Osquery for Security Analysis
Take sixty seconds and imagine yourself in this scenario.
A production server that doesn’t normally communicate over the internet is exhibiting suspicious characteristics. It’s sending out weird bursts of network traffic to an external host you don’t know anything about. The traffic is encrypted, so network data won’t be helpful. You have to rely exclusively on host-based evidence to figure out what’s happening.
Now be completely honest with yourself.
Would you be able to come to a conclusion about whether an attack has occurred? Would you be able to do it quickly? Would you be 100% certain about your determination?
If you answered no to any of those, then you aren’t alone. The truth is, investigating things on the host is overwhelming. There are so many places to look: the registry, prefetch, disk artifacts, operating system logs…the list goes on.
The problem isn’t just the number of rabbit holes, its that each one requires a different tool to access and parse the data. A question as simple as “Did the malware execute after it was downloaded?” might require a combination of a dozen complicated and unmaintained open sources tools or a pricey commercial solution.
I always thought there needed to be a better, more consistent way to find host-based evidence. When I discovered Osquery, I knew I had found it.
Osquery is a free endpoint visibility tool originally developed by Facebook. Osquery sees every endpoint device on your network as a database. This provides three benefits to security analysts:
Benefit #1: Simple questions, simple answers
Seeing a system like a database means you can ask questions in the form of database queries. Common evidence locations exist as tables that you can explore using SQL. The beauty is that these tables and the query language are mostly consistent across all your hosts. Write the query once and use it over and over again.
Benefit #2: Ask questions at scale
If you run into something weird, you’ll probably ask “Have I seen this on another host?” Pairing Osquery with Kolide Fleet (also free) provides a centralized console for querying every host across your network. You’ll know quickly if that suspicious process is actually malware or something the entire accounting department runs.
Benefit #3: It works everywhere
Osquery runs on Windows, macOS, and nearly every modern version of Linux. That means you can use it across your entire environment. That’s more than most EDR tools can claim.
Osquery is one of the most effective ways to perform host-based investigations at scale on your network.
Now, I’m excited to offer an online course dedicated to teaching you how to use Osquery to become a better investigator.
Osquery for Security Analysis will teach you how to use Osquery to perform thorough investigations of hosts on your network. This isn’t just an Osquery tutorial; it’s a course designed to help you improve your host-based investigation skills using one of the best tools for the job.
- How to craft SQL queries to interrogate Windows, Linux, and MacOS hosts
- Common queries for performing software inventory and asset control
- Strategies for interrogating processes to determine if they are malicious
- Techniques for uncovering persistence and lateral movement
- Triaging suspicious systems using high-value data tables
- Hunting leveraging MITRE ATT&CK techniques
- Complete deployment of distributed Osquery across your network using FleetDM and ElasticStack
- How to leverage differential queries to monitor state changes and generate alerts
- Extending Osquery with extensions
If you want to level up your host-based investigation skills using one of the best open source tools available, Osquery for Security Analysis is the course you’re looking for.
You can view the detailed course syllabus here.
Osquery for Security Analysis Includes:
Over 5 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept at using Osquery and improve your host interrogation skills.
Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by downloading compromised virtual machines and using Osquery to figure out what happened. You’ll also complete a final challenge using Kolide Fleet to investigate multiple systems in a real-world scenario.
Our Osquery investigation cheat sheet. We’ve picked our favorite queries and combined them into a quick reference cheat sheet. I keep mine in my desk drawer and use it all the time!
Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.
Are there any prerequisites or lab requirements for this course?
This course is designed for all security practitioner skill levels and assumes no prior Osquery or host-based forensic experience. To complete the lab exercises your system must be capable of running a virtualization platform such as VMWare or VirtualBox as you’ll be asked to download and run virtual machines. Additional lab exercises are conducted entirely via Fleet access in the web browser.
How much time does it take to do this course?
Given the amount of content, it takes people dramatically different times to complete the material. If you focus all your time on it, you can complete everything in about a week. Most choose to spread it out over a few weeks as they take time to practice the concepts demonstrated.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course averages 12 hours of video+lab work.
Do you offer discounts for groups from the same organization?
Yes. To inquire about discounts or group invoices please contact us at firstname.lastname@example.org.
Meet the Course Author – Josh Brower
Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last decade focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners – helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.
You can catch him on twitter @DefensiveDepth.
“Osquery is definitely worth taking. Osquery provides for Linux and MacOS what sysmon does for Windows. What surprised me most was the depth of the course. I expected some articles and videos about using osquery and just an explanation about osquery distributed. Josh Brower did an absolutely awesome job. There is a lot of “bang for your buck. I highly recommend this course.” – Mark Thompson
“Easy and clear deployment of the elements. In minutes, you can clearly study any machine and possible issues in that.”
“[The class] helped me understand better the data sources on Mac, Windows, and Linux.” – Mark
“This is a great way to practically learn how to use Osquery in a distributed fashion. The course doesn’t only teach how to use the tool, it teaches the real-world techniques of threat hunting across different operating systems.” – Paul Masek