Osquery For Security Analysis – Q1 2020 Update

I recently published a major update to my AND course, Osquery For Security Analysis. Lots of content updated, and lots of brand new content including the following:

Deploying osquery with Kolide Launcher

Generating custom osquery packages, deploying them to your endpoints and keeping them updated is alot of work! Fortunately, Launcher makes that whole process much easier. Launcher is yet another opensource toolkit from Kolide. This new lesson walks through a few different options for creating custom osquery install packages and finishes up with how to do it with the Launcher toolkit (my personal recommendation).

CLI Fleet Management

Using a GUI is not alway practical when managing large deployments and makes it especially difficult if you are trying to maintain your configuration, packs and queries under source control. With this in mind, I added a new lesson on using Kolide’s (open source) CLI Fleet management tool, fleetctl. You can use fleetctl to connect to a Fleet instance, run live queries, and import/export queries, packs, and configs.

As a side note, I recently sponsored @TheZachW to integrate goquery into Fleet. fleetctl now has builtin support for goquery!

Tracking Osquery Performance

Lastly, I added a lengthy new section on how to prototype, test and track new queries from a performance perspective. It’s easy to shoot yourself in the foot when scheduling new queries across your osquery endpoints – this section guides you through practical steps you can take to develop and test performant queries in the pre-deployment, deployment and post-deployment phases.

Let me know if there is another topic you would like to see tackled in Osquery For Security Analysis!

-Josh

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close