Osquery Deep Dive: Doing Low Level Analytics and Monitoring for Windows/Linux/macOS

Webinar Registration

How would you like to query your systems like a DB – with SQL- to do things like find all processes running without an EXE on the file system? (you do know why that’s important, right? File-less malware?) Here’s an Osquery that does just that:

SELECT name, path, pid FROM processes WHERE on_disk = 0;

OSQuery is an open-source operating system instrumentation framework licensed under Apache and it runs on Windows, Linux and macOS. You can query nearly anything about those Oss including:

  • Accounts
  • Policy
  • Firmware
  • Installed applications
  • Files and permissions
  • Authenticode code signatures of binaries
  • Hardware
  • Browser plugins
  • PowerShell events
  • Registry
  • Scheduled Tasks
  • Shared Folders

There are tons more – I just picked some highlights.

All of this information is surfaced as “tables” that you can query with good ole SQL.

This ability is incredibly valuable for administration and more importantly security. You can easily and quickly ask questions about your systems. 

But Osquery goes further and allows you to detect change. Basically, you define queries that Osquery periodically runs and then compares to the previous query to provide you with the delta (aka change).

So, you could setup a query to let you know whenever a new EXE or DLL shows up on your system based on its hash as just one example.

Osquery can send it’s output multiple places – including the Windows Event Log, which means you can collect and aggregate the data.

In this real training for free session, we will:

  1. Install Osquery live in my lab
  2. Run some very cool example queries
  3. Discuss how to install and manage Osquery across your environment
  4. Explore Osquery output and logging
  5. Understand Osquery’s ability to monitor for change

I’m joined by Tristan Morris from Carbon Black, our sponsor, who will show you how Carbon Black has built Osquery into their products and how they are contributing to the Osquery community. You’ll see how a real-time security operations solution enables organizations to ask questions of all endpoints and act to remediate in real time.

Please join us for this real training for free event.

First Name:   
Last Name:   
Work Email:  
Phone:  
Job Title:  
Organization:  
Country:    
State:  
Zip/Postal Code:  
Industry:  
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.

 

 

Additional Resources