The Best of Osquery@scale: Detection & Incident Response

Tags: ,
Blog Author
Brian Thomas

Here we are again to continue with our osquery@scale best of series. Who’s pumped to dive into some great detection and incident response content? Of all the use cases for osquery, this is the one that usually gets the crowd going since it’s such a vital part of our jobs.


Hearing best practices from great speakers on such an important topic is why we love hosting the osquery@scale conference. That’s why we love that every year we get to bring together this community of security practitioners and leaders who are passionate about exploring and finding better ways to do things. And, indicative of what a great community it is, we’re always amazed at how willing everyone is to share what they’ve learned and their hard-won knowledge.


Previous years have seen speakers from all walks of security bring their wealth of experience to share with the community. Detection and incident response can keep a lot of people up at night, so check out some of our favorite talks osquery@scale attendees have given over the years to see if we can help you sleep a little better using the power of osquery.


How Stripe Is Actioning The osquery API at Scale

Way back in a pre-pandemic 2020 we had the pleasure of hosting a great presentation from Matthew Kemelhar and Russ Nolen from the security team at fintech giant, Stripe. Matthew is the Threat Operations Manager and Russ is a Security Engineer from Stripe, and they gave us some great insight into how their team is leveraging osquery for investigations. Their decision to onboard osquery initially started off as an effort to solve for three problems: how to eliminate the need to recreate detection or alert logic with every new tool, how to enable other teams who need info without direct access to security tooling, and centralizing a source of all company specific detections. But once they brought in osquery they realized how it could be used to codify their detection strategy.


In this talk, they go into some pretty awesome detail on how to codify collection and analyze osquery data as well as integrate the data with other systems for investigation and response.

Video 1: How Stripe is actioning the osquery API at scale


osquery@scale register now cta

You've been breached! Deploying osquery (fast) to support incident response

One of the most under-appreciated (if you ask us at least) features of osquery is the ability to provide structured telemetry from any environment you have the agent running in. As Josh Lemon of Ankura discusses, this feature is especially useful in the post-2020 world where so many organizations have remote workers. osquery allows telemetry to be pulled off of endpoints and sent to a centralized location for analysis.


This is especially useful in reconstructing incidents that already occured in the past. So if you work at an organization that doesn't have existing endpoint telemetry in place, and you fall victim to a cyberattack, osquery is a tool you can rapidly deploy to assist your incident response team to reconstruct what has happened, even when the endpoints are remote.

Video 2: Deploying osquery (fast) to support incident response


Resource Efficient Malware Scans with YARA + osquery

We dug up this 2020 throwback gem from Uptycs’ own Julian Wyatt. Julian is lowkey one of the best osquery experts we’ve ever seen (hence why we hired him). Here he digs into how you can use YARA rules in osquery to create a powerful malware scanning combination.


One of the biggest challenges to malwares scanning is that filehash malware detection is relatively easy to circumvent as threat actors easily morph code to create "new" variants, rendering old IOC's useless. YARA, uses a different approach. Its rules match to small segments of code within the malware, making traditional morphing techniques easier to detect. The challenge can be knowing which files to scan with YARA, as scanning everything can be expensive.


This is where osquery can tell us exactly which files have been executed, and therefore which files to scan. Even if a file has not been executed, osquery can be used to create whitelists from golden images and identify suspect binaries.

Video: Resource Efficient Malware Scans with YARA + osquery


osquery@scale 2022

Want to see more great content like that? Or even better, how about meeting the community and making some great connections? Then join us in San Francisco September 14th for the next osquery@scale conference.

osquery@scale register now cta