I’m excited to share that we have just released free online training to introduce you to osquery. Our goal was to combine quick setup and hands on labs with complete accessibility, so that anyone who wanted to give osquery a try, could.
The idea to do free osquery training began earlier this year when I offered to do a presentation to introduce the FIRST community to osquery at their annual conference. The conference committee asked if I could actually support a hands-on workshop instead. I remembered my first interactions with osquery. There were a bunch of gotchas that were not immediately obvious.
When I finally figured out how to bring the right queries together, I was super excited as a security practitioner about the wealth of data I could get, how easily I could get it (once I knew what I was doing), and all of the potential places that I thought osquery could go. I wanted to help others reach that aha! moment too, although maybe in less time and with less frustration.
So, I accepted the challenge from FIRST and created a hands-on lab component (which I initially field tested in Washington DC) to present at the FIRST conference in Kuala Lumpur to a room of about forty incident response practitioners. (Here’s my FIRST Conference presentation and an attendee’s review of various sessions, including the workshop.) People enjoyed having a quick and simple process to get up on osquery and immediately start practicing basic to advanced queries that taught them about SQL, and let them witness the power of osquery in a classroom environment. For a bonus, I also covered some of the trickier concepts for those just starting out, such as how to capture system events with osquery, and how it works with additional third party open-source tools like augeas and prometheus.
Uptycs offered the course again during B-Sides Las Vegas and Black Hat later in the summer, and despite crazy packed schedules, interest was very high, attendance was solid and feedback was again quite positive. However, as much as I love going to conferences and spreading the word about osquery, I recognized that it wasn’t the most scalable or accessible way to help people learn and reach that aha! moment. After B-Sides, we began looking at a way to make it more widely available, and presenting it online seemed a logical choice.
As osquery evolves, there is more and more interest in the project among people with limited or no experience using osquery, and thus a corresponding need for training and onboarding resources exists. Numerous entities are jumping into the training arena for osquery, with several announcements in the past weeks. However, creating these workshops and training takes time, effort, and resources . . . so logically, most of the more detailed training offering advanced osquery deployment practices is not free. After some internal discussions at Uptycs, we agreed that, for this introductory training, there was greater benefit if we shared it freely with the community. Getting the word out and getting new people to see what osquery is capable of will increase interest and hopefully participation on the community, and that will drive future adoption, improvements, and products on top of that.
I hope that you have the chance to check out the training by signing up here - go give the videos and labs a whirl!