Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<https://blogs.vmware.com/security/2022/05/leveling-up-with-osquery-answering-your-questions-with-vmware-carbon-black-cloud-audit-remediation.html>

oooh, I like this regex-y one <https://carbonblack.vmware.com/blog/leveling-osquery-workloads-using-regular-expressions-regex-queries%C2%A0>

<@U0F29L5C4> FYI: <https://blogs.vmware.com/security/2022/05/leveling-up-with-osquery-answering-your-questions-with-vmware-carbon-black-cloud-audit-remediation.html>

Jon is doing alot of stuff around this topic :slightly_smiling_face:
• <https://carbonblack.vmware.com/users/jon-nelson|Leveling Up with osquery for Workloads blog series>
• <https://carbonblack.vmware.com/blog/leveling-osquery-workloads-identifying-and-contextualizing-windows-logon-failures-part-1|Leveling Up with osquery for Workloads: Identifying and Contextualizing Windows Logon Failures>
• <https://carbonblack.vmware.com/blog/leveling-osquery-workloads-locating-local-administrator-accounts-windows-part-2|Leveling Up with osquery for Workloads: Locating local administrator accounts (windows)>
• <https://carbonblack.vmware.com/blog/leveling-osquery-workloads-determining-free-disk-space-linux-macos|Leveling Up with osquery for Workloads: Determining Free Disk Space on Linux &amp; macOS>
• <https://carbonblack.vmware.com/blog/leveling-osquery-workloads-check-weak-authentication-types-lmntlm|Leveling up with osquery for Workloads: Check for weak authentication types (LM/NTLM)>
