Real-time visibility is key to completely understanding the current state of your IT infrastructure. In October 2014, Facebook made low-level operating system monitoring easier by releasing their endpoint and server security monitoring tool, osquery, as an open-source project.
The project was developed to be operating-system agnostic. This means that it can operate on Windows, Linux, and Apple OSX. By exposing collected data via Structured Query Language (SQL), a request for information on Windows works the same as it does on Apple OSX. With this structure, operating system-level information such as network, memory and service, process activity, and configurations can all be collected on a scheduled basis or queried in real time.
This kind of low-level host-based information is extremely useful for security analysts looking to detect malicious activities. However, osquery does not provide aggregate log collection—this is left to the administrator. Fortunately, LogRhythm can easily manage and collect these osquery logs and then turn them into actionable insight to drive rapid detection and response via SmartResponse actions.
Building a LogRhythm SmartResponse Action
With a LogRhythm SmartResponse automated playbook action, you can ask questions of an asset within your environment to find potentially malicious activity, in real time, all from a single application. Even better: Creating a SmartResponse action in LogRhythm is simple. By following the LogRhythm SmartResponse Plug-in Development Guide you can easily create a rule. I’ve provided a quick and dirty proof of concept below for this use case as an example.
- Actions.xml file:
- Powershell (or any language of your choosing) Script
- Create a SmartResponse by importing the above files. Now you’re ready to start asking questions.
Using LogRhythm SmartResponse To Gather Indicators of Malicious Activity
In this use case, I am acting as an analyst, and I want to understand what is happening on server SIP01. Unfortunately, I don’t have direct access to this device. But I do have osquery installed as an agent, which can help me remotely run a query. This time, I want to understand which users currently exist on the system and which new users have been recently created. With just a click, I can activate my pre-existing SmartResponse action and automatically run a query to return all users.
Figure 1: Facebook osquery SmartResponse to Return All Users of SIP01 (Click on images to view larger.)
Once prompted, osquery can return results in multiple formats for analysis. Here I have results available in either JSON or CSV format.
Figure 2: SmartResponse JSON-Formatted Output (Click on images to view larger.)
Figure 3: SmartResponse CSV-Formatted Output (Click on images to view larger.)
And there I have it! I now have log messages output of a system, server SIP01, that I would have otherwise not been able to without LogRhythm and osquery. From here, I can analyze the output. If I had seen something suspicious, I could attach the information to a case to bring additional details and insight to my team.
As an analyst, I was able to quickly and efficiently query a third-party system via osquery and get a real-time response on the status of the asset. I didn’t need to log a ticket with another department or phone someone. What’s more, I can quickly find an important answer without having to pivot to an interface outside of LogRhythm, effectively simplifying my Threat Lifecycle Management process and saving even more valuable time.
Being able to integrate LogRhythm and osquery to instantly question and understand the current state of your IT infrastructure opens up a huge array of other possible uses cases. I’ve included several other useful queries, adapted from Jen Andrew’s blog post, that can be run via SmartResponse from the Web UI to gather value security related information from endpoints and servers to detect or respond threats.
Other Useful Threat-Hunting Queries
Process Activity by Highest Memory Utilization
This SmartResponse query detects all running processes listed by highest memory utilization.
Figure 4: SmartResponse Process Activity Query Output (Click on images to view larger.)
Process Activity by Count
This SmartResponse query shows processes with the highest active count.
Figure 5: SmartResponse Process Activity by Count Query Output (Click on images to view larger.)
Running Processes with No Matching Binary
This SmartResponse query checks for a running process where there is no matching running binary on disk.
Figure 6: SmartResponse Running Processes with no Matching Binary Query Output (Click on images to view larger.)