Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Here are the Workshop notes:

<https://docs.google.com/document/d/1AQtsxt6PKykaspivzcPGW05eX6q5lsDwEeTZNKahThQ/edit>

`git clone -b defcon <https://github.com/ksatter/fleet-docker.git>`

Link to Google Drive: <https://drive.google.com/drive/u/0/folders/1yg2ijwcSWRwDVvA0Byy8oAPTKhRAImqa>

The password for the Workshop instance is : `DEFCON2022workshop!` - your usernames are on the card I gave you - if you don’t have one yet pick it up by the projector!

<http://osquery.io/schema|osquery.io/schema>

If you want to set up your VULN automations, use this webhook -&gt; <https://rustling-snow-6608.tines.com/webhook/0fe6acf0c2b62cdf527eeffdbcefb7a3/1ebd48b0aa19e1954791e30eda28eb69>

POLICY automations : <https://rustling-snow-6608.tines.com/webhook/941ed53790a7aee18ed548cd5548dbb3/d721f52270deb139f9c2a1068f3c3141>

YARA example query:

```sql
SELECT * FROM yara WHERE path like ‘/root/%%’ AND sigrule IN (
    ‘rule eicar {
    strings:
    $s1 = “X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*” fullword ascii
    condition:
    all of them
}’
) AND matches=‘eicar’;
```