-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathmondoo-edr-policy.mql.yaml
304 lines (284 loc) · 13.6 KB
/
mondoo-edr-policy.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-edr-policy
name: Mondoo Endpoint Detection and Response (EDR)
version: 1.4.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: windows,linux,macos
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |-
In today's ever-changing world of cybersecurity, it is crucial to ensure the strength of endpoint security. A reliable defense mechanism is the Endpoint Detection and Response (EDR) framework, which provides real-time monitoring, threat identification, and incident response capabilities. However, the effectiveness of this framework depends on the agents' deployment and functionality across organizational endpoints.
In order to strengthen your cyber defenses and stay protected against emerging threats, it is essential to establish a policy that thoroughly confirms the presence and operational status of EDR agents. This policy aims to verify the installation of these critical components and ensure their continuous operation, thereby enhancing our resilience against malicious attacks.
By implementing this policy, we take a proactive approach to instill confidence in our security posture and reinforce our commitment to safeguarding sensitive data, critical assets, and the integrity of our digital infrastructure.
Additionally, it is highly recommended that antivirus signatures are updated daily to ensure protection against the latest threats. For instance, Windows Defender signatures can be updated using the following PowerShell command:
```powershell
Update-MpSignature
```
## Local scan
Local scan refer to scans of files and operating systems where cnspec is installed.
To scan the `localhost` against this policy:
```bash
cnspec scan local --policy-bundle mondoo-edr-policy.mql.yaml
```
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Prerequisites
Remote scans of windows hosts suitable authentication method such as winRM enabled or SSH keys.
### Scan a remote Windows (SSH authentication)
```bash
cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key --policy-bundle mondoo-edr-policy.mql.yaml
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Endpoint Detection and Response (EDR)
filters: |
asset.platform == 'macos' || asset.family.contains("linux") || asset.family.contains('windows')
checks:
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed
- uid: mondoo-edr-policy-ensure-edr-agent-is-running
scoring_system: highest impact
queries:
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed
title: Ensure EDR Agent is installed
impact: 100
docs:
desc: |-
This query checks if the EDR agent is installed on the system. The presence of an EDR agent is crucial for real-time monitoring, threat identification, and incident response capabilities. It is essential to ensure that the EDR agent is installed and operational to enhance the resilience against malicious attacks.
audit: Please ensure that the EDR agent is installed on the system.
remediation:
- desc: |-
Please install an EDR agent on the system, e.g. SentinelOne, CrowdStrike, ESET Endpoint Security, Wazuh
variants:
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-macos
filters: asset.platform == 'macos'
mql: |
package('Falcon').installed ||
package('SentinelOne Extensions').installed ||
package('ESET Endpoint Security').installed ||
file('/Library/Ossec').exists ||
['Cortex XDR', 'Cortex XDR Agent'].all(package(_).installed)
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-linux
filters: asset.family.contains('linux')
mql: |
package('falcon-sensor').installed ||
['SentinelAgent', 'sentinelagent'].any(package(_).installed) ||
file('/opt/eset/RemoteAdministrator/Agent').exists
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-windows
filters: asset.family.contains('windows')
mql: |
package('CrowdStrike Sensor Platform').installed ||
package('Sentinel Agent').installed ||
['ESET Endpoint Security', 'ESET Server Security'].one(package(_).installed) ||
service('WinDefend').installed ||
package('Wazuh Agent').installed ||
['Sophos Endpoint Defense', 'Sophos Endpoint Agent'].all(package(_).installed) ||
packages.where(name == /Cortex XDR/i).any(installed)
- uid: mondoo-edr-policy-ensure-edr-agent-is-running
title: Ensure EDR Agent is running
impact: 100
docs:
desc: |-
This query checks if the EDR agent is running on the system. The presence of an EDR agent is crucial for real-time monitoring, threat identification, and incident response capabilities. It is essential to ensure that the EDR agent is installed and operational to enhance the resilience against malicious attacks.
audit: Please ensure that the EDR agent is running on the system.
remediation:
- desc: |-
Please install the EDR agent on the system, e.g. SentinelOne, CrowdStrike.
variants:
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-defender-agent-is-running-and-updated-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-sophos-endpoint-defense-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
title: Ensure CrowdStrike Agent is running
filters: |
asset.platform == 'macos'
package('Falcon').installed
mql: |
macos.systemExtensions.where(identifier == "com.crowdstrike.falcon.Agent").all(enabled == true && active == true && state == "activated_enabled")
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-linux
title: Ensure CrowdStrike Agent is running
filters: |
asset.family.contains('linux')
package('falcon-sensor').installed
mql: |
service('falcon-sensor').running
service('falcon-sensor').enabled
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-windows
title: Ensure CrowdStrike Agent is running
filters: |
asset.family.contains('windows')
package('CrowdStrike Sensor Platform').installed
mql: |
service('CSFalconService').running
service('CSFalconService').enabled
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-macos
title: Ensure SentinelOne Agent is running
filters: |
asset.platform == 'macos'
package('SentinelOne Extensions').installed
mql: |
service('com.sentinelone.sentineld-helper').running
service('com.sentinelone.sentineld-helper').enabled
service('com.sentinelone.sentineld-shell').enabled
service('com.sentinelone.sentinel-extensions').running
service('com.sentinelone.sentinel-extensions').enabled
service('com.sentinelone.sentineld').running
service('com.sentinelone.sentineld').enabled
service('com.sentinelone.sentineld-guard').running
service('com.sentinelone.sentineld-guard').enabled
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-linux
title: Ensure SentinelOne Agent is running
filters: |
asset.family.contains('linux')
package('SentinelAgent').installed || package('sentinelagent').installed
mql: |
service('sentinelone').running
service('sentinelone').enabled
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-windows
title: Ensure SentinelOne Agent is running
filters: |
asset.family.contains('windows')
package('Sentinel Agent').installed
mql: |
services.where(name == /SentinelAgent/).any(running == true)
services.where(name == /SentinelAgent/).any(enabled == true)
services.where(name == /SentinelStaticEngine/).any(running == true)
services.where(name == /SentinelStaticEngine/).any(enabled == true)
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-macos
title: Ensure ESET Agent is running
filters: |
asset.platform == 'macos'
package('ESET Endpoint Security').installed
mql: |
services.where(name == /com\.eset\.endpoint/).any(running == true)
services.where(name == 'com.eset.enterpriseinspector.eiagent').any(enabled == true)
services.where(name == 'com.eset.remoteadministrator.agent').any(enabled == true)
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-linux
title: Ensure ESET Agent is running
filters: |
asset.family.contains('linux')
file('/opt/eset/RemoteAdministrator/Agent').exists
mql: |
service('eraagent').running
service('eraagent').enabled
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-windows
title: Ensure ESET Agent is running
filters: |
asset.family.contains('windows') &&
['ESET Endpoint Security', 'ESET Server Security'].one(package(_).installed)
mql: |
service('EraAgentSvc').running
service('EraAgentSvc').enabled
- uid: mondoo-edr-policy-ensure-defender-agent-is-running-and-updated-windows
title: Ensure Windows Defender Agent is running
filters: |
asset.family.contains('windows')
service('WinDefend').installed
mql: |
service('WinDefend').running
service('WinDefend').enabled
parse.json(content: powershell("Get-MpComputerStatus | Select-Object -Property AntivirusSignatureAge | ConvertTo-JSON").stdout).params.AntivirusSignatureAge == 0
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-macos
title: Ensure Wazuh Agent is running
filters: |
asset.platform == "macos"
file('/Library/Ossec').exists
mql: |
service('wazuh-agentd').running
service('wazuh-agentd').enabled
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-windows
title: Ensure Wazuh Agent is running
filters: |
asset.platform == "windows"
package('Wazuh Agent').installed
mql: |
service('WazuhSvc').running
service('WazuhSvc').enabled
- uid: mondoo-edr-policy-ensure-sophos-endpoint-defense-is-running-windows
title: Ensure Sophos Endpoint Defense Agent is running
filters: |
asset.family.contains('windows') &&
['Sophos Endpoint Defense', 'Sophos Endpoint Agent'].all(package(_).installed)
mql: |
service('Sophos Endpoint Defense Service').running
service('Sophos Endpoint Defense Service').enabled
service('Sophos MCS Agent').running
service('Sophos MCS Agent').enabled
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-macos
title: Ensure Cortex XDR Agent is running
filters: |
asset.platform == 'macos' &&
['Cortex XDR', 'Cortex XDR Agent'].all(package(_).installed)
mql: |
service('com.paloaltonetworks.cortex.agent').running
service('com.paloaltonetworks.cortex.agent').enabled
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-windows
title: Ensure Cortex XDR Agent is running
filters: |
asset.family.contains('windows') &&
packages.where(name == /Cortex XDR/i).any(installed)
mql: |
service('cyserver').running
service('cyserver').enabled