Open zayhanlon opened 10 months ago
Feature fest: We have a yara
table in Fleet: https://fleetdm.com/tables/yara
Does that address the need?
Related to an ask from customer-domon re: #19553
The yara
& yara_events' tables do not have the capabilities to access sigrules from a remote server.
@noahtalerman let me know if you or design team would like to chat with the customer during or after this air guitar. thanks!
Hey @zayhanlon! Would love some help setting up a call w/ the customer.
Containers supported by YARA (Specifically Kubernetes): Brock: Need context → Adding namespace column by PID would allow you to use YARA rules in containers kubequery in the repo may be helpful May be a blocker since they don’t have direct Kubernetes API Brock: Could pass along to infra team to use Ben: Potentially, could be hard though Concern was if they could use osquery to run YARA rules in containers that are Docker → Now use Kubernetes so want that same ability for Kube osquery does not support containerd → this would resolve the issue TODO Brock: Bring this to eng to discuss Found article about osquery support for containerd https://developer.ibm.com/articles/monitoring-containers-osquery/
Hey @noahtalerman I did reach out to IBM on their GitHub to see if they had open-sourced anything in relation to this. Got no response. That said, I think we could duplicate what was built based on the article.
Hey @zayhanlon, I updated this air guitar to the user story format and moved our original issue description below.
Bringing this one back to feature fest to weigh whether we'll commit to solving this one next sprint or in a later sprint.
Original issue description:
Ideal workflow: Customer would have a repo of YARA rules that only detection & response team can access. Deploy these per team (production servers and workstations).
Some tables are blocked by not having YARA
Future: How to displace CrowdStrike? Event monitoring. osquery evented tables aren't as good and performant as CrowdStrike.
Background:
Thank you @noahtalerman
Hey @zwass, I'm passing this story to you and tagged you as the product designer.
Please bring this story + your proposed changes to the design review ritual so that we can provide a second pair of eyes on changes and give feedback.
Thanks!
cc @zayhanlon
Hey @zayhanlon because this is being worked on by customer success I think it makes sense to move this issue to the #g-customer-success
board. I moved it.
When @zwass brings changes through design review and we decide that it's ready to estimate, I think at that point we add the issue back to the drafting board (:product
) so that we can bring it through a product group's estimation session.
Please let me know if you disagree!
sounds good! i was tracking it separately, but we can follow your guidance. this will be zach's next issue after he's back from leave.
Context
Changes
Product
Engineering
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation