Threat Hunting with Osquery in Kibana — Part 1

In the intricate landscape of cybersecurity, the essential utility of Threat Hunting with Osquery in Kibana lies in enabling security teams to proactively and automatically analyze threats. This article is divided into two parts: the first part introduces the advantages of the tool and outlines the implementation of Osquery with Elastic Agent. In the second part, we will conduct hunting using Osquery in Kibana, offering valuable queries that could greatly assist cybersecurity threat analysts in their hunting and investigative activities.

We start with the definition of Threat Hunting, which is a cybersecurity methodology based on the proactive search for threats within an infrastructure. Unlike prevention, which focuses on blocking threats before they occur, Threat Hunting focuses on finding threats that have already eluded security measures.

It's important to note that most security defenses operate passively, responding to specific events or predefined conditions, similar to the functioning of our immune system. However, this reactivity has its limitations, allowing adversaries to remain hidden in our environment for extended periods.

A classic example of this is antivirus software used in enterprises, which waits for specific events to trigger. But what if adversaries avoid these predictable events? This is where threat hunting comes into play.

Now, have you heard of Osquery? Let me tell you a bit about it. Osquery is a tool that allows you to query your operating systems as if you were querying a database. With it, you can use basic SQL commands to obtain information about servers and computers running operating systems like Linux, macOS, or Windows.

As an open-source tool, it enables security analysts to query the state of an operating system, collecting data from various sources such as the system log, running processes, open files, and network connections.

Some examples of using Osquery for Threat Hunting include detecting malicious processes, suspicious network connections, and identifying software without patches or with known vulnerabilities.
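To make the "suspicious network connections" case concrete, here is an added example (not from the original article) of an osquery SQL query that lists processes holding connections to remote addresses, together with their parent process. The tables and columns come from osquery's standard schema; the excluded address ranges are an assumption about what counts as internal and should be adjusted to your network.

```sql
-- Added example: processes with connections to non-internal remote addresses.
-- Tables used: process_open_sockets, processes (osquery standard schema).
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.on_disk,                      -- 0 = binary no longer on disk, worth a closer look
  pp.name          AS parent_name,
  pp.path          AS parent_path,
  CASE s.protocol
    WHEN 6  THEN 'tcp'
    WHEN 17 THEN 'udp'
    ELSE CAST(s.protocol AS TEXT)
  END              AS protocol,
  s.local_port,
  s.remote_address,
  s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p
  ON p.pid = s.pid
LEFT JOIN processes AS pp         -- parent may have exited, so keep the row anyway
  ON pp.pid = p.parent
WHERE s.remote_port <> 0          -- skip listening and unconnected sockets
  AND s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
  -- Assumption: these prefixes are the internal ranges in this environment.
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE 'fe80:%'
ORDER BY p.name, s.remote_address, s.remote_port;
```

Rows where `on_disk` is 0, or where the process path sits in a user-writable or temporary directory, are the ones to triage first.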

How does it work in Kibana?

The Osquery user interface in Kibana allows you to run real-time queries for one or multiple agents, view a history of previous queries, schedule queries to capture changes in the operating system's state over time, and build a library of queries for specific use cases.

Osquery results are stored in Elasticsearch, enabling you to search, analyze, and visualize Osquery data. This not only helps you identify potential vulnerabilities in your operating systems but also ensures they comply with security standards and facilitates the investigation of issues in your systems.

Let's proceed with the integration!

Before integrating, you need to install Elastic Agent on the machine where you want to conduct the hunting. Here's a guide on how to do it. After this step, we proceed with the integration.

Let's start configuring the rule!

1. We access Elasticsearch to carry out the integration.

2. We navigate to “Fleet” to verify that Elastic Agent is installed on the Windows Server 2022 host.

Elastic Agent installed on the Windows Server!

3. Next, we navigate to the “Add Integrations” section and search for the required integration. In this instance, we choose “Osquery Manager”.

With this integration, you can centrally manage the deployments of Osquery on Elastic Agents.

4. We select “Add Osquery Manager”.

5. Now, we give the integration a name; in this case, “osquery_infrasecuritycode”.

6. We choose the “Infrasecuritycode” policy, which is added to the Windows Server 2022, then click on “Save and deploy changes”. Here is an article on how to create and assign a policy.

7. Now, we click on the “Save and continue” option.

Done!

8. Once the integration is set up, we navigate to the “Management” section and access “Osquery”.

9. By choosing “New live query”, you can create a new live query.

We have concluded the first part of this article. I hope it has been helpful for you. Don't miss the second part, where I will provide valuable queries that could be of great assistance in your hunting and investigative activities.

Don't miss out!

Hi! I am Kendra Mazara

Senior Information Security Specialist | MBA | Cofounder MujeresTICs RD | Speaker | LinkedIn Learning Instructor
