Custom events

[mikermcneil]

Problem

As discussed with @lukeheath and @rachaelshaw on 2024-04-26:

• Story: "As a corporate security engineer, I want to hook into certain custom events from osquery so that I can…"
• Use case: "…so that I can (a) ping a Slack channel (or create a security ticket) any time a new Chrome extension is installed by an end user so I can investigate it, or automate its name versus a denylist of dangerous extensions, or (b) the same thing for Homebrew extensions (like Figma built in-house), or (c) monitor for FIM/FAM events that indicate an end user is attempting to secretly uninstall the agent (like Fleet's CEO did a couple weeks back as a test, which we failed)"
• Feature: Custom events
• Primary buying situation: eo-security
• Implementation notes: There are multiple ways! One way is like "As a user on a host detail activity feed, I want to press a button to custom subscribe to certain events indicated by a SQL query." OR e.g. "As a user I want to save an evented query, but instead of automating it to an external-facing log destination, I want to have it write entries to the appropriate host detail page's activity page." (Note: We could also expose a custom "Create activity" API route-- and maybe the first version is to expose such a route and then test this out by using the webhook log destination to process query results from an evented query, and then write those results back in to the activity feed from Tines))

Potential solutions

[nonpunctual]

Related? https://github.com/fleetdm/fleet/issues/14722 Specifically:

from nonpunctual...

I can see webhooks being sent to acknowledge changes made in Fleet via gitops, i.e., a new configuration profile was added, a new script was added, a new team was created, etc. These things could be triggered from the Github Actions or whatever themselves, but, acknowledging the actual change in Fleet UI might notify someone that something bad happened if so.

[nonpunctual]

Also, see: https://www.modtitan.com/2022/02/jamf-binary-self-heal-with-jamf-api.html

[noahtalerman]

monitor for FIM/FAM events that indicate an end user is attempting to secretly uninstall the agent (like Fleet's CEO did a couple weeks back as a test, which we failed)

maybe the first version is to expose such a route and then test this out by using the webhook log destination to process query results from an evented query

@sharon-fdm this use case specifically sounds similar to what you're thinking in "Receive events-based real-time alerts on potential threats in Fleet" #18650

cc @mikermcneil

[sharon-fdm]

@noahtalerman @mikermcneil @lukeheath Yes. This is very similar and doable. We will need the product team’s help to define exactly how we want to alert. Here are some of my thoughts.

Collection of events: We have a just-reach-your-hand-and-take-it ability to collect events in a well-developed, community-trusted agent, in the form of existing evented tables. macOS: I have successfully experimented with FIM, processes, disk, and almost completed YARA events. (see results table below) Linux and Windows: should be fairly easy to configure as macOS. Chrome: Other than disk activity, I am not aware of the ability to collect events. We can implement a similar table in the future. (@zwass please correct me if I’m wrong)

Use case examples: We can create SQL queries for some use cases (see #18650). (In reality, the options are much much wider): • Changes made to files that should not be changed. • Updates to Windows Registry keys that should not be updated (TODO: Check if there's a table for registry events). • Known processes running outside of their regular path (e.g. Windows calculator running directly from c:), or running with more command-line params then expected. • (Stretching SQL) Multiple login events of the same user, coming with multiple IPs from different countries.

Alerting mechanism: I think we should keep the spirit of harnessing the flexibility of SQL, allowing the customers to say what they want to collect. This entails creating a mechanism for alerting on any SQL query, empowering customers to define their own alerting criteria. From initial estimation I believe any of the options below could be done within 1 sprint (as low as 0.5-1 sprint x person ) Options:

• Slack msg
• Webhook
• Alerts page (alerted results kept in DB)
• Other….