Loved it! I have a question though: is there any way we can kill the process whose binary isn't on the disk using osquery itself? Can we do that, or do we need an extra hand for incident response (via Wazuh's active response, let's say)?
@taylorwalton_socfortress 3 years ago
Hey Rahul, yes, the best way to kill the process would be to write a bash script to kill the process ID that was observed with the osquery alert and then use active response to call that script when that osquery alert is triggered. Unfortunately I have not tried that myself, but in theory it should be possible. That's the power of open source! Thanks for watching!
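One way to wire this up, as an added example that is not part of the video or of the Wazuh/osquery projects: a POSIX shell active-response script that reads the alert JSON Wazuh hands it on stdin, pulls the PID out of the osquery row, and kills the process only if /proc/PID/exe reports its binary as deleted. The stdin JSON layout, the data.osquery.columns.pid field and the script/log paths are assumptions; adjust them to your own alert shape.

```shell
#!/bin/sh
# Added example, not project code. Wazuh active-response script that kills
# the PID from an osquery alert once it confirms the binary is gone from disk.
# Assumed: alert JSON arrives on stdin (Wazuh 4.2+ format) and the osquery
# row carries the PID in data.osquery.columns.pid.

# Print the first numeric "pid" value found in the alert JSON (no jq needed).
extract_pid() {
    printf '%s' "$1" |
        sed -n 's/.*"pid" *: *"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' |
        head -n 1
}

# Return 0 when the process's executable was unlinked ("(deleted)" suffix).
binary_missing() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    case "$exe" in *"(deleted)") return 0 ;; *) return 1 ;; esac
}

# Kill only a live PID whose backing binary is missing. Return codes:
# 0 killed, 1 kill failed, 2 bad PID, 3 binary still on disk (left alone).
kill_if_fileless() {
    pid=$1
    case "$pid" in ''|*[!0-9]*) echo "invalid pid: $pid" >&2; return 2 ;; esac
    [ "$pid" -gt 1 ] || return 2          # never target PID 0 or 1
    if binary_missing "$pid"; then
        kill -9 "$pid" || return 1
        echo "killed fileless process $pid" >&2
        return 0
    fi
    echo "pid $pid still has its binary on disk; not killing" >&2
    return 3
}

# Entry point used by wazuh-execd: read the alert, act, append a log line.
main() {
    alert=$(cat)
    pid=$(extract_pid "$alert")
    kill_if_fileless "$pid"
    rc=$?
    echo "$(date -u +%FT%TZ) kill-fileless rc=$rc pid=$pid" \
        >> /var/ossec/logs/active-responses.log 2>/dev/null
    return $rc
}

# Run main only when invoked as the installed script (assumed file name).
if [ "${0##*/}" = "kill-fileless.sh" ]; then main; fi
```

Install it under the active-response bin directory on the agent and point a Wazuh `<active-response>` block at it for the osquery rule ID you alert on; the script refuses to act unless the binary really is gone, so a false-positive alert leaves a legitimate process running.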
@elatedmaniac 3 years ago
FYI: For exiting the CLI in a cleaner fashion, use .exit. Otherwise, the video is great.