
How to identify threats if you have no logs (introducing OSQuery u0026 Fleet)

Attack Detect Defend

It’s inevitable that security logs will have gaps – either due to benign system errors, or due to attackers intentionally disabling logging to help cover their tracks. So what can we do to plug the holes in our visibility left by imperfect logging? In this video we’ll be exploring how to use OSQuery to make point-in-time assessments of key security properties, without having to depend on logs.
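As an added illustration (not queries from the video), the following osquery SQL shows the three kinds of point-in-time check the description refers to: a simple query, an IOC search, and a custom query that joins tables. osquery speaks SQLite syntax, and the tables used (processes, listening_ports, users, hash, services) are real osquery tables; the SHA-256 values are labelled placeholders rather than real indicators, and the 'Sysmon64' service name is an assumption that depends on how Sysmon was installed.

```sql
-- Added example, not part of the original video. Run with osqueryi or as a
-- scheduled query in Fleet. Table and column names are real osquery tables;
-- the hash values and the Sysmon service name are placeholders/assumptions.

-- 1. A simple query with a join: which processes are listening on the network,
--    and under which user? This answers "what is exposed right now" without
--    any firewall or connection log having been written.
SELECT p.pid, p.name, p.path, u.username, lp.port, lp.address, lp.protocol
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
JOIN users AS u ON u.uid = p.uid
WHERE lp.port > 0
ORDER BY lp.port;

-- 2. Searching for specific IOCs: hash the binary behind every running process
--    and compare it against a known-bad list. The hash table requires a path
--    constraint, which the join on p.path supplies. Replace the placeholders
--    with real indicator values before use.
SELECT p.pid, p.name, p.path, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 IN (
  'PLACEHOLDER_SHA256_1',
  'PLACEHOLDER_SHA256_2'
);

-- 3. Is logging even running? A stopped collector emits no log line saying it
--    was stopped, so this is exactly the gap a point-in-time query can cover.
--    Linux hosts: check for the logging daemon processes.
SELECT pid, name, path, start_time
FROM processes
WHERE name IN ('auditd', 'rsyslogd', 'systemd-journal');

-- Windows hosts: the services table reports the Windows Event Log service
-- state. 'Sysmon64' is an assumed service name; adjust to the installed one.
SELECT name, display_name, status, start_type
FROM services
WHERE name IN ('EventLog', 'Sysmon64');
```

Query 1 returns one row per listening socket; query 2 returns nothing unless a running binary matches an indicator; query 3 returning no rows (or a Windows service with a status other than RUNNING) is the finding, since it means the host is currently producing no logs at all.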

References:
OSQuery schema explorer: https://osquery.io/schema
OSQuery documentation: https://osquery.readthedocs.io

Timecodes:
0:00 Introduction
0:43 Events vs. Queries
2:43 A simple query
3:23 Searching for specific IOCs
4:11 Custom queries and joining tables
5:07 Setup: Server
5:29 Setup: OSQuery agents on Windows
6:04 Setup: OSQuery agents via GPO
6:30 Setup: OSQuery agents on Linux
7:01 Some useful OSQuery tables
7:55 Final thoughts

Credits:
Intro/Outro Music: Render Prism [Creative Commons] (via Argofox)
Diagram icons designed by OpenMoji (https://openmoji.org/) CC BY-SA 4.0

posted by ruffly15