Channel: Defensive Depth


Integrating Osquery Into Security Onion

I recently presented at the 2018 Security Onion Conference, on “Integrating Osquery Into Security Onion.”  You can find the slide deck here [pdf]. The core of the presentation was focused on some basic...





Tag osquery logs with ATT&CK IDs

Just a quick tip: Tag your osquery queries/logs with @MITREattack IDs like so: SELECT username, shell, 'T1136' AS attckID FROM users;


Logstash Parsing – Windows Event Logs shipped by osquery

Did you know that you can ship Windows event logs with osquery? Just use the windows_events evented table, which by default gets logs from the following channels: System, Security, and Application....


Osquery – JOIN with Users table not returning results

This is a question that I have seen asked many times (and yes, a few of those were me!): “I can’t figure out why my query isn’t working. `SELECT * FROM users JOIN chrome_extensions USING (uid);` works...


Osquery – Enriching Chrome Extension Data

I am always looking for ways to gain further context around data in order to make more effective decisions about what's actually going on. Last fall I was looking at the data provided by the...




Detecting Internet-Exposed Services (That shouldn’t be)

I recently woke up to this email from Digital Ocean: Hi there, On December 4, 2019, we identified a bug in our systems that affected how Cloud Firewalls were applied to some Droplets. From November 20,...



Osquery For Security Analysis – Q1 2020 Update

I recently published a major update to my AND course, Osquery For Security Analysis. Lots of content updated, and lots of brand new content including the following: Deploying osquery with Kolide...


Kolide Fleet – Breaking out the osquery API & Web UI

I was a very early user of Kolide’s open source osquery fleet manager, Fleet. I have used it in production for my osquery endpoints, within my osquery course (Osquery For Security Analysis), and now,...




Osquery Handout – Query Performance

It’s easy to shoot yourself in the foot when scheduling new queries across your osquery endpoints – this new handout guides you through practical steps you can take to develop and test performant...




Osquery Handout – SQL Filtering

Filtering out unneeded / known-good data is a key component to security operations – this handout guides you through the use of the most common SQL filtering operators that you can use with osquery....
