Hey there! I am pretty new to osquery, is there an...
# generals
sudo
04/01/2020, 11:49 AMHey there! I am pretty new to osquery, is there any GUI workbench for this or CLI-Only?
a
alessandrogario
04/01/2020, 12:26 PM
There are several; you can try out Kolide Fleet with docker-compose using this: https://github.com/dactivllc/osquery-in-a-box
s
sudo
04/01/2020, 12:27 PMThank you @alessandrogario
a
alessandrogario
04/01/2020, 12:29 PM
alessandrogario
04/01/2020, 12:29 PM
Some of the alternatives
alessandrogario
04/01/2020, 12:29 PM
If you try out Kolide Fleet, they have a channel here! It's #C1XCLA5DZ
s
sudo
04/01/2020, 12:30 PMAwesome, much appreciated. I started looking at the fleet now.
s
seph
04/01/2020, 5:42 PM
osquery is, IMO, hard to describe. It’s not a gui or a cli. It’s a tool to translate OS apis to sql.
A common way to interact with it is through the
osqueryiosqueryd💯 1
s
sudo
04/01/2020, 5:46 PMThanks @seph, I get it now. I spent some time on it. I thought it would be quite effective if theres a gui where we can perform aggregation as well.
Anyway, I pushed the logs to elastic for aggregation
s
seph
04/01/2020, 5:48 PM
gui where we can perform aggregation as wellLike a log aggregation system? you can push logs to any existing one. Generally folks can help if you’re looking to get the data into places.
seph
04/01/2020, 5:48 PM
But doing a good job building log aggregation is a big project. Using ELK is generally simpler.
s
sudo
04/01/2020, 5:49 PMWould you recommend anything else if I were to use osquery for threat hunting?
Currently, I am running a daemon, query packs, syslog server, elastic
s
seph
04/01/2020, 5:50 PM
Depends on how you want to explore and work with data.
s
sudo
04/01/2020, 5:53 PMTrue but in general these would suffice just leveraging opensource?
Do people use osquery to monitor their containers? I usually got used to prometheus and NodeExporter
s
seph
04/01/2020, 5:54 PM
True but in general these would suffice just leveraging opensourceI’m not sure what you mean. But as before, it depends on what you like, and how you like using data
seph
04/01/2020, 5:55 PM
Do people use osquery to monitor their containers? I usually got used to prometheus and NodeExporterosquery and nodeexporter have access to different kinds of information. prometheus is oriented around being a TSDB for metrics. osquery is a tool to generate whatever. You could use it to feed prometheus. but feeding ELK, a SIEM, whatever is going to be more powerful.
s
sudo
04/01/2020, 6:02 PMGot it, I think I should read docs, seems like this got good documentation. Thanks for your time
3 Views