  • https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/c2/unexpected-dns-traffic-events.sql

tstromberg avatar Oct 21 '22 17:10 tstromberg