Built off the open source project Osquery
Description: Query for other IT tools
What The Data Shows: Whether your endpoints have any conflicting security tools installed that may cause interoperability issues.
SQL: Please see comments section.
Wondering if anyone has used A&R to query whether their endpoints have any conflicting security tools installed that may cause interoperability issues?
For example, how would you craft a query to ask your endpoints what machines have vendor A installed (thinking about AVs, for example)? Is this something we can potentially do?
osquery has a windows_security_products table you can query for the installed security products on Windows (those registered in the Windows Security Center).
Should be as simple as:
SELECT * FROM windows_security_products;
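As an added example (not from the original thread or from the osquery project), the queries below build on windows_security_products to answer the "conflicting tools" question directly: list what Security Center knows about, flag hosts with two or more products of the same type, and cross-check against the installed-programs view, since not every agent registers with Security Center. The column names are those of the osquery windows_security_products and programs tables; "Vendor A" is a placeholder for the product you are looking for.

```sql
-- Added example, not part of the original thread.
-- Run with osqueryi on a Windows endpoint or as a scheduled query.

-- 1. Everything Security Center has registered, with state and signature freshness.
SELECT type, name, state, signatures_up_to_date, remediation_path
FROM windows_security_products;

-- 2. Hosts with two or more products of the same type (e.g. two antivirus
--    engines), which is the usual source of interoperability problems.
SELECT type,
       COUNT(*)                   AS product_count,
       GROUP_CONCAT(name, ' | ')  AS products
FROM windows_security_products
GROUP BY type
HAVING product_count > 1;

-- 3. Antivirus products other than Microsoft Defender, with their state.
SELECT name, state, signatures_up_to_date
FROM windows_security_products
WHERE type = 'Antivirus'
  AND name NOT LIKE 'Windows Defender%'
  AND name NOT LIKE 'Microsoft Defender%';

-- 4. Cross-check against installed programs, because an agent that does not
--    register with Security Center will not appear above.
--    'Vendor A' is a placeholder; substitute the vendor or product name.
SELECT name, version, publisher, install_date
FROM programs
WHERE publisher LIKE '%Vendor A%'
   OR name LIKE '%Vendor A%';
```

Query 2 is the one to schedule fleet-wide: any row it returns is a host with duplicate coverage for that product type. Query 3 is useful when the goal is to confirm that only the sanctioned product is active, since the state column tells you whether a second product is merely installed or actually running.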
thanks @YoanSchinck , that's very helpful.
I also tried to do a simple file search (assuming that we know the exact filename). I am going to put "file#1" and "file#2" for privacy reasons, but this is easily adaptable:
SELECT * FROM file;
SELECT * FROM file WHERE filename = "file#1.exe" and "file#2.exe"
It returned me several "error" and "unsupported" messages.
Do you know if generic files are supported?
In my experience, the first query won't work.
SELECT * FROM file;
It's too broad. osquery will tell you to be more specific. If you actually ran that query, you would be asking osquery to return the millions of files that are on the system. So you need to be more specific by using at least one other parameter, such as path. For instance:
SELECT * FROM file WHERE path LIKE "C:\ProgramData\%%" AND filename = "security.exe";
For the second query, I think the syntax is wrong. You're using the wrong operator: it shouldn't be AND but OR. Otherwise, you're basically asking osquery to return an entry that has two filename properties. And you also can't query the filename directly; you need to use another attribute.
For instance, this works:
SELECT * FROM file WHERE path LIKE "C:\Temp\%%" AND (filename = "file1.exe" OR filename = "file2.exe");
What's important to remember here is to use the path property when you query the file table, and also to use OR if you want to query multiple values for a property.
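As an added example (not from the original thread or from the osquery project), the queries below generalize the file-table advice above: every query carries a path constraint, a single % matches one directory level while %% walks the tree recursively, IN replaces a chain of ORs for several filenames, and a join on the hash table identifies what was found by SHA-256 instead of trusting the name. The directories and filenames are placeholders.

```sql
-- Added example, not part of the original thread. Paths and filenames are
-- placeholders; the file and hash tables both require a path constraint.

-- One directory level below C:\Temp: a single % matches one level only.
SELECT path, size, mtime
FROM file
WHERE path LIKE 'C:\Temp\%'
  AND filename IN ('file1.exe', 'file2.exe');

-- Recursive search: %% walks the whole tree. Keep the root narrow; a
-- recursive walk from C:\ enumerates every file on the disk.
SELECT path, size, mtime
FROM file
WHERE path LIKE 'C:\ProgramData\%%'
  AND filename IN ('file1.exe', 'file2.exe');

-- Several roots in one query: UNION ALL the constrained searches so each
-- branch keeps its own usable path constraint.
SELECT path FROM file
WHERE path LIKE 'C:\Program Files\%%' AND filename = 'security.exe'
UNION ALL
SELECT path FROM file
WHERE path LIKE 'C:\Program Files (x86)\%%' AND filename = 'security.exe';

-- Identify what was found: join hash on path to get SHA-256, so the binary
-- can be matched against a known vendor hash rather than its filename.
SELECT f.path, f.size, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE 'C:\ProgramData\%%'
  AND f.filename IN ('file1.exe', 'file2.exe');
```

The hash join is the check a practitioner wants before treating a filename match as evidence of an installed product: a renamed binary, or a benign file that happens to share a name, will not match the expected hash. Keep the recursive searches scoped to the directories where the product actually installs, since hashing is far more expensive than listing.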
thanks a lot @YoanSchinck that's incredibly helpful. I just tried the query and it returns much better results. Really appreciate your help!
This is very useful, thank you.