osquery—Windows, macOS, Linux Monitoring and Intrusion Detection

Thursday, November 02, 2017 - 2:00 pm–3:30 pm

Teddy Reed and Mitchell Grenier, Facebook


This workshop is an introduction to osquery, an open source SQL-powered operating system agent for host visibility and analytics. Osquery was created by the Facebook Security team and is actively developed by Facebook and the open source community. It is currently used by many companies for collecting host forensics and proactively hunting for abnormalities. Osquery makes it easy to ask targeted or broad questions about your heterogeneous infrastructure. This workshop is very hands-on, and we expect participants to be comfortable with a command-line interface. The workshop is broken into three components:

Part I - osquery zero -> hero: The first section of the workshop will make use of the interactive osquery command line tool (osqueryi) to explore your operating system. The goal of this section is to get participants familiar with writing SQL statements and to understand how osquery makes use of core tables to abstract operating system concepts.
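The queries below are an added example, not part of the workshop materials, of the kind of osqueryi session Part I describes: each statement is pasted into osqueryi on its own and answers one question about the host using osquery's core tables (processes, users, listening_ports, hash). The pid 4242 in the last query is a placeholder to replace with a pid of interest.

```sql
-- Added example (not from the workshop materials): exploration queries for
-- osqueryi, run one at a time. Results vary by host and platform.

-- 1. Which processes are listening on non-loopback addresses, and as which user?
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path, u.username
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- 2. Running processes whose executable is no longer on disk (on_disk = 0;
--    -1 means osquery could not determine it). Worth a second look during IR.
SELECT pid, name, path, cmdline, uid, parent
FROM processes
WHERE on_disk = 0;

-- 3. SHA-256 of every running process image. The hash table requires a path
--    constraint; the join supplies one path per process row.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != '';

-- 4. Ancestry of one process, walked up the parent chain with a recursive CTE
--    (osquery's SQL engine is SQLite, so WITH RECURSIVE is available).
--    4242 is a placeholder pid.
WITH RECURSIVE ancestry(pid, parent, name, cmdline, depth) AS (
  SELECT pid, parent, name, cmdline, 0 FROM processes WHERE pid = 4242
  UNION ALL
  SELECT p.pid, p.parent, p.name, p.cmdline, a.depth + 1
  FROM processes AS p JOIN ancestry AS a ON p.pid = a.parent
  WHERE a.depth < 32 AND a.parent > 0
)
SELECT depth, pid, parent, name, cmdline FROM ancestry ORDER BY depth;
```

Query 1 is the pattern the workshop's "core tables abstract operating system concepts" point is about: the same three-table join answers the question on Windows, macOS and Linux, because osquery maps each platform's process and socket APIs onto identical columns.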

Part II - osquery at scale: The second part of the workshop will focus on automation and deployment of osquery at a larger scale. You will learn how to configure the osquery daemon (osqueryd) and to write “query packs”. The daemon is a persistent agent that logs events and state changes according to a schedule of queries. Packs are used to share sets of common queries.

Part III - File Integrity Monitoring (FIM), Linux process auditing, and Windows event log collection: The last part of the workshop focuses on three parts of osquery's eventing features: FIM, process auditing, and Windows event logs. You will add several paths to your configuration and begin collecting hashes when files are updated or created. You will start collecting all execve, bind, and connect syscall arguments on Linux and track inbound SSH connections and the tree of processes launched. You will learn about Windows event logs and how to audit all PowerShell executions.
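As an added example (not the workshop's own pack or configuration), the queries below are the SQL you would place in the "queries" entries of a query pack, as described in Part II, to collect what Part III enumerates: FIM hashes from file_events, execve arguments from process_events, bind/connect arguments from socket_events, the process tree under sshd, and PowerShell activity from windows_events. The comment header lists the daemon flags each table depends on as named in osquery releases of the time; verify them against `osqueryd --help` for the build you deploy, since the flags are an assumption of this example rather than something the workshop text states.

```sql
-- Added example (not from the workshop materials): pack-style queries over
-- osquery's eventing tables. Each table needs its publisher enabled when
-- osqueryd starts; flag names below are those of 2017-era releases:
--   file_events    : --enable_file_events=true plus a "file_paths" config section
--   process_events : --disable_audit=false (Linux, auditd-backed)
--   socket_events  : --disable_audit=false --audit_allow_sockets=true
--   windows_events : --enable_windows_events_subscriber=true, channel listed
--                    in --windows_event_channels

-- FIM: files created or updated under the watched paths, with hashes.
-- Hashes are computed only for CREATED/UPDATED rows; DELETED rows carry none.
SELECT time, action, target_path, category, uid, size, sha256
FROM file_events
WHERE action IN ('CREATED', 'UPDATED')
ORDER BY time DESC;

-- Process auditing: every execve with full argument vector and working dir.
-- auid is the login uid, which survives su/sudo and ties the exec to a person.
SELECT time, pid, parent, auid, uid, euid, path, cmdline, cwd
FROM process_events
ORDER BY time DESC;

-- Socket auditing: new listeners (bind) and outbound connections (connect),
-- each tied back to the executable that made the syscall.
SELECT time, action, pid, path,
       CASE action WHEN 'bind' THEN local_address ELSE remote_address END AS address,
       CASE action WHEN 'bind' THEN local_port    ELSE remote_port    END AS port,
       success
FROM socket_events
WHERE action IN ('bind', 'connect')
ORDER BY time DESC;

-- Inbound SSH: remote interactive sessions currently logged in.
SELECT type, user, host, tty, time, pid
FROM logged_in_users
WHERE host != '';

-- Tree of processes launched under sshd, reconstructed from the exec stream.
-- Caveat: pids are reused, so the time constraint on the join limits but does
-- not eliminate false links; correlate with auid when in doubt.
WITH RECURSIVE ssh_tree(pid, parent, path, cmdline, time, depth) AS (
  SELECT pid, parent, path, cmdline, time, 0
  FROM process_events WHERE path LIKE '%/sshd'
  UNION ALL
  SELECT pe.pid, pe.parent, pe.path, pe.cmdline, pe.time, t.depth + 1
  FROM process_events AS pe
  JOIN ssh_tree AS t ON pe.parent = t.pid AND pe.time >= t.time
  WHERE t.depth < 16
)
SELECT depth, pid, parent, path, cmdline, time FROM ssh_tree ORDER BY time;

-- Windows: PowerShell module logging (4103) and script-block logging (4104)
-- from the PowerShell Operational channel. The host must have script block
-- logging enabled (Group Policy) or 4104 events are never written.
SELECT datetime, eventid, provider_name, data
FROM windows_events
WHERE source = 'Microsoft-Windows-PowerShell/Operational'
  AND eventid IN (4103, 4104)
ORDER BY time DESC;
```

When scheduling these in a pack, keep the eventing queries' intervals short relative to the event buffer's expiry so rows are not evicted before they are logged; the daemon returns only events that arrived since the query last ran, so each row is logged once.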

@conference {207235,
author = {Teddy Reed and Mitchell Grenier},
title = {osquery{\textemdash}Windows, macOS, Linux Monitoring and Intrusion Detection},
year = {2017},
address = {San Francisco, CA},
publisher = {{USENIX} Association},
}

Who should attend:

Ideal students for this course would be:

  • Members of an enterprise IR team, network defenders, systems administrators
  • Enterprise security tool developers
  • People excited about open source security tools and development

Take back to work:
  • Understanding of how osquery may complement your existing endpoint detection
  • How to deploy osquery on Windows, macOS, or Linux fleets
  • Overview of common log aggregation architectures for osquery data
  • Simple indicator-based malware detection queries for macOS
  • Windows event log collection and PowerShell auditing

Topics include:
  • Host intrusion detection
  • File integrity monitoring
  • Process auditing (accounting)
  • Windows event logs
  • Configuration monitoring
  • Vulnerability management and detection