The security team maintains Kolide for monitoring Linux workstations. Using the osquery agent that this deployment installs on each workstation, the security team has created alerts for possible indications of compromise. Logs are centralized in the Elasticsearch cluster, and when anomalies are detected an alert is raised in our centralized alerting channel.
Detections are defined as SQL queries. Queries belong to packs, which are documented and stored in the Security Monitoring GitHub repository. These queries run at a specified interval and their results are logged in Elasticsearch. When a query returns results that match a detection, an alert goes to a team member through Slack or OpsGenie, depending on the severity.
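As an added illustration of this pattern (not the team's actual packs or alerting code), the block below defines a pack with two hypothetical osquery queries, keeps a per-query severity alongside each query (an assumption; severity is not part of osquery's own pack schema), and routes constructed osquery result log lines to Slack or OpsGenie. Pack, query and host names are made up.

```python
import json

# Assumed pack in osquery's pack format, plus an extra "severity" field per query
# (assumption: severity lives next to the query in the Security Monitoring repo).
PACKS = {
    "linux_ioc": {
        "queries": {
            "unencrypted_disk": {"query": "SELECT name, encrypted FROM disk_encryption WHERE encrypted = 0;",
                                 "interval": 3600, "severity": "low"},
            "process_without_binary": {"query": "SELECT pid, name, path FROM processes WHERE on_disk = 0;",
                                       "interval": 300, "severity": "high"},
        }
    }
}

# osquery names scheduled pack queries "pack_<pack>_<query>" in its result logs.
SEVERITY_BY_LOG_NAME = {
    f"pack_{pack}_{query}": spec["severity"]
    for pack, body in PACKS.items()
    for query, spec in body["queries"].items()
}

def destination(severity):
    """High severity pages the on-call via OpsGenie; everything else goes to Slack."""
    return "opsgenie" if severity == "high" else "slack"

def route_results(log_lines):
    """Turn osquery differential result lines into (destination, host, query, row) alerts."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") != "added":        # "removed" rows mean a finding went away
            continue
        severity = SEVERITY_BY_LOG_NAME.get(event["name"])
        if severity is None:                      # not one of our pack queries
            continue
        alerts.append((destination(severity), event["hostIdentifier"], event["name"], event["columns"]))
    return alerts

# Constructed sample result log lines in osquery's differential format.
SAMPLE_LOG = [
    '{"name":"pack_linux_ioc_process_without_binary","hostIdentifier":"ws-01","action":"added","columns":{"pid":"4242","name":"x","path":"/tmp/x"}}',
    '{"name":"pack_linux_ioc_unencrypted_disk","hostIdentifier":"ws-02","action":"added","columns":{"name":"/dev/sda2","encrypted":"0"}}',
    '{"name":"pack_linux_ioc_process_without_binary","hostIdentifier":"ws-01","action":"removed","columns":{"pid":"4242","name":"x","path":"/tmp/x"}}',
]
```

Running `route_results(SAMPLE_LOG)` yields two alerts: the high-severity finding on ws-01 routed to OpsGenie and the low-severity one on ws-02 routed to Slack; the "removed" row produces no alert.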
Kolide integrates with Okta, allowing device verification and phishing-resistant authentication. The security team has defined checks that are set to either “Report Only” or “Block” when a user’s device is not compliant. Example checks include missing firewall rules, missing disk encryption, or outdated packages. Check failures are reported to the security team.