Osquery For Security Analysis – Q1 2020 Update

I recently published a major update to my AND course, Osquery For Security Analysis. Lots of content updated, and lots of brand new content including the following:

Deploying osquery with Kolide Launcher

Generating custom osquery packages, deploying them to your endpoints and keeping them updated is a lot of work! Fortunately, Launcher makes that whole process much easier. Launcher is yet another open source toolkit from Kolide. This new lesson walks through a few different options for creating custom osquery install packages and finishes up with how to do it with the Launcher toolkit (my personal recommendation).

CLI Fleet Management

Using a GUI is not always practical when managing large deployments, and it makes it especially difficult to maintain your configuration, packs and queries under source control. With this in mind, I added a new lesson on using Kolide’s (open source) CLI Fleet management tool, fleetctl. You can use fleetctl to connect to a Fleet instance, run live queries, and import/export queries, packs, and configs.

As a side note, I recently sponsored @TheZachW to integrate goquery into Fleet. fleetctl now has built-in support for goquery!

Tracking Osquery Performance

Lastly, I added a lengthy new section on how to prototype, test and track new queries from a performance perspective. It’s easy to shoot yourself in the foot when scheduling new queries across your osquery endpoints – this section guides you through practical steps you can take to develop and test performant queries in the pre-deployment, deployment and post-deployment phases.
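As an added example that is not from the course or the post above, the query below is one way to track scheduled-query performance after deployment: it reads osquery's own `osquery_schedule` table, which records per-query execution counters, and ranks the scheduled queries by average wall-clock time per execution and average memory. The column names are taken from the osquery `osquery_schedule` schema; the `denylisted` column is an assumption about the osquery version (older releases name it `blacklisted`), and the 5-second threshold is a constructed value you would tune for your fleet.

```sql
-- Added example: rank scheduled queries by cost, using osquery's
-- built-in osquery_schedule table (run via osqueryi or a Fleet live query).
-- wall_time, user_time and system_time are cumulative across executions,
-- so divide by executions to get a per-run average.
SELECT
  name,
  interval,
  executions,
  -- average wall-clock seconds per execution (avoid divide-by-zero for
  -- queries that have not run yet)
  CASE WHEN executions > 0
       THEN ROUND(CAST(wall_time AS REAL) / executions, 2)
       ELSE 0 END                       AS avg_wall_sec,
  average_memory                        AS avg_mem_bytes,
  output_size,
  denylisted,                           -- assumption: column name varies by osquery version
  datetime(last_executed, 'unixepoch')  AS last_run,
  -- constructed threshold: flag queries that average more than 5s per run
  CASE WHEN executions > 0 AND CAST(wall_time AS REAL) / executions > 5
       THEN 'REVIEW' ELSE 'ok' END      AS verdict
FROM osquery_schedule
ORDER BY avg_wall_sec DESC, avg_mem_bytes DESC;
```

Scheduling this query itself at a long interval (for example hourly) and shipping its results to your log pipeline gives you a per-host time series of query cost, which is what lets you spot a pack that regressed after a config change rather than finding out from a CPU alert on the endpoint. A query that shows up as `denylisted` has already been disabled by osquery's watchdog for exceeding its resource limits and is the first thing to rewrite.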

Let me know if there is another topic you would like to see tackled in Osquery For Security Analysis!

-Josh
