osquery—Windows, macOS, Linux Monitoring and Intrusion Detection

This workshop is an introduction to osquery, an open source SQL-powered operating system agent for host visibility and analytics. Osquery was created by the Facebook Security team and is actively developed by Facebook and the open source community. It is currently used by many companies for collecting host forensics and proactively hunting for abnormalities. Osquery makes it easy to ask targeted or broad questions about your heterogeneous infrastructure. This workshop is a very hands-on training and we expect participants to be comfortable with CLI. The workshop is broken into three components:

Part I - osquery zero -> hero: The first section of the workshop will make use of the interactive osquery command line tool (osqueryi) to explore your operating system. The goal of this section is to get participants familiar with writing SQL statements and to understand how osquery makes use of core tables to abstract operating system concepts.

Part II - osquery at scale: The second part of the workshop will focus on automation and deployment of osquery at a larger scale. You will learn how to configure the osquery daemon (osqueryd) and to write “query packs”. The daemon is a persistent agent that logs events and state changes according to a schedule of queries. Packs are used to share sets of common queries.

Part III - File Integrity Monitoring (FIM), Linux process auditing, and Windows event log collection: The last part of the workshop focuses on three parts of osquery's eventing features: FIM, process auditing, and Windows event logs. You will add several paths to your configuration and begin collecting hashes when files are updated or created. You will start collecting all execve, bind, and connect syscall arguments on Linux and track inbound SSH connections and the tree of processes launched. You will learn about Windows event logs and how to audit all Powershell executions.