BSidesSF 2019 has ended
Saturday, March 2 • 9:00am - 11:45am
Monitoring Minimum Viable Security via osquery on Mac, Windows, Linux, and Containers




In this workshop, we will learn how to use osquery in a variety of environments and then use it to solve problems security teams everywhere have.

Required: One or more PCs or VMs running Mac, Windows, or Linux with Chrome and osquery installed. If osquery is not installed, do not worry; we will start the workshop with instructions on how to do that, and for Linux, we will provide a virtual appliance you can import. Be aware that we will centralize some of the osquery logs we generate, so we ask that you do not use a personal computer with your real data on it, unless you agree to other students being able to see the output of your queries.

In this workshop, we will understand how osquery is deployed, look at the ways many companies are successfully attacked, monitor our systems for these issues, implement a fix, and check with osquery that it was implemented properly. We will also look at how osquery extensions can allow us to manage our systems in a more proactive way, by writing to them instead of just querying them.

If you have to manage endpoints in an environment that includes Mac, Linux, Windows, and even Docker containers, this workshop is a great way to learn how to manage security homogeneously in a heterogeneous environment.


Guillaume Ross

Guillaume has worked as a manager of blue teams, as a security consultant, and well before that as an enterprise IT person focused on endpoints. Having worked for companies from startups to the Fortune 50, he knows how to build a security program, but having had to do the work, he also dislikes doing...

Saturday March 2, 2019 9:00am - 11:45am PST
Splunk HQ