Detect promiscuous interfaces on Linux
https://en.wikipedia.org/wiki/Promiscuous_mode
SCHEMA
| Column | Type | Description |
|---|---|---|
| flags | int | Flags (netdevice) for the device |
| interface | string | Interface name |
| loopback | long | Loopback interface |
| mac | string | MAC of interface (optional) |
| promisc | long | Promiscuous interface |
```sql
-- threat_promisc_interfaces_linux INFO
SELECT
  -- Device ID DETAILS
  meta_hostname,
  meta_ip_address,
  -- Query Details
  query_name,
  flags,
  interface,
  loopback,
  mac,
  promisc,
  -- Decoration
  meta_boot_time,
  meta_eid,
  meta_endpoint_type,
  meta_ip_mask,
  meta_mac_address,
  meta_os_name,
  meta_os_platform,
  meta_os_type,
  meta_os_version,
  meta_public_ip,
  meta_query_pack_version,
  meta_username,
  -- Generic numerics
  calendar_time,
  counter,
  epoch,
  host_identifier,
  osquery_action,
  unix_time,
  -- Data Lake
  customer_id,
  endpoint_id,
  upload_size
FROM xdr_data
WHERE query_name = 'threat_promisc_interfaces_linux'
```
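As an added example (not part of the query pack), the Python below triages rows shaped like the query result: it decodes the netdevice `flags` bitmask with the Linux IFF_* constants, skips loopback devices, and reports a non-loopback interface when either the `promisc` column or the IFF_PROMISC bit is set, noting when the two disagree. The sample rows and hostnames are constructed.

```python
# Linux netdevice flag bits (from <linux/if.h>); the `flags` column is this bitmask.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP", IFF_BROADCAST: "BROADCAST", IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING", IFF_PROMISC: "PROMISC", IFF_MULTICAST: "MULTICAST",
}

# Constructed sample rows standing in for xdr_data results (not real telemetry).
SAMPLE_ROWS = [
    {"meta_hostname": "web-01", "interface": "lo",   "flags": 0x49,   "loopback": 1, "promisc": 0},
    {"meta_hostname": "web-01", "interface": "eth0", "flags": 0x1143, "loopback": 0, "promisc": 1},
    {"meta_hostname": "db-02",  "interface": "eth0", "flags": 0x1043, "loopback": 0, "promisc": 0},
    # promisc column set but IFF_PROMISC bit clear: inconsistent row worth a second look
    {"meta_hostname": "db-02",  "interface": "eth1", "flags": 0x1043, "loopback": 0, "promisc": 1},
]


def decode_flags(flags):
    """Return the names of the IFF_* bits set in a netdevice flags value."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def triage(rows):
    """Return one alert per non-loopback interface reported as promiscuous.

    `consistent` is False when the promisc column and the IFF_PROMISC bit
    disagree, so an analyst can check whether the row was collected while
    the interface was changing state.
    """
    alerts = []
    for row in rows:
        if row["loopback"] == 1 or row["flags"] & IFF_LOOPBACK:
            continue  # loopback interfaces are not alerted on
        bit_set = bool(row["flags"] & IFF_PROMISC)
        col_set = row["promisc"] == 1
        if not (bit_set or col_set):
            continue
        alerts.append({
            "host": row["meta_hostname"],
            "interface": row["interface"],
            "flags": decode_flags(row["flags"]),
            "consistent": bit_set == col_set,
        })
    return alerts
```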
Once we have Linux in the lake we will test it :)