process_open_sockets vs socket_events
This article explains the difference between the socket information captured by the process_open_sockets table and the information captured by the socket_events table.
The same distinction applies to processes, i.e. to the process information captured by the processes table versus the process_events table.
process_open_sockets:
- A scheduled query.
- Captures all sockets open in all running processes at the moment the query runs.
- Misses any socket (or, for the processes table, any process) that was opened and closed between two runs of the query.

socket_events:
- Captures the connect, accept, bind and listen system calls as they happen.
- Will not miss any socket that is created while osquery is running.
With socket_events enabled, process_open_sockets is less important but still needed: socket_events only records calls made after osquery started, so sockets belonging to processes started before osquery are only visible through process_open_sockets.
With socket_events enabled, the collection frequency of process_open_sockets can therefore be decreased.
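An added example, not part of the original article, of how the two tables are typically scheduled together on a Linux host given the trade-off above: the event table is polled often, the snapshot table rarely, and the audit socket collection is switched on. The option names are osquery's Linux audit flags; the pack, query names and intervals are illustrative choices, not values from the article.

```json
{
  "options": {
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_sockets": "true",
    "events_expiry": "3600"
  },
  "packs": {
    "socket_visibility": {
      "platform": "linux",
      "queries": {
        "socket_events_all": {
          "query": "SELECT action, pid, path, family, protocol, local_address, local_port, remote_address, remote_port, time FROM socket_events;",
          "interval": 60,
          "description": "Event table: catches short-lived connect/bind/accept calls the snapshot would miss"
        },
        "open_sockets_snapshot": {
          "query": "SELECT p.pid, p.name, p.path, s.family, s.protocol, s.local_address, s.local_port, s.remote_address, s.remote_port, s.state FROM process_open_sockets s JOIN processes p USING (pid);",
          "interval": 3600,
          "snapshot": true,
          "description": "Snapshot table: covers processes started before osquery and long-lived sockets; low frequency because socket_events fills the gaps"
        }
      }
    }
  }
}
```

The socket_events query returns rows only for calls made after osquery started, which is why the snapshot query is kept in the pack rather than removed.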