Dustin M

10/25/2019, 6:27 PM
Hey everyone, I was wondering if anyone had any experience developing with osquery. I would like to write a security tool, but it seems like osquery is used to just ship logs to some aggregator, then you can move logs to something like Kibana or the cloud, but analyzing them and sending an action or something back down to the original binary would be extremely time consuming. Could anyone confirm my suspicions or point me in the right direction? It also seems like there is not a way to run osqueryd and get the response locally? Most of the documentation just shows it being moved to a log aggregator.

Tim F.

10/26/2019, 2:11 PM
My understanding is this is possible. Are you trying to make a stand-alone EPP? Commercial EPPs either send data for analysis and mitigation, or they create a fat local client, I believe. What is it you are trying to do, @Dustin M?

Dustin M

10/28/2019, 2:43 PM
I am open to both options; a stand-alone EPP would be the goal. How are they sending the data? The examples I have been looking at seem to not work in the repo. Ideally we would have smaller rules on a local client, but most of the data would be sent to the cloud for analysis and mitigation.