Yes, we use Kolide as the TLS server. Distributed queries are a nice possibility, but in our case my colleagues who are engaged in defining defects (security requirements violated) analyse them in a different system. After a query is set, its results are loaded via syslog into our SIEM system, where there are different scheduled searches/alerts for that. They (my colleagues) have no access to the Kolide web UI, as in Kolide there isn't appropriate RBAC and they would have more privileges than we wish them to have.
Can you please clarify how decorators could help us to do something like this? We use decorators; our use case is adding the IP address of the device to each query to make correlation easier. As I understand it, decorators are the wrap-up "queries" which are run for every query. Am I right? If so, that's gonna overwhelm us with logs...
Also, as you can guess, users don't apply security settings themselves. We have separate teams of people who are engaged in it. After some security settings have been applied, we want to check whether it was done correctly. Usually for this purpose we have those osquery queries (controls). Taking the personal device away from a user for 4h is inappropriate for us; we are trying to return it ASAP. If the device is returned before my colleagues make sure everything is correct with the help of their searches in SIEM, it might turn out that something was done wrong and the work (applying security settings) is required again. Frequently it is not an easy task, because we make it impossible for users to keep working, or users have to come to the office again (no VPN access to that device). Therefore, if there were startup queries, we could trigger osquery to run them by restarting osquery. Logs could be delivered to our SIEM system faster.
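The two mechanics discussed in this thread (an IP-address decorator, and checking in the SIEM which control queries have reported since osquery was restarted) as an added example that is not part of the original post or of osquery/Kolide. It shows the shape of an osquery `decorators` config stanza and a small SIEM-side parser that reads syslog-forwarded result lines and classifies each control per device. The decorator name `ip_address`, the control query names, and all log lines are constructed for the example; the log format is the standard osquery differential result format, in which decorator columns are copied into each result line's `decorations` object rather than emitted as separate log lines.

```python
"""
Added example (not from the original post): osquery decorations ride along on
every scheduled-query result line, and a SIEM-side check can use the decorated
IP address to see, per device, which control queries have reported since the
last osquery restart.

Assumptions (constructed for this example): decorator column `ip_address`,
control names under `pack/controls/`, and the sample log lines below.
"""
import json
from typing import Dict, Iterable, List

# Shape of the config stanza that attaches the device IP to every result line.
# A `load` decorator runs once when the config is loaded, so it adds no extra
# scheduled-query traffic; its columns are copied into "decorations".
EXAMPLE_DECORATOR_CONFIG = {
    "decorators": {
        "load": [
            "SELECT address AS ip_address FROM interface_addresses "
            "WHERE interface NOT LIKE 'lo%' AND address NOT LIKE '%:%' LIMIT 1;"
        ]
    }
}

REQUIRED_CONTROLS = ["pack/controls/firewall_disabled",
                     "pack/controls/secure_boot_off"]

# Constructed sample lines in osquery's differential result format, one JSON
# object per line, as they would arrive over syslog. Includes a stale line
# from before the restart and two malformed lines a real feed could contain.
SAMPLE_LOG_LINES = [
    json.dumps({"name": "pack/controls/firewall_disabled", "hostIdentifier": "lap-01",
                "unixTime": 1700000000, "action": "added",
                "columns": {"global_state": "0"}, "decorations": {"ip_address": "10.1.2.3"}}),
    json.dumps({"name": "pack/controls/firewall_disabled", "hostIdentifier": "lap-01",
                "unixTime": 1700000300, "action": "removed",
                "columns": {"global_state": "0"}, "decorations": {"ip_address": "10.1.2.3"}}),
    json.dumps({"name": "pack/controls/secure_boot_off", "hostIdentifier": "lap-01",
                "unixTime": 1699990000, "action": "added",
                "columns": {"secure_boot": "0"}, "decorations": {"ip_address": "10.1.2.3"}}),
    json.dumps({"name": "pack/controls/firewall_disabled", "hostIdentifier": "lap-02",
                "unixTime": 1700000100, "action": "added",
                "columns": {"global_state": "0"}, "decorations": {"ip_address": "10.1.2.4"}}),
    json.dumps({"name": "pack/controls/secure_boot_off", "hostIdentifier": "lap-02",
                "unixTime": 1700000100, "action": "removed",
                "columns": {"secure_boot": "0"}, "decorations": {"ip_address": "10.1.2.4"}}),
    "not json at all",
    json.dumps({"name": "orphan-line-without-decorations"}),
]


def parse_result_lines(lines: Iterable[str]) -> List[dict]:
    """Parse forwarded result lines; drop anything that is not a well-formed
    result record so one bad line does not stop the whole batch."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or "name" not in rec or "decorations" not in rec:
            continue
        records.append(rec)
    return records


def control_status(records: List[dict], required_controls: List[str],
                   expected_ips: List[str], since_unix: int) -> Dict[str, Dict[str, str]]:
    """Per expected device IP, classify each control query as:
    'missing'   - no result at/after since_unix (e.g. not yet run after restart)
    'violation' - latest result added a row, i.e. the control fired
    'clean'     - latest result removed the row, i.e. the finding cleared"""
    latest = {}  # (ip, control name) -> (unixTime, action)
    for rec in records:
        ip = rec["decorations"].get("ip_address")
        t = rec.get("unixTime", 0)
        if ip is None or t < since_unix:
            continue
        key = (ip, rec["name"])
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, rec.get("action"))
    status: Dict[str, Dict[str, str]] = {}
    for ip in expected_ips:
        status[ip] = {}
        for control in required_controls:
            entry = latest.get((ip, control))
            if entry is None:
                status[ip][control] = "missing"
            elif entry[1] == "added":
                status[ip][control] = "violation"
            else:
                status[ip][control] = "clean"
    return status


if __name__ == "__main__":
    recs = parse_result_lines(SAMPLE_LOG_LINES)
    print(json.dumps(control_status(recs, REQUIRED_CONTROLS,
                                    ["10.1.2.3", "10.1.2.4"], 1699999999), indent=2))
```

One caveat for the "did the control run since the restart" question: differential results are only logged when a row is added or removed, so "nothing logged" can mean either "no change" or "not yet run". Scheduling the control queries with `"snapshot": true` makes every run produce a line (in the snapshot format, which this parser does not handle), which removes that ambiguity at the cost of more log volume.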