i'm currently a master student looking for an interesting thesis topic to write about. my initial approach was to write about endpoint visibility because in times of DoH and DoT, solutions that honor the enduser's privacy, it becomes a lot more difficult for blue teams to detect suspicious behaviour over the wire. therefore i would like to focus on the endpoint, and what is possible to detect there. i have heard a lot good things about osquery, it helps a lot in regards to IT-Operations. But what would be the main Security use-cases for osquery to help blue teams detect threats in their environment/network? can you maybe point me in the right direction other than https://osquery.io/schema to help me get an idea on what is possible? many thanks in advance, cheers theresa

Hey. Palantir has some really good articles and repos about using osquery security. Guess you can start from this one: https://medium.com/palantir/osquery-across-the-enterprise-3c3c9d13ec55

I was just about to link to the Palanatir GitHub page 😄

Great minds think alike 😛

Wow, just wow! Thank you from the bottom of my heart @Haam3r I did google before, and found a lot of stuff in regards to SysOp/IT Ops but just not focused on Security. Somehow this Palantir stuff must have slipped through. Thanks a lot 🙂

Yeah it’s a good resource because they open sourced a lot of the config and then wrote the articles to explain why they are collecting those things with more practical examples of what they’re looking for.

Cool, thanks for the explanation, @Ryan Any idea, why most tutorials or write-ups focus heavily on threats for MacOS?

I think it might be to do with Kolide’s work on “user focused security”? https://blog.kolide.com/kolide-user-focused-security-for-teams-that-slack-ec9646a0ce0e

exactly, I've even seen companies enrolling their company-notebooks into MDM solutions (not just phones or tablets, but also notebooks) usually that's what a proper cmdb is for, to keep track of those devices and its patch-level.

yeah