# Osquery kolide how to
Osquery sees every endpoint device on your network as a database. Common evidence locations exist as tables that you can explore using SQL. Seeing a system like a database means you can ask questions in the form of database queries. This provides three benefits to security analysts:

Benefit #1: Simple questions, simple answers. The beauty is that these tables and the query language are mostly consistent across all your hosts. Osquery runs on Windows, macOS, and nearly every modern version of Linux. That means you can use it across your entire environment. That’s more than most EDR tools can claim.

If you run into something weird, you’ll probably ask “Have I seen this on another host?” Pairing Osquery with Kolide Fleet (also free) provides a centralized console for querying every host across your network. Write the query once and use it over and over again. You’ll know quickly if that suspicious process is actually malware or something the entire accounting department runs.

Osquery is one of the most effective ways to perform host-based investigations at scale on your network. Now, I’m excited to offer an online course dedicated to teaching you how to use Osquery to become a better investigator.
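The “Have I seen this on another host?” pivot described above is a single query against two osquery tables. The following is an added example, not code from the original post or from the osquery or Kolide projects; it assumes the standard `processes` and `hash` tables, and the SHA-256 value is an obvious placeholder to be replaced with the hash of the binary under investigation.

```sql
-- Added example: list every running process whose on-disk binary matches a
-- known hash. The same query can be saved once in Kolide Fleet and run live
-- against every host in the environment.
-- The sha256 below is a PLACEHOLDER, not a real indicator; substitute the
-- hash of the binary you are investigating.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent,
  datetime(p.start_time, 'unixepoch') AS started_utc,
  h.sha256
FROM processes AS p
JOIN hash      AS h ON h.path = p.path   -- hash requires a path; the join supplies it
WHERE p.path != ''                       -- kernel threads and exited processes have no path
  AND h.sha256 = '<PLACEHOLDER_SHA256_OF_SUSPECT_BINARY>';
```

In Fleet, save this as a named query and run it live against all hosts. A hit on one server out of a thousand is a very different conversation from a hit on every workstation in accounting, and the query that tells you which is the same on Windows, macOS, and Linux.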
# Osquery kolide free
Osquery is a free endpoint visibility tool originally developed by Facebook.
![osquery kolide osquery kolide](https://miro.medium.com/max/5120/1*w_GgRJB3Q3XzTXyU3nStdw.png)
There are so many places to look: the registry, prefetch, disk artifacts, operating system logs… the list goes on. The problem isn’t just the number of rabbit holes, it’s that each one requires a different tool to access and parse the data. A question as simple as “Did the malware execute after it was downloaded?” might require a combination of a dozen complicated and unmaintained open source tools or a pricey commercial solution.
![osquery kolide osquery kolide](https://i.ytimg.com/vi/1yRy94rBUU8/maxresdefault.jpg)
A production server that doesn’t normally communicate over the internet is exhibiting suspicious characteristics. It’s sending out weird bursts of network traffic to an external host you don’t know anything about. The traffic is encrypted, so network data won’t be helpful. You have to rely exclusively on host-based evidence to figure out what’s happening. Would you be able to come to a conclusion about whether an attack has occurred? Would you be able to do it quickly? Would you be 100% certain about your determination? If you answered no to any of those, then you aren’t alone. The truth is, investigating things on the host is overwhelming.
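One way to turn the scenario above into a host-side question is shown below, as an added example that is not from the original post and not from the osquery or Kolide projects: which process on this server owns an established outbound connection to a non-private address, where does its binary live, what launched it, and what is its hash? It assumes osquery’s `process_open_sockets`, `processes` and `hash` tables. The private-address exclusions are a deliberate simplification (osquery’s SQLite has no CIDR matching, IPv6 is not handled, and the 172.16.0.0/12 check relies on the second octet being two digits), so tune them to your own address plan.

```sql
-- Added example: processes on this host holding an ESTABLISHED connection to
-- an address outside the usual RFC 1918 ranges, joined to the owning process,
-- its parent and the hash of its binary. The address filters are an
-- illustrative approximation, not a complete private-range test.
SELECT
  s.pid,
  p.name,
  p.path,
  p.cmdline,
  pp.name                             AS parent_name,
  s.local_port,
  s.remote_address,
  s.remote_port,
  datetime(p.start_time, 'unixepoch') AS started_utc,
  h.sha256
FROM process_open_sockets AS s
JOIN processes            AS p  ON p.pid  = s.pid
LEFT JOIN processes       AS pp ON pp.pid = p.parent
LEFT JOIN hash            AS h  ON h.path = p.path   -- LEFT JOIN: keep rows even if the binary is gone
WHERE s.state = 'ESTABLISHED'
  AND s.remote_address != ''
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '192.168.%'
  -- 172.16.0.0/12: second octet between 16 and 31 (substr assumes two digits)
  AND NOT (s.remote_address LIKE '172.%'
           AND CAST(substr(s.remote_address, 5, 2) AS INTEGER) BETWEEN 16 AND 31)
ORDER BY p.start_time DESC;
```

Run it on the server in question first. With the `path` and `sha256` from the result in hand, the next step is the fleet-wide hash pivot: if the same binary is running on other hosts that should never talk to the internet, you have scope; if it is on every host, you probably have an agent someone forgot to tell you about.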