Learn how to detect, investigate, and remediate cybersecurity threats in real-time.

Panther is an open-source, cloud-native platform for security information and event management (SIEM). In this post, we’ll discuss its platform architecture and walk through a typical attacker scenario to demonstrate how Panther can be used to detect and remediate threats in real-time.

Panther is a Cloud-Native SIEM that leverages a Serverless architecture and is built fully on top of cloud-native services offered by AWS such as Lambda, ECS, DynamoDB, S3, Cognito, and more.

- Panther receives security logs from clouds, networks, endpoints, and more.
- Panther also performs baseline scans of cloud infrastructure to understand the state of your world.
- All of this data is received, parsed, analyzed, and saved to the data warehouse.
- Alerts are generated and dispatched to your team.
- Optional remediations are applied to misconfigured infrastructure.

Panther’s design provides a holistic approach to SIEM, where logs are contextually joined with standardized fields, and infrastructure context can be gained by looking up cloud resource attributes in a single pane.

To better understand how Panther’s Cloud-Native SIEM can be helpful, let’s walk through a typical attacker scenario:

- SSH credentials are stolen, providing access into a production machine.
- Once the attacker connects to the host, they begin to enumerate access and establish their foothold.

How can we detect, investigate, and remediate these behaviors?

## Step 1: Preparation

The first step is to collect the proper data to power detections. In most cloud-focused organizations, this involves a combination of logs across various layers:

- Cloud: AWS CloudTrail, S3 Access, GuardDuty.
- Network: VPC Flow, Switches/Firewalls, NIDS.
- Endpoint: Osquery, Syslog, Auditd, CrowdStrike.
- Application: SSO, Productivity Tools, Sales Applications.

For this exercise, let’s assume we are collecting logs from AWS CloudTrail, VPC Flow, and Osquery.

To find the suspicious login, we’ll write a rule that analyzes osquery data from the logged_in_users table:

```
$ sudo osqueryi
osquery> SELECT * FROM logged_in_users WHERE type = 'user';
| type | user | tty | host | time | pid |
```

The above information provides context about how users are logging into our systems. Using the osquery aws_firehose logger plugin, these results can be sent to S3 and analyzed by Panther.

In the example rule below, let’s ensure users are only logging in from centralized egress points, such as offices or VPNs:

```python
import ipaddress

# Make sure we are analyzing the right osquery table

# Check that the IP is within the office network
if ipaddress.IPv4Address(host_ip) not in OFFICE_NETWORK.hosts():

# Group logins by user to track lateral movement
```

Panther rules contain metadata to assist with triage, such as severity, log types, unit tests, runbooks, and more. This rule can be written directly in the Panther UI or uploaded programmatically with a CLI.

## Step 2: Detect

After our rules are uploaded, Panther will start analyzing new logs in real time. When the following suspicious login activity occurs:

We’ll see the following messages in Slack (or via any other supported Alert Destination):

Following the link in the alert to the Panther UI, we can now begin reviewing context and event details for the notification:

This is the starting point for our investigation.

After Panther parses and analyzes logs, it stores them in a data warehouse for long-term storage. During this process, common indicators (IPs, domains, etc.) are extracted to allow for fast queries and quick searches across the log corpus. Using Panther’s standardized data fields, we can begin to pivot through all of our data to answer additional questions.

In the Panther database (at the time of writing: Athena or Snowflake), we can use SQL to query all logs related to this IP:

```sql
SELECT DISTINCT p_log_type
-- ...
WHERE contains(p_any_ip_addresses, '136.24.229.194')
```

From here, we can find all possible instance IDs connected to the timeframe:

```sql
SELECT instanceid, COUNT(*) AS login_count
-- ...
```

We can then look at this instance in Panther’s resource search, which provides all attributes and associated policy successes and failures that could indicate security vulnerabilities.
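The office-network rule sketched in Step 1 is only a fragment; the following is an added example, not the post's or Panther's own code, that carries the same checks through as a complete Panther-style rule (`rule` and `dedup` entry points) evaluated over osquery differential result rows, and groups alerting logins by user so that one account reaching several hosts stands out. The scheduled-query name, the office egress ranges and the event field layout (`name`, `action`, `hostIdentifier`, `columns`) are assumptions, and the sample rows are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed office/VPN egress ranges (RFC 5737 documentation prefixes as placeholders)
OFFICE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# Assumed scheduled-query name under which logged_in_users rows arrive; match it to your pack
LOGGED_IN_USERS_QUERY = "pack_incident-response_logged_in_users"

def rule(event):
    """Panther-style rule: return True (alert) on a user login from outside the office egress points."""
    # Make sure we are analyzing the right osquery table, and only newly added differential rows
    if event.get("name") != LOGGED_IN_USERS_QUERY or event.get("action") != "added":
        return False
    columns = event.get("columns", {})
    if columns.get("type") != "user":  # boot_time / login-process rows are not user sessions
        return False
    try:
        addr = ipaddress.ip_address(columns.get("host", ""))
    except ValueError:
        return False  # console/tty logins carry no remote address in the host column
    # Check that the IP is within the office network (test the network itself, not .hosts())
    return not any(addr in net for net in OFFICE_NETWORKS)

def dedup(event):
    # Group logins by user to track lateral movement: one alert thread per account
    return event.get("columns", {}).get("user", "unknown")

def hosts_by_user(events):
    """For each alerting user, the sorted list of hosts reached from outside the office."""
    grouped = defaultdict(set)
    for ev in events:
        if rule(ev):
            grouped[dedup(ev)].add(ev.get("hostIdentifier"))
    return {user: sorted(hosts) for user, hosts in grouped.items()}

def _row(host_id, user, src, kind="user", name=LOGGED_IN_USERS_QUERY):
    # Build a constructed osquery differential result row in the shape the rule expects
    return {"name": name, "action": "added", "hostIdentifier": host_id,
            "columns": {"type": kind, "user": user, "tty": "pts/0", "host": src, "time": "0", "pid": "1"}}

# Constructed sample events, not real logs
SAMPLE_EVENTS = [
    _row("prod-web-1", "alice", "192.0.2.15"),                  # office egress: no alert
    _row("prod-web-1", "deploy", "203.0.113.77"),               # outside the office: alert
    _row("prod-db-1", "deploy", "203.0.113.77"),                # same account, second host
    _row("prod-web-1", "reboot", "5.4.0", kind="boot_time"),    # not a user session: ignored
    _row("prod-web-1", "bob", "203.0.113.9", name="pack_incident-response_process_events"),
]
```

Running `hosts_by_user(SAMPLE_EVENTS)` yields `{'deploy': ['prod-db-1', 'prod-web-1']}`: the office login, the boot record and the row from another table are all ignored, while the one account seen on two hosts is surfaced as a single group.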