Course

Skills Expanded

Getting Started with osquery

Learn how to deploy, configure, and use osquery to improve security by increasing visibility, detecting suspicious activity, and implementing features like File Integrity Monitoring, using this great cross-platform tool.

Preview this course

What you'll learn

Understanding how to leverage the power of osquery to solve security problems can seem complicated.

In this course, Getting Started with osquery, you will gain the ability to not only install and configure osquery, but also to understand different aspects of using it in a real environment.

First, you"ll learn how to install it on Linux and Windows.

Next, you'll discover how the power of SQL can be used with it to solve security problems, like identifying what processes are being executed where, and real-time events will be leveraged so you can learn how to monitor activity between scheduled query intervals and implement File Integrity Monitoring.

Finally, you'll explore how to plan for a real deployment of osquery, including the use of advanced options like TLS logging and extensions.

When you're finished with this course, you'll have the skills and knowledge of osquery needed to plan a deployment and start writing queries that will help you get answers to your most important endpoint security questions.

Software required: a Linux (Ubuntu, Debian, Redhat or CentOS) system with the latest version of osquery stable.

Course Overview

1min

Course Overview 1m

Understanding and Installing osquery

22mins

SQL Basics for osquery

23mins

Introduction to osquery's Dataset 3m
Demo 1a: Selecting Data and Separating Values with Split 7m
Demo 1b: Filtering Results with WHERE and LIKE 5m
Demo 2: Counting, Converting, and Calculating with osquery 8m
SQL Benefits and Summary 1m

Joining Tables

24mins

Getting Started with JOIN 4m
Demo 1a: Mapping Processes to User Accounts 5m
Demo 1b: Mapping Processes to Open Ports and Users via Multiple JOINs 5m
Demo 2a: Creating SSH Keys and Querying the Shell History 5m
Demo 2b: Finding Chrome Extensions for Specific Users 3m
Demo 2c: Identifying (Un)Encrypted SSH Keys 1m
Summarizing the Benefits of JOIN 1m

Using Events for Continuous Monitoring

18mins

Introduction to Events 6m
Using Events in osqueryi 7m
Using Events in osqueryd 6m

File Events and File Integrity Monitoring (FIM)

14mins

Introduction to File Events and File Integrity Monitoring 5m
Demo: Using File Events to Perform FIM with osquery 9m

Next Steps in Your osquery Journey

9mins

Next Steps in osquery Deployment 3m
Planning Logging, Queries, and Storage 4m
Extensions, Augeas, and Links 2m
Course Summary 1m

About the author

Guillaume Ross

Guillaume Ross is an experienced information security professional, providing services to many organizations as the lead consultant and founder of Caffeine Security Inc. Having worked in multiple verticals, from Fortune 50 to startups, his specialty is providing the right security program and architecture for each specific environment and company, and leading blue teams.

See more courses by Guillaume Ross

Ready to upskill? Get started

Contact Sales

Getting Started with osquery

What you'll learn

Table of contents

About the author

Ready to skill up
your entire team?

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Ready to skill up
your entire team?

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Support

Community

Company

Industries

Newsletter

Contact Sales

Getting Started with osquery

What you'll learn

Table of contents

About the author

Get access now

Ready to skill upyour entire team?

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Ready to skill upyour entire team?

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Support

Community

Company

Industries

Newsletter

Ready to skill up
your entire team?

Ready to skill up
your entire team?