Getting Started with osquery
Learn how to deploy, configure, and use osquery to improve security by increasing visibility, detecting suspicious activity, and implementing features like File Integrity Monitoring, using this great cross-platform tool.
What you'll learn
Understanding how to leverage the power of osquery to solve security problems can seem complicated.
In this course, Getting Started with osquery, you will gain the ability to not only install and configure osquery, but also to understand different aspects of using it in a real environment.
First, you"ll learn how to install it on Linux and Windows.
Next, you'll discover how the power of SQL can be used with it to solve security problems, like identifying what processes are being executed where, and real-time events will be leveraged so you can learn how to monitor activity between scheduled query intervals and implement File Integrity Monitoring.
Finally, you'll explore how to plan for a real deployment of osquery, including the use of advanced options like TLS logging and extensions.
When you're finished with this course, you'll have the skills and knowledge of osquery needed to plan a deployment and start writing queries that will help you get answers to your most important endpoint security questions.
Software required: a Linux (Ubuntu, Debian, Redhat or CentOS) system with the latest version of osquery stable.
Table of contents
- Getting Started with JOIN 4m
- Demo 1a: Mapping Processes to User Accounts 5m
- Demo 1b: Mapping Processes to Open Ports and Users via Multiple JOINs 5m
- Demo 2a: Creating SSH Keys and Querying the Shell History 5m
- Demo 2b: Finding Chrome Extensions for Specific Users 3m
- Demo 2c: Identifying (Un)Encrypted SSH Keys 1m
- Summarizing the Benefits of JOIN 1m
About the author
Guillaume Ross is an experienced information security professional, providing services to many organizations as the lead consultant and founder of Caffeine Security Inc. Having worked in multiple verticals, from Fortune 50 to startups, his specialty is providing the right security program and architecture for each specific environment and company, and leading blue teams.