[Video] Incident Investigation with Uptycs and Osquery


This video features Pat Haley, our Principal Sales Engineer, walking through the strengths + challenges of osquery, how osquery can be used for incident investigations, and how Uptycs can add value to an osquery deployment of any size.

Uptycs and Osquery_YT

Osquery is purpose built, and highly effective, for macOS and cloud security. However, it does pose some challenges; especially when it comes using

Osquery at any type of scale. These hurdles include:

  1. No built-in way to deploy to multiple machines . Osquery is great on a single machine, but how do you manage osquery and the data it collects across 10s, 100s or even 1000s of machines?
  2. No pre-built queries. What data do you actually need to collect? What questions will you ask of a host to get the answers you’re looking for?
  3. No correlation with external data (i.e. threat intel). How do you know if something in the data indicates potential malicious activity?

Pat will walk through how the Uptycs architecture is purpose built for osquery, which resolves these challenges.

Viewers can see a real world incident investigation scenario that highlights why osquery is so well suited to be the telemetry collection tool of choice. Finally, we will answer questions about the real world scenario by executing the following queries in the Uptycs platform:

  • SELECT pid, name, path, cmdline FROM processes WHERE name = ‘netcat’
  • SELECT host, time FROM dns_lookup_events WHERE question = ‘bad_domain’

ATT&CK Webinar (Banner)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Pat Haley. Read the original post at: