What is osquery?
Osquery is a an open-source, cross-platform agent that turns your operating system into a virtual database, letting you leverage the power of the SQL language to ask anything from your system. Over 200 tables let you understand what processes are running, what users are logged in, where the machine is connected, what files are on disk and much, much more. Due to its flexibility and power, it makes an amazing tool for threat hunting, security monitoring, and even IT operations.
Where can I find more info about osquery + ATT&CK?
The topic of this webinar stems from a project that Guillaume has been working on since early 2019. While unfinished, he continues to update and tailor the presentation to fit the interests (and provide value to) of audiences at conferences such as:
- 2019 MacAdmins Conference
- SANS Security Operations Summit 2019
- DEF CON 27
Guillaume's presentation at the SANS SOC Summit 2019 earned him accolades in the "Staff Picks for Splunk Security Reading June 2019".
If this topic is of interest to you and/or your team, we encourage you to explore the work of Filippo Mottini (GitHub/Twitter: @teoseller). Filipo has gradually been working on mapping the MITRE ATT&CK Matrix to osquery and then creating query packs that can be used for osquery enterprise threat hunting. Learn more about this project here.
How do I learn more about the Uptycs Osquery-Powered Security Analytics Platform?