If you like a command line and want a way to access osquery data stored in your various Uptycs databases (global | realtime | timemachine), you'll want to install and use usql. usql is written in python and uses the dbcli framework. It functions like osqueryi, giving you the ability to run a query or multiple queries against all enrolled assets in Uptycs.
Having the ability to aggregate and analyze data across multiple systems is a necessity for companies of all sizes, primarily for security and compliance reasons. For most businesses, SIEM (security information and event management) tools fulfill this function. But SIEM solutions as they are traditionally used can be costly, a problem that eventually leads most security professionals to make important decisions based on dollars and cents rather than actual security needs.
The Uptycs Threat Intelligence team is responsible for providing a high quality, curated, and current Threat Intelligence feed to the Uptycs product. In order to deliver the threat feed, the team evaluates every single alert that is seen by our customers, and investigates the alert as feedback into the threat feed curation process. Recently we observed a malicious domain alert from a customer. The out-of-the-box alert description indicated that it belonged to the OSX/Shlayer malware family. We were quickly able to query Uptycs threat intelligence to find that the domain first appeared on February, 2019 and was reported by multiple threat intel sources. Once the threat was validated, we dove into deeper investigation to understand the threat surface and risk. This post walks through the steps and techniques we performed to analyze data that had been collected via osquery, and aggregated in Uptycs.
Osquery has become a popular tooling for endpoint-based security analytics. The user community is thriving and vibrant as reflected in GitHub security showcase and osquery slack channel activity. There are many organizations, large and small, who are using it for a wide-variety of use cases. There are anecdotal references to organizations such as Facebook, Google and others using it at very large scale to get security visibility.
Being proactive about protecting your systems, networks, applications and critical data is a cornerstone of a robust, successful security program. Having a vulnerability assessment plan is a way of doing just that—proactively identifying weaknesses within your systems, so you can shore them up before attackers find and take advantage of them.