Network Defense.IO Osquery for Security Analysis

29/06/2020 Learning for Life

English | Size: 1.16 GB
Category: Tutorial

Improve your host-based investigation skills by learning how to use Osquery to interrogate suspicious processes, uncover persistence mechanisms, utilize enterprise-wide threat hunting techniques, and more!
Course Description

Take sixty seconds and imagine yourself in this scenario.

A production server that doesn’t normally communicate over the internet is exhibiting suspicious characteristics. It’s sending out weird bursts of network traffic to an external host you don’t know anything about. The traffic is encrypted, so network data won’t be helpful. You have to rely exclusively on host-based evidence to figure out what’s happening.

Now be completely honest with yourself. Would you be able to come to a conclusion about whether an attack has occurred? Would you be able to do it quickly? Would you be 100% certain about your determination?

If you answered no to any of those, then you aren’t alone. The truth is, investigating things on the host is overwhelming. There are so many places to look: the registry, prefetch, disk artifacts, operating system logs…the list goes on.

The problem isn’t just the number of rabbit holes, it’s that each one requires a different tool to access and parse the data. A question as simple as “Did the malware execute after it was downloaded?” might require a combination of a dozen complicated and unmaintained open-source tools or a pricey commercial solution.

I always thought there needed to be a better, more consistent way to find host-based evidence. When I discovered Osquery, I knew I had found it.

Osquery is a free endpoint visibility tool originally developed by Facebook. Osquery sees every endpoint device on your network as a database. This provides three benefits to security analysts:

Benefit #1: Simple questions, simple answers

Seeing a system like a database means you can ask questions in the form of database queries. Common evidence locations exist as tables that you can explore using SQL. The beauty is that these tables and the query language are mostly consistent across all your hosts. Write the query once and use it over and over again.

Benefit #2: Ask questions at scale

If you run into something weird, you’ll probably ask “Have I seen this on another host?” Pairing Osquery with Kolide Fleet (also free) provides a centralized console for querying every host across your network. You’ll know quickly if that suspicious process is actually malware or something the entire accounting department runs.

Benefit #3: It works everywhere

Osquery runs on Windows, macOS, and nearly every modern version of Linux. That means you can use it across your entire environment. That’s more than most EDR tools can claim.

Osquery is one of the most effective ways to perform host-based investigations at scale on your network.
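To make the "host as a database" idea concrete, here is an added example query (mine, not part of the course) for the scenario at the top of the page: a server talking to an unknown external host. It assumes the standard osquery `processes`, `process_open_sockets`, `users`, `hash` and `crontab` tables; the `/path/from/first/query` value is a placeholder.

```sql
-- Added example, not course material. One row per process that currently
-- holds an internet-facing socket, answering "which process, run by whom,
-- from which binary, talking to where?" in a single query.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.on_disk,                                      -- 0: binary deleted after launch
  datetime(p.start_time, 'unixepoch') AS started_at,
  u.username,
  s.remote_address,
  s.remote_port,
  h.sha256                                        -- pivot value for fleet-wide hunting
FROM process_open_sockets s
JOIN processes p ON p.pid = s.pid
LEFT JOIN users u ON u.uid = p.uid
LEFT JOIN hash  h ON h.path = p.path
WHERE s.remote_address != ''
  AND s.remote_port != 0
  -- Drop loopback and RFC 1918 ranges so only external peers remain.
  -- The 172.x patterns are an approximation of 172.16.0.0/12: they also
  -- exclude 172.10 to 172.15 and 172.32 to 172.39. Tighten for your network.
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '172.1_.%'
  AND s.remote_address NOT LIKE '172.2_.%'
  AND s.remote_address NOT LIKE '172.3_.%'
  AND s.remote_address != '::1'
  AND s.remote_address NOT LIKE 'fe80:%';

-- Follow-up for the "persistence mechanisms" question: does a cron entry
-- point back at the binary found above? The crontab table exists on Linux
-- and macOS; on Windows look at scheduled_tasks and startup_items instead.
SELECT path, command
FROM crontab
WHERE command LIKE '%/path/from/first/query%';    -- placeholder: paste p.path here
```

Run the first query through Kolide Fleet against every host to see whether the same `sha256` appears elsewhere, which is the "have I seen this on another host?" check from Benefit #2.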

Now, I’m excited to offer an online course dedicated to teaching you how to use Osquery to become a better investigator.

DOWNLOAD:

https://rapidgator.net/file/069a31bbd53b1a99f111d3474e97bf36/Osquery_for_Security_Analysis.part1.rar.html
https://rapidgator.net/file/2b37a9bbf1da6a7e28d9fc050d100521/Osquery_for_Security_Analysis.part2.rar.html

https://nitroflare.com/view/EFA015BC5BD8746/Osquery_for_Security_Analysis.part1.rar
https://nitroflare.com/view/0277CF730C6849C/Osquery_for_Security_Analysis.part2.rar
