

For query assistance, please see the following Best Practices guide.

'osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive. Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.'

OSQuery acts as the foundation technology for issuing queries to endpoints and collecting the information back to Sophos Central (a Fleet Manager in OSQuery language). Sophos actively participates in the open source project and contributes back to the community both new capabilities (support for Windows 7) and bug fixes. For a full discussion on the OSQuery extension I recommend starting with the OSQUERY.IO web site.

With the addition of the data lake a significant amount of new information is available. In this document we will discuss each of the core database schemas. For those that simply want the schema data, some links are provided below:

- OSQuery (Windows, Mac, Linux) - OSQuery Schema for Windows, Mac and Linux.
- Sophos Extension (Windows) - Sophos Extension Schema for Windows.
- Endpoint - Data Lake Schema for Endpoints.

We are currently using OSQuery version 4.5.1; in total, between Windows, Mac and Linux this gives you access to over 200 tables of device information. Each of the supported operating systems has common tables that are shared with the other operating systems and a number of tables that are unique to that operating system. For example, all operating systems have an OSQuery table for processes, but only Windows has a table for registry keys, as these are unique to Windows. There are a number of online locations where folks exchange queries that work with OSQuery directly, and almost all of those should work fine from Sophos Central.

From Central you can get a fair bit of information on exactly what version of OSQuery is running on the device, information about the extensions we added, and information on how we fill the Sophos data lake.

Get the OSQuery information from the device

For those already familiar with OSQuery you will notice a column you might not have expected. The epName column is automatically added by Sophos to identify the device that returned the result. We do this to allow administrators to set a high-level filter on what devices they want to send the query to. This allows administrators to target the query to a single device or group of devices and is a common filtering method with fleet managers, where the admin may not want to issue complex queries to all devices, or may be issuing a query that only works on Linux and does not want to send it to devices that will simply return a "table not found" error. With this query you can also see the version information and an indication that extensions are 'Active'.

This leads to some other work we have done to extend osquery. With OSQuery we have excellent information on the current running state of a device and access to some of the event and system logs. For forensics you really need to be able to go back in time and see what was happening on the device days or weeks in the past. To enable this, Sophos records all process activity and puts the information into a series of journals that are made available with the extension.
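The version and extension check described above, written out as an added example (not a query from the original post or from Sophos). It uses only the standard osquery tables `osquery_info`, `osquery_extensions` and `osquery_registry`, which exist on Windows, Mac and Linux; the Sophos extension name and the `epName` column are supplied by Central, so neither is hard-coded here.

```sql
-- Added example. Assumes a stock osquery 4.x schema:
--   osquery_info       (version, build_platform, ...)
--   osquery_extensions (uuid, name, version, sdk_version, path, type)
--   osquery_registry   (name, registry, internal, active, owner_uuid)
-- The epName column is appended to the result by Sophos Central,
-- so it is not part of the SELECT list.

-- 1. osquery version on the device plus every loaded extension.
--    LEFT JOIN keeps the osquery_info row even if no extension is loaded;
--    type = 'extension' filters out the 'core' pseudo-entry.
SELECT
    i.version        AS osquery_version,
    i.build_platform AS platform,
    e.name           AS extension_name,
    e.version        AS extension_version,
    e.path           AS extension_path
FROM osquery_info AS i
LEFT JOIN osquery_extensions AS e
    ON e.type = 'extension';

-- 2. Are the extension-provided tables actually active?
--    Tables owned by an extension carry that extension's uuid in owner_uuid;
--    active = 1 is the "Active" indication mentioned in the text.
SELECT
    r.name        AS table_name,
    e.name        AS provided_by,
    r.active      AS is_active
FROM osquery_registry AS r
JOIN osquery_extensions AS e
    ON e.uuid = r.owner_uuid
WHERE r.registry = 'table'
  AND e.type = 'extension'
ORDER BY e.name, r.name;

-- 3. Guard against the "table not found" case before sending a
--    platform-specific query: a row here means the Windows-only
--    `registry` table is registered on this device.
SELECT name, active
FROM osquery_registry
WHERE registry = 'table'
  AND name = 'registry';
```

Query 3 returns no rows on Mac and Linux rather than an error, so it can be used in a fleet manager to decide which devices should receive a Windows-only query.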
