![]() ![]() ![]() Visually examine tables and columns, you can find for example discrepancies or column names that can be renamed to consolidate naming.Another application is understanding the relationship between tables by analyzing the graphs and possibly find hidden paths.One application is using it for Incident Response or Threat Hunting, an example, you run a query and get information that need further investigation, if you can easily find out which tables you can use, to pivot to, based on the results of the first query, you can enrich your results faster without having to look at all the tables and with trial and error.Now that you reached the end of my blog, you might be wondering what are the other applications besides just viewing colorful graphs. There is one more column that is the same but this was removed by the filtering, the name was too generic. I might send in a Feature Request for this. This would mean if the listening_ports columns are renamed with the local_ prefix (as listening is local), it will make it more alike. In process_open_sockets the port and address have a prefix, local_ and remote_. Interesting to see if you analyze the graph below you see almost all columns are the same but port and address(not visible), I went back to the table schema and noticed a difference in naming. Like listening_ports and process_open_sockets tables, they are both based on similar data so it would be logical that the column names would be pretty much the same. It is also good to be able to check if the graph gives results that you would expect. This would mean if a table has one of these columns it will give the most possibility for extra enrichment based on other tables. Zooming in on the graph you notice that uid and pid are the most connected column names. To understand the code snippets in the Jupyter Notebook you might need some basic understanding of: I was working on this as a personal project but when I heard about Jupyterthon I thought it was a good opportunity to present my research and also write this blog. Here is where my “Osquery❓ tables ➕ Jupyter Notebook?” journey started. Visualization of the connection between tables can help to understand the possibilities and how the tables can be extended. How can I visualize the relationship, for possible JOINs, between the tables? There is a great amount of information that you can retrieve from different Osquery tables, so in order to find related context for my Threat Hunts, I had to manually search through the table structures and sometime with trial and error find the data I needed. At the moment of writing Osquery is at version 4.3.0 and there are 257 tables! ? Not all tables can be used on all Operating Systems, at this moment it is divided as follows: Every component of the system that you can query is a different table, as you can understand there are quite some tables. ![]() Osquery is a great tool, as you can query almost everything on a system real-time, all is built around the simple concept of making difficult system calls easy to question (query) in SQL-like syntax. Query SELECT name,path,cmdline FROM processes WHERE cmdline LIKE '%jupyter%' Output name = python.exe path = C:\Users\username\Anaconda3\python.exe cmdline = C:\Users\username\Anaconda3\python.exe C:\Users\username\Anaconda3\Scripts\jupyter-notebook-script.py C:\Users\username/ This gives the possibility to “question” a system with simple SQL-like query syntax: Find Jupyter Notebook processes running at this moment. Osquery exposes an operating system as a high-performance relational database. I really like the current Open Source Security community and one special project for me is Osquery. One of the latest Jupyter Notebook projects I have been working on is the subject of this blog. For example: CTFs, API calls, Machine Learning and Threat Hunts. So I had to take quite some extra time learning Python and how it is applied in Jupyter Notebooks, I am still learning new things everyday… ?īut the best way to learn something new is to dive right in, so since I discovered Jupyter Notebooks I have been using it in pretty much anything I need to put some programmatic logic in. Let’s say programming/development is not my forte. I come from a System and Network Engineering background before rolling into Information Security. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.Īs time went by I started to understand the genius of it and how you might be able to apply it in Information Security and Threat Hunting. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |