
[Video] Incident Investigation with Uptycs and Osquery

Written by Pat Haley | 7/18/19 12:43 PM

It’s back! osquery@scale ‘22: Risk Reduction for Modern Defenders will be happening in person at San Francisco’s Exploratorium on September 14 & 15. Join us for 2 days of captivating content, hands-on learning, and fun with your fellow osquery community members. 

This video features Pat Haley, our Principal Sales Engineer, walking through the strengths and challenges of osquery, how osquery can be used for incident investigations, and how Uptycs can add value to an osquery deployment of any size.


Incident investigation is one of the top osquery use cases. However, when it comes to using osquery at any real scale, security engineers and analysts should be aware of these hurdles:

  1. No built-in way to deploy to multiple machines. osquery is great on a single machine, but how do you manage osquery and the data it collects across tens, hundreds or even thousands of machines?
  2. No pre-built queries. What data do you actually need to collect? What questions will you ask of a host to get the answers you're looking for?
  3. No correlation with external data (e.g. threat intel). How do you know whether something in the data indicates potentially malicious activity?

Pat will walk through how the Uptycs architecture is purpose-built for osquery and how it resolves these challenges.

Viewers can see a real-world incident investigation scenario that highlights why osquery is so well suited to be the telemetry collection tool of choice. Finally, we will answer questions about the real-world scenario by executing the following queries in the Uptycs platform:

  • SELECT pid, name, path, cmdline FROM processes WHERE name = 'netcat'
  • SELECT host, time FROM dns_lookup_events WHERE question = 'bad_domain'
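The correlation step behind hurdle 3, as an added example that is not from this post or the Uptycs platform: a small Python script that takes the JSON `osqueryi --json` emits for the two queries above (the rows here are constructed, not real data) and matches them against a constructed watch list of process names and set of threat-intel domains, returning the hosts that need a closer look.

```python
"""Correlate osquery query results with a threat-intel list (added example)."""
import json

# Constructed sample rows, shaped like `osqueryi --json` output for the two
# queries in the post. osquery emits every column value as a string.
PROCESSES_JSON = """[
 {"pid":"4012","name":"netcat","path":"/usr/bin/netcat","cmdline":"netcat -l -p 4444"},
 {"pid":"811","name":"sshd","path":"/usr/sbin/sshd","cmdline":"/usr/sbin/sshd -D"}
]"""

DNS_EVENTS_JSON = """[
 {"host":"web-01","time":"1563454980","question":"bad_domain"},
 {"host":"web-01","time":"1563454990","question":"updates.example.org"},
 {"host":"db-02","time":"1563455100","question":"BAD_DOMAIN."}
]"""

# Constructed indicators; in a real deployment these come from a threat-intel
# feed and a reviewed list of tools that should not appear on production hosts.
INTEL_DOMAINS = {"bad_domain"}
WATCHED_PROCESS_NAMES = {"netcat", "nc", "ncat"}


def load_rows(raw):
    """Parse osqueryi JSON output into a list of row dicts."""
    return json.loads(raw)


def flag_processes(rows):
    """Return process rows whose name is on the watch list."""
    return [r for r in rows if r["name"] in WATCHED_PROCESS_NAMES]


def normalize_domain(question):
    """Lower-case and strip a trailing dot so FQDN variants match the feed."""
    return question.lower().rstrip(".")


def flag_dns(rows):
    """Return (host, unix_time, question) for lookups that hit an intel domain."""
    return [(r["host"], int(r["time"]), r["question"])
            for r in rows if normalize_domain(r["question"]) in INTEL_DOMAINS]


def hosts_to_investigate(rows):
    """Map each host with an intel hit to the earliest matching lookup time."""
    first_seen = {}
    for host, t, _ in flag_dns(rows):
        first_seen[host] = min(t, first_seen.get(host, t))
    return first_seen
```

The earliest-hit timestamp per host is the pivot point for the process query: run the `processes` query against that host and compare the results with the `dns_lookup_events` timeline.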