Hey y’all, I am creating a blog post on: • Installing/setting up FleetDM manually on Ubuntu 20.04 • Installing/setting up FleetDM with an Ansible playbook • Installing/setting up FleetDM with Docker-compose v2.x, • Installing/setting up FleetDM with Docker swarm v3.X. • How to manually install Osquery on Windows and Ubuntu • How to install Osquery on endpoints with an Ansible playbook • Section on converting an Osquery query pack to the YAML format to upload to FleetDM with FleetCTL • Section on creating query pack via webgui • Section on running live queries with FleetCTL • Section on running live queries with web gui • Section on the new file carve feature in FleetDM In a thread below, please add any additional items I should cover in my blog post for first time FleetDM users.

CI/CD for queries

@Zach Zeid I love the idea about CI/CD but I will probably cover that in a separate post since I don’t know of an easy way to implement that.

I'm generally a dense person, and it's not really clear to me when something should be in

flags

vs

conf

, and what options are required vs what aren't vs what options selected need other required flags

Ahhhh. Yeah that took me some time to understand as well.

I've generally been told that the docs make sense, but they don't for me, that's my hottake

I think I can providence so on that topic that will help ppl 🙂

I would be interested in "alerting" strategies based on query packs/snapshots 🙂

@maxwhite can you elaborate/provide an example on what you mean by alerting strategies?

For example, if I want to be alerted when a device is not encrypted (what to look for in the logs, how to send to a SIEM/Lambda?)

yeah that would be a more IR focused blog post for me. However, it’s good to know ppl are interested in something like that for a future blog post

Thanks man for the work, I'll check it out! Looking forwarding to the next release 😄