5 changes: 5 additions & 0 deletions packages/osquery_manager/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.2.0"
changes:
- description: Add packs and dashboards
type: enhancement
link: https://github.com/elastic/integrations/pull/2851
- version: "1.1.0"
changes:
- description: Upgrade schema and readme to match osquery 5.2.2.
@@ -0,0 +1,54 @@
{
"attributes": {
"description": "Dashboard for visualizing the data collected by the Osquery compliance pack.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.module:osquery_manager\"},\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
"panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":28,\"x\":20,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"4\",\"w\":11,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":11,\"i\":\"5\",\"w\":9,\"x\":11,\"y\":4},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":20,\"x\":0,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0-SNAPSHOT\"}]",
"timeRestore": false,
"title": "[Osquery Manager] Compliance pack",
"version": 1
},
"coreMigrationVersion": "8.2.0",
"id": "osquery_manager-69f5ae20-eb02-11e7-8f04-51231daa5b05",
"migrationVersion": {
"dashboard": "8.2.0"
},
"references": [
{
"id": "osquery_manager-7a9482d0-eb00-11e7-8f04-51231daa5b05",
"name": "panel_0",
"type": "search"
},
{
"id": "osquery_manager-a9fd8bb0-eb01-11e7-8f04-51231daa5b05",
"name": "panel_1",
"type": "visualization"
},
{
"id": "osquery_manager-3824b080-eb02-11e7-8f04-51231daa5b05",
"name": "panel_2",
"type": "search"
},
{
"id": "osquery_manager-1da1ed30-eb03-11e7-8f04-51231daa5b05",
"name": "panel_3",
"type": "visualization"
},
{
"id": "osquery_manager-240f3630-eb05-11e7-8f04-51231daa5b05",
"name": "panel_4",
"type": "visualization"
},
{
"id": "osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040",
"name": "panel_5",
"type": "visualization"
}
],
"type": "dashboard",
"updated_at": "2022-03-18T16:51:37.575Z",
"version": "WzE2NzkxOSw2XQ=="
}
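Review bot: The two new dashboards are exported in different saved-object formats: this one's `panelsJSON` stamps every panel with `\"version\":\"7.11.0-SNAPSHOT\"` and omits a per-panel `type`, and its references are named `panel_0`…`panel_5`, while the OSSEC rootkit dashboard in the same commit uses `\"version\":\"8.2.0\"`, a `type` per panel and `1:panel_1`-style reference names. Both objects carry `"migrationVersion": { "dashboard": "8.2.0" }`, so the `7.11.0-SNAPSHOT` panel version here looks like a stale export rather than an intentional difference. As far as I can tell Kibana resolves either reference-name form, but re-exporting this dashboard from the same 8.2 stack as the other one would keep the package's assets consistent and avoid relying on migration fallbacks. The `updated_at` and `version` (`WzE2NzkxOSw2XQ==`) fields on both objects are instance-specific export metadata; worth confirming the package build expects them rather than stripping them.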
@@ -0,0 +1,49 @@
{
"attributes": {
"description": "This dashboard shows data collected by the OSSEC rootkit pack from osquery",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.module:osquery_manager\"},\"version\":true,\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
"panelsJSON": "[{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":7,\"y\":0,\"w\":24,\"h\":5,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_1\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":0,\"w\":6,\"h\":5,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_2\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":0,\"w\":6,\"h\":5,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_3\"},{\"version\":\"8.2.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":5,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"8.2.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":5,\"w\":43,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]",
"timeRestore": false,
"title": "[Osquery Manager] OSSEC rootkit pack",
"version": 1
},
"coreMigrationVersion": "8.2.0",
"id": "osquery_manager-c0a7ce90-f4aa-11e7-8647-534bb4c21040",
"migrationVersion": {
"dashboard": "8.2.0"
},
"references": [
{
"id": "osquery_manager-6ec10290-f4aa-11e7-8647-534bb4c21040",
"name": "1:panel_1",
"type": "visualization"
},
{
"id": "osquery_manager-ffdbba50-f4a9-11e7-8647-534bb4c21040",
"name": "2:panel_2",
"type": "visualization"
},
{
"id": "osquery_manager-ab587180-f4a9-11e7-8647-534bb4c21040",
"name": "3:panel_3",
"type": "visualization"
},
{
"id": "osquery_manager-2d6e0760-f4ab-11e7-8647-534bb4c21040",
"name": "4:panel_4",
"type": "visualization"
},
{
"id": "osquery_manager-0fe5dc00-f49b-11e7-8647-534bb4c21040",
"name": "5:panel_5",
"type": "search"
}
],
"type": "dashboard",
"updated_at": "2022-03-18T16:52:59.542Z",
"version": "WzE2Nzk2MSw2XQ=="
}
@@ -0,0 +1,249 @@
{
"attributes": {
"name": "windows-hardening",
"version": 1,
"queries": [
{
"id": "OpenType_Font_Driver_Vulnerability",
"interval": 3600,
"platform": "windows",
"query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",
"version": "2.2.1"
},
{
"id": "Protecting_Against_Weak_Crypto_Algo",
"interval": 3600,
"platform": "windows",
"query": "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
"version": "2.2.1"
},
{
"id": "UAC_Disabled",
"interval": 3600,
"platform": "windows",
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",
"version": "2.2.1"
},
{
"id": "SecureBoot",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled'"
},
{
"id": "FontBlocking",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions\\MitigationOptions_FontBlocking'"
},
{
"id": "DepPolicy",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemStartOptions'"
},
{
"id": "MitigationOptions",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions'"
},
{
"id": "MoveImages",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\moveImages'"
},
{
"id": "KernelSehopEnabled",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\KernelSEHOPEnabled'"
},
{
"id": "EnableCertPaddingCheck",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'"
},
{
"id": "EnableCertPaddingCheck_wow64",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'"
},
{
"id": "CwdIllegalInDllSearch",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\CWDIllegalInDllSearch'"
},
{
"id": "DisabledExceptionChainValidation",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\DisableExceptionChainValidation'"
},
{
"id": "EnableLowVaAccess",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableLowVaAccess'"
},
{
"id": "ControlFlowGuard",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableCfg'"
},
{
"id": "App_ExecuteOptions",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\executeOptions'"
},
{
"id": "App_MitigationOptions",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\MitigationOptions'"
},
{
"id": "AppCompat",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'"
},
{
"id": "App_disabledExceptionChainValidation",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\DisableExceptionChainValidation'"
},
{
"id": "DefaultLevelMachine",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'"
},
{
"id": "DefaultLevelUser",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'"
},
{
"id": "PolicyScopeMachine",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'"
},
{
"id": "PolicyScopeUser",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'"
},
{
"id": "ExecutableTryMachine",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'"
},
{
"id": "ExecutableTryUser",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'"
},
{
"id": "TransparentEnabledMachine",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'"
},
{
"id": "TransparentEnabledUser",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'"
},
{
"id": "Unrestricted",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144'"
},
{
"id": "Unrestricted_Paths",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths'"
},
{
"id": "Unrestricted_Paths_ItemData",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths\\%\\ItemData'"
},
{
"id": "Disallowed",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0'"
},
{
"id": "Disallowed_Paths",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths'"
},
{
"id": "Disallowed_Paths_ItemData",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\%\\ItemData'"
},
{
"id": "SaferFlags",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\%\\%\\%\\SaferFlags'"
},
{
"id": "RuleSetEnforcementMode",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\EnforcementMode'"
},
{
"id": "Rule",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\%\\Value'"
},
{
"id": "AuditSpecialGroups",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit'"
},
{
"id": "SysmonConfig",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters'"
},
{
"id": "DeveloperMode",
"interval": 86400,
"platform": "windows",
"query": "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'"
}
]
},
"coreMigrationVersion": "8.2.0",
"id": "osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54",
"references": [],
"type": "osquery-pack-asset"
}
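Review bot: The `AppCompat` query compares `key` with `=` against a pattern that contains `%`, so the wildcard is taken literally and the row can never match the intended `...\\SOFTWARE\\Microsoft\\...` / `...\\SOFTWARE\\Wow6432Node\\Microsoft\\...` keys; it should read `"query": "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'"`, as the neighbouring `App_*` queries do. The `SysmonConfig` query points at `HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters`, where `CCS` is shorthand that does not exist as a registry key, so the query silently returns nothing; it should spell out `CurrentControlSet` like the other `SYSTEM` queries in this pack. Most of the remaining queries use `key=` or `key like` with a path whose last component is a value name (`UEFISecureBootEnabled`, `EnableCfg`, `KernelSEHOPEnabled`, …); if, as the first three queries assume, `path` is key plus value name and `key` is only the containing key, those rows will not be returned and `path=` is what is wanted — worth checking against the registry table schema before shipping. Because a query that never matches produces no events, none of these failures would show up in the new dashboards, so a smoke test of the pack against one known host would be a cheap guard.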