Osquery Pack - Coldroot Detection
This search looks for ColdRoot events from the osx-attacks osquery pack.
Osquery Pack - Coldroot Detection Help
In order to run this search properly, Splunk needs to ingest data from your deployed osquery agents with the osx-attacks.conf pack enabled. The TA-OSquery add-on must also be deployed across your indexers and universal forwarders so that the osquery data populates the Alerts data model.
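As an added example (not part of this search or of the osquery project), the filter below shows what the ingested osquery result-log lines look like and isolates rows produced by the ColdRoot query of the osx-attacks pack, keying on osquery's pack_<pack>_<query> naming of scheduled queries. The sample lines are constructed; the query name Coldroot_RAT, the host names and all column values are assumptions.

```python
import json
import re
from typing import Dict, Iterable, List

# osquery logs scheduled queries that come from a pack as pack_<pack>_<query>.
COLDROOT_QUERY = re.compile(r"^pack_osx-attacks_.*coldroot", re.IGNORECASE)

# Constructed sample lines in osquery's result-log format (not real telemetry).
# The query name "Coldroot_RAT", hosts and column values are assumptions.
SAMPLE_RESULTS = """\
{"name":"pack_osx-attacks_Coldroot_RAT","hostIdentifier":"mac-01.example","unixTime":1517998500,"action":"added","columns":{"name":"example.plist","path":"/Library/LaunchDaemons/example.plist"}}
{"name":"pack_osx-attacks_Coldroot_RAT","hostIdentifier":"mac-02.example","unixTime":1517998560,"action":"removed","columns":{"name":"example.plist","path":"/Library/LaunchDaemons/example.plist"}}
{"name":"pack_osx-attacks_Other_Query","hostIdentifier":"mac-03.example","unixTime":1517998600,"action":"added","columns":{"path":"/Users/x/Library/example"}}
{"name":"pack_osx-attacks_Coldroot_RAT","hostIdentifier":"mac-04.example","unixTime":1517998700,"snapshot":[{"name":"example.plist","path":"/Library/LaunchDaemons/example.plist"}]}
this line is not JSON and must be skipped
"""


def coldroot_hits(lines: Iterable[str]) -> List[Dict]:
    """Return one record per host/row where the ColdRoot pack query matched.

    Differential logs: only action == "added" means the artifact appeared;
    "removed" rows are ignored. Snapshot logs: every row in "snapshot" is a hit.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed or truncated line; do not abort the whole scan
        if not COLDROOT_QUERY.match(event.get("name", "")):
            continue
        host = event.get("hostIdentifier", "unknown")
        if "snapshot" in event:
            rows = event["snapshot"]
        elif event.get("action") == "added":
            rows = [event.get("columns", {})]
        else:
            rows = []
        for row in rows:
            hits.append({"host": host, "query": event["name"],
                         "unixTime": event.get("unixTime"), "columns": row})
    return hits


if __name__ == "__main__":
    for hit in coldroot_hits(SAMPLE_RESULTS.splitlines()):
        print(f"{hit['host']}: {hit['query']} -> {hit['columns']}")
```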