{"id":22383550,"url":"https://github.com/khulnasoft/osinsight","last_synced_at":"2025-03-26T20:16:59.203Z","repository":{"id":266383563,"uuid":"898198308","full_name":"khulnasoft/osinsight","owner":"khulnasoft","description":"🔍 Production-ready detection \u0026 response queries for osquery 🛡️ Boost endpoint monitoring, detect threats 🚨, and streamline incident response ⚡","archived":false,"fork":false,"pushed_at":"2025-02-26T12:16:00.000Z","size":3294,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-19T20:18:00.791Z","etag":null,"topics":["cybersecurity","detection-queries","endpoint-monitoring","incident-response","osquery","real-time-monitoring","response-automation","security-auditing","system-security","threat-detection"],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/khulnasoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-04T00:54:48.000Z","updated_at":"2025-02-26T12:15:56.000Z","dependencies_parsed_at":"2025-01-14T00:32:36.351Z","dependency_job_id":null,"html_url":"https://github.com/khulnasoft/osinsight","commit_stats":null,"previous_names":["khulnasoft/osinsight"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khulnasoft%2Fosinsight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khulnasoft%2Fosinsight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khulnasoft%2Fosinsight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khulnasoft%2Fosinsight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/khulnasoft","download_url":"https://codeload.github.com/khulnasoft/osinsight/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245727722,"owners_count":20662557,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","detection-queries","endpoint-monitoring","incident-response","osquery","real-time-monitoring","response-automation","security-auditing","system-security","threat-detection"],"created_at":"2024-12-05T01:14:04.667Z","updated_at":"2025-03-26T20:16:59.179Z","avatar_url":"https://github.com/khulnasoft.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# osinsight\n\n[![Actions Status](https://github.com/khulnasoft/osinsight/workflows/verify/badge.svg)](https://github.com/khulnasoft/osinsight/actions)\n[![Latest Release](https://img.shields.io/github/v/release/khulnasoft/osinsight?include_prereleases)](https://github.com/khulnasoft/osinsight/releases/latest)\n[![stable](https://badges.github.io/stability-badges/dist/stable.svg)](https://github.com/badges/stability-badges)\n[![License](https://img.shields.io/github/license/khulnasoft/osinsight)](https://github.com/khulnasoft/osinsight/blob/main/LICENSE)\n[![GitHub stars](https://img.shields.io/github/stars/khulnasoft/osinsight?style=social)](https://github.com/khulnasoft/osinsight/stargazers)\n[![GitHub forks](https://img.shields.io/github/forks/khulnasoft/osinsight?style=social)](https://github.com/khulnasoft/osinsight/network/members)\n\nProduction-ready osquery queries for Detection \u0026 Incident Response\n\n[Getting Started](#requirements) • [Documentation](#file-organization) • [Contributing](#contributions)\n\n---\n\nosquery queries for Detection \u0026 Incident Response, containing 250+ production-ready queries.\n\nODK (osinsight) is unique in that the queries are designed to be used as part of a production detection \u0026 response pipeline. The detection queries are formulated to return zero rows during normal expected behavior, so that they may be configured to generate alerts when rows are returned.\n\nAt the moment, these queries are predominantly designed for execution on POSIX platforms (Linux \u0026 macOS). Pull requests to improve support on other platforms are fully welcome.\n\n## Requirements\n\n* osquery v5.7.0 or above\n* macOS or Linux\n* If you plan to do local development you will also need Go v1.20+ for [ossentry](https://github.com/khulnasoft-lab/ossentry)\n\n## Usage\n\n### Local Detection\n\nRun `make detect` for point-in-time detection. This will not detect as much as a production installation as it will not have access to historical events.\n\n### Production Detection\n\nDownload a released query pack into a convenient location, and point to these files from the `packs` stanza of your `osquery.conf` file\n\n### Local Data Collection for IR\n\nRun `make collect`. This is particularly useful for before/after analysis.\n\n### Local pack generation\n\nRun `make packs`.  For more control, you can invoke [ossentry](https://github.com/khulnasoft-lab/ossentry) directly, to override default intervals or exclude checks.\n\n### Local verification testing\n\nRun `make verify`\n\n## File Organization\n\n* `detection/` - Threat detection queries tuned for alert generation.\n* `policy/` - Security policy queries tuned for alert generation.\n* `incident_response/` - Data collection to assist in responding to possible threats. Tuned for periodic evidence collection.\n\nThe detection queries are further divided up by [MITRE ATT\u0026CK](https://attack.mitre.org/) tactics categories.\n\nAt release time, the queries are packed up in [osquery query pack](https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs) format. See `Local Pack Generation` for information on how to generate your own packs at any time.\n\n## Case Studies\n\n### Linux: Shikitega (September 2022)\n\n\u003chttps://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux\u003e\n\nHere is a partial list of what queries would have fired an alert based on these queries:\n\n* *Initial Dropper Execution*, detected by:\n  * `execution/tiny-executable-events.sql`\n  * `execution/tiny-executable.sql`\n* *Next Stage Dropper Execution*, detected by:\n  * `execution/tiny-executable-events.sql`\n  * `execution/tiny-executable.sql`\n  * `execution/unexpected-shell-parents.sql`\n* *Escalation Prep*, detected by:\n  * `execution/sketchy-fetchers.sql`\n  * `execution/sketchy-fetcher-events.sql`\n  * `c2/unexpected-talkers-linux.sql`\n  * `c2/exotic-command-events.sql`\n  * `c2/exotic-cmdline.sql`\n* *Escalation Tool Execution* detected by:\n  * `execution/unexpected-executable-permissions.sql`\n  * `execution/unexpected-executable-directory-linux.sql`\n  * `execution/unexpected-tmp-executables.sql`\n  * `c2/exotic-command-events.sql`\n  * `c2/exotic-cmdline.sql`\n  * `initial_access/unexpected-shell-parents.sql`\n  * `evasion/missing-from-disk-linux.sql`\n* *Privilege Escalation* detected by:\n  * `privesc/unexpected-setxid-process.sql`\n  * `privesc/unexpected-privilege-escalation.sql`\n  * `privesc/events/unexpected-privilege-escalation-events.sql`\n  * `evasion/name_path_mismatch.sql`\n* *Persistence* detected by:\n  * `persistence/unexpected-cron-entries.sql`\n  * `execution/unexpected-executable-directory-linux.sql`\n\n### macOS: CloudMensis (April 2022)\n\n\u003chttps://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/\u003e\n\nHere is a partial list of what stages would have been detected by particular queries:\n\n* *Initial Dropper Execution*, detected by:\n  * `c2/unexpected-talkers-macos.sql`\n\n* *Second Stage Execution*, detected by:\n  * `execution/unexpected-executable-directory-macos.sql`\n  * `persistence/unexpected-launch-daemon-macos.sql`\n  * `execution/unexpected-mounts.sql`\n\n* *TCC Bypass*, detected by:\n  * `evasion/unexpected-env-values.sql`\n\n* *Spy Agent Execution*, detected by:\n  * `c2/unexpected-talkers-macos.sql`\n  * `execution/exotic-command-events.sql`\n  * `execution/unexpected-executable-directory-macos.sql`\n\n\n## Policies\n\n### Contributions\n\nHelp Wanted! We support any new queries so long as they can be easily updated to address false positives.\n\nUsers may submit false positive exceptions for popular well-known software packages, but may be asked to provide evidence for the behavior.\n\n### Platform Support\n\nWhile originally focused on Linux and macOS, we support the addition of queries on any platform supported by osquery.\n\nIn particular, we've been asked about Windows support: Chainguard doesn't have any Windows machines, but if you have Windows queries that you think would be useful and match our philosophy, we're more than willing to accept them!\n\n### False Positives\n\nWe endeavor to exclude real-world false positives from our `detection` queries.\n\nManaging false positives is easier said than done - pull requests are welcome!\n\n### CPU Overhead\n\nIn aggregate, queries should not consume more than 2% of the wall clock time across a day on a deployed system.\n\n### Intervals\n\nDeployed intervals are automatically determined based on the tags supported by the [ossentry](https://github.com/khulnasoft-lab/ossentry), which we use for pack assembly.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkhulnasoft%2Fosinsight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkhulnasoft%2Fosinsight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkhulnasoft%2Fosinsight/lists"}