Using Facebook’s osquery for Monitoring and Response

Real-time visibility is key to completely understanding the current state of your IT infrastructure. In October 2014, Facebook made low-level operating system monitoring easier by releasing their endpoint and server security monitoring tool, osquery, as an open-source project.

The project was developed to be operating-system agnostic. This means that it can operate on Windows, Linux, and Apple OSX. By exposing collected data via Structured Query Language (SQL), a request for information on Windows works the same as it does on Apple OSX. With this structure, operating system-level information such as network, memory and service, process activity, and configurations can all be collected on a scheduled basis or queried in real time.

This kind of low-level host-based information is extremely useful for security analysts looking to detect malicious activities. However, osquery does not provide aggregate log collection—this is left to the administrator. Fortunately, LogRhythm can easily manage and collect these osquery logs and then turn them into actionable insight to drive rapid detection and response via SmartResponse actions.

Building a LogRhythm SmartResponse Action

With a LogRhythm SmartResponse automated playbook action, you can ask questions of an asset within your environment to find potentially malicious activity, in real time, all from a single application. Even better: Creating a SmartResponse action in LogRhythm is simple. By following the LogRhythm SmartResponse Plug-in Development Guide you can easily create a rule. I’ve provided a quick and dirty proof of concept below for this use case as an example.

1. Actions.xml file:
<?xml version="1.0" encoding="utf-8"?>
<remv1:Remediation-Plugin xmlns:remv1="RemediationVersion1.xsd" Name="FaceBook Osquery"
Guid="00000000-0000-0000-0000-000000000001" Version="1" IsLogRhythmPlugin="false">
  <remv1:Action Name="Facebook Osquery" Command="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe">
    <remv1:ConstantParameter Name="Script" Switch="-file FaceBookOsquery.ps1"  Order="1" />
    <remv1:StringParameter Name="Query" Switch="" Order="2" />
    <remv1:StringParameter Name="Format" Switch="" Order="3" />
  </remv1:Action>
</remv1:Remediation-Plugin>
2. PowerShell (or any language of your choosing) script
#Hardcore, no comments
#Abort the SmartResponse action with a non-zero exit code on any unhandled exception
trap [Exception] {
write-error $("TRAPPED: " + $_)
exit 1
}

#SmartResponse passes the two StringParameters from Actions.xml as positional arguments
$Query = $args[0]
$Format = $args[1]
#What could go wrong here? (both values are interpolated into a command string that
#Invoke-Expression will parse as PowerShell, so they must be trusted input)
$OsqueryWin = "C:\programdata\osquery\osqueryi.exe --" + $Format + " '" + $Query + "'"

#Run it all: --json or --csv selects the osqueryi output format, the quoted SQL is the query
iex $OsqueryWin
3. Create a SmartResponse by importing the above files. Now you’re ready to start asking questions.
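A hardened version of the wrapper script, added here as an example and not the author's or LogRhythm's code. It keeps the same interface (query first, format second) and the osqueryi path from the Actions.xml above, but validates both arguments and calls the binary through PowerShell's call operator instead of Invoke-Expression, so the query text is never re-parsed as a command.

```powershell
# Hardened replacement for FaceBookOsquery.ps1 (added example; not the author's script).
# Assumptions: osqueryi is at the path used on the page, and SmartResponse still passes
# the query as the first argument and the output format as the second.
param(
    [string]$Query = '',
    [string]$Format = ''
)
$ErrorActionPreference = 'Stop'
$OsqueryExe = 'C:\programdata\osquery\osqueryi.exe'

# 1. Accept only output modes osqueryi actually supports. Anything else, including a
#    value that merely looks like an extra command-line flag, is rejected outright.
$AllowedFormats = @('json', 'csv', 'line')
$Format = $Format.Trim().ToLowerInvariant()
if ($AllowedFormats -notcontains $Format) {
    Write-Error "Unsupported output format '$Format'; expected one of: $($AllowedFormats -join ', ')"
    exit 2
}

# 2. osquery tables are read-only, so a legitimate SmartResponse query is one SELECT.
#    Refuse anything else: empty input, non-SELECT statements, or a second statement
#    after a semicolon. (A ';' inside a string literal is also rejected; for an
#    automated action that is the conservative side to err on.)
$Query = $Query.Trim()
if ($Query -notmatch '^select\s' -or $Query -match ';\s*\S') {
    Write-Error 'Query must be a single SELECT statement'
    exit 2
}

if (-not (Test-Path -LiteralPath $OsqueryExe)) {
    Write-Error "osqueryi not found at $OsqueryExe"
    exit 3
}

# 3. Call the binary directly with discrete arguments. Unlike Invoke-Expression, the
#    call operator never re-parses $Query as PowerShell, so quotes or spaces in the
#    query cannot change which program runs or append extra commands.
& $OsqueryExe "--$Format" $Query
if ($LASTEXITCODE -ne 0) {
    Write-Error "osqueryi exited with code $LASTEXITCODE"
    exit $LASTEXITCODE
}
```

The Actions.xml from the page needs no change: the `-file` switch still hands the two StringParameters to the script positionally, and a non-zero exit code surfaces the rejection in the SmartResponse result.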

Using LogRhythm SmartResponse To Gather Indicators of Malicious Activity

In this use case, I am acting as an analyst, and I want to understand what is happening on server SIP01. Unfortunately, I don’t have direct access to this device. But I do have osquery installed as an agent, which can help me remotely run a query. This time, I want to understand which users currently exist on the system and which new users have been recently created. With just a click, I can activate my pre-existing SmartResponse action and automatically run a query to return all users.

Figure 1: Facebook osquery SmartResponse to Return All Users of SIP01

Once prompted, osquery can return results in multiple formats for analysis. Here I have results available in either JSON or CSV format.

Figure 2: SmartResponse JSON-Formatted Output

Figure 3: SmartResponse CSV-Formatted Output

And there I have it! I now have log output from a system, server SIP01, that I could not otherwise have obtained without LogRhythm and osquery. From here, I can analyze the output. If I see something suspicious, I can attach the information to a case to bring additional details and insight to my team.

As an analyst, I was able to quickly and efficiently query a third-party system via osquery and get a real-time response on the status of the asset. I didn’t need to log a ticket with another department or phone someone. What’s more, I can quickly find an important answer without having to pivot to an interface outside of LogRhythm, effectively simplifying my Threat Lifecycle Management process and saving even more valuable time.

Being able to integrate LogRhythm and osquery to instantly question and understand the current state of your IT infrastructure opens up a huge array of other possible use cases. I’ve included several other useful queries, adapted from Jen Andrew’s blog post, that can be run via SmartResponse from the Web UI to gather valuable security-related information from endpoints and servers to detect or respond to threats.

Other Useful Threat-Hunting Queries

Process Activity by Highest Memory Utilization

This SmartResponse query lists the ten running processes with the highest resident memory usage.

select pid, name, uid, resident_size from processes order by resident_size desc limit 10;

Figure 4: SmartResponse Process Activity Query Output

Process Activity by Count

This SmartResponse query shows the ten process names with the most running instances.

select count(pid) as total, name from processes group by name order by total desc limit 10;

Figure 5: SmartResponse Process Activity by Count Query Output

Running Processes with No Matching Binary

This SmartResponse query lists running processes whose executable path no longer exists on disk (osquery reports this as on_disk = 0).

SELECT name, path, pid FROM processes WHERE on_disk = 0;

Figure 6: SmartResponse Running Processes with no Matching Binary Query Output
