Point of contact for this request:
If a call is needed, what is the proposed date and time of the call: N/A
Additional call details (format, type of call): N/A

Due to compliance requirements, osquery needs to be installed on VM hosts in a number of our environments (notably the gitlab-staging-1, gitlab-production and gitlab-ci GCP projects). Previously Uptycs was used, but as we were having issues with it and it wasn't delivering value, the contract with Uptycs has since been scrapped and it has been decided to roll out vanilla osquery itself to the relevant hosts.

The agenda doc covers some of the details that have been previously discussed. SIRT is utilizing Panther to ingest logs from a variety of sources that we can write rules against, and we will work with the observability team to get the osquery logs into Panther (probably in a similar way to how we're ingesting Rails logs into Panther). The current plan is to have osquery deployed to hosts in the gitlab-staging-1 GCP project by the end of January 2021, with the deployment to the gitlab-production project following several weeks afterwards.

The original SIRT osquery project is set up with a valid osquery configuration + flag file, and also a baseline file + query packs for different server types and their associated queries (e.g. an iptables query pack for the camoproxy server type). A gitlab-osquery project has also been set up under the gitlab-cookbooks group and has a cookbook based off the template here.

The osquery Slack channel is very active, and they are doing awesome stuff with Windows.

It includes TheHive, Playbook and Sigma, Fleet and osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, Zeek, Wazuh, and many other security tools. It is hands-down the best way to train security operations, incident response, and threat hunting teams.
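The text above describes shipping osquery results (including an iptables query pack for camoproxy hosts) into Panther and writing rules against them. The following is an added example of what such a rule could look like; it is not GitLab's, SIRT's or Panther's own code. It assumes a pack named "iptables" containing a scheduled query named "iptables_rules" over osquery's built-in `iptables` table (so results log with `"name": "pack_iptables_iptables_rules"`), osquery's default differential result format (one JSON object per line with `columns` and an `action` of `added` or `removed`), Panther's convention of calling `rule(event)` and `title(event)` on a dict-like event, and a hypothetical allow-list of ports a camoproxy host is expected to accept. The sample log lines are constructed for the example.

```python
"""Panther-style detection rule for osquery differential results (added example).

Assumptions (not taken from the page):
  * pack "iptables" with scheduled query "iptables_rules" -> results carry
    "name": "pack_iptables_iptables_rules";
  * osquery's default differential log format: one JSON object per line with
    "columns" (row) and "action" ("added" / "removed");
  * Panther invokes rule(event) -> bool and title(event) -> str on a dict-like event;
  * EXPECTED_INBOUND_PORTS is a hypothetical allow-list for camoproxy hosts.
"""
import json

PACK_QUERY_NAME = "pack_iptables_iptables_rules"   # assumed pack/query naming
EXPECTED_INBOUND_PORTS = {"22", "443"}              # hypothetical allow-list
TERMINATING_DENY_TARGETS = {"DROP", "REJECT"}


def rule(event):
    """Fire on INPUT-chain changes that loosen the host's ingress filtering.

    Two conditions, both scoped to the iptables pack query and the INPUT chain:
      * an added ACCEPT rule whose dst_port is not on the expected allow-list;
      * a removed DROP/REJECT rule (weakens default-deny).
    """
    if event.get("name") != PACK_QUERY_NAME:
        return False
    cols = event.get("columns") or {}
    if cols.get("chain") != "INPUT":
        return False
    action = event.get("action")
    target = cols.get("target")
    if action == "added" and target == "ACCEPT":
        # dst_port is a text column in osquery; an absent port means "any".
        return cols.get("dst_port", "") not in EXPECTED_INBOUND_PORTS
    if action == "removed" and target in TERMINATING_DENY_TARGETS:
        return True
    return False


def title(event):
    """Human-readable alert title built from the differential row."""
    cols = event.get("columns") or {}
    return (f"iptables INPUT change on {event.get('hostIdentifier', '<unknown>')}: "
            f"{event.get('action')} {cols.get('target')} "
            f"proto={cols.get('protocol')} dst_port={cols.get('dst_port') or 'any'}")


def evaluate_log(lines):
    """Run rule() over raw osquery result lines; return titles of rows that fire."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if rule(event):
            alerts.append(title(event))
    return alerts


# Constructed sample results (not real GitLab logs) in osquery's differential format.
# Row 1: expected HTTPS accept (no alert). Row 2: ACCEPT on an unexpected port (alert).
# Row 3: a DROP rule removed from INPUT (alert). Row 4: a different pack query (ignored).
SAMPLE_LOG = """
{"name": "pack_iptables_iptables_rules", "hostIdentifier": "camoproxy-01", "unixTime": 1610000000, "action": "added", "columns": {"filter_name": "filter", "chain": "INPUT", "policy": "DROP", "target": "ACCEPT", "protocol": "6", "dst_port": "443", "src_ip": "0.0.0.0"}}
{"name": "pack_iptables_iptables_rules", "hostIdentifier": "camoproxy-01", "unixTime": 1610000060, "action": "added", "columns": {"filter_name": "filter", "chain": "INPUT", "policy": "DROP", "target": "ACCEPT", "protocol": "6", "dst_port": "4444", "src_ip": "0.0.0.0"}}
{"name": "pack_iptables_iptables_rules", "hostIdentifier": "camoproxy-02", "unixTime": 1610000120, "action": "removed", "columns": {"filter_name": "filter", "chain": "INPUT", "policy": "DROP", "target": "DROP", "protocol": "6", "dst_port": "23", "src_ip": "0.0.0.0"}}
{"name": "pack_baseline_listening_ports", "hostIdentifier": "camoproxy-02", "unixTime": 1610000180, "action": "added", "columns": {"port": "4444", "protocol": "6", "pid": "1234"}}
"""

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Scoping the rule to the pack query name and to the INPUT chain keeps it from firing on the baseline pack or on FORWARD/OUTPUT churn; the per-server-type allow-list is the part that would differ between the camoproxy pack and packs for other server types.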