« back to schedule

Introduction to Osquery

Maximum numbers of participants: 20. Registration will be done on site.

Maintaining real-time insight into the current state of your endpoint infrastructure is crucial. It is very important from operational, continuous security monitoring, and incident response perspective. Created by Facebook in 2014, osquery is an open-source instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD operating systems.

Osquery exposes the operating system as a relational database and allows you to write SQL queries to explore system data. The generic SQL tables represent running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, etc. These SQL tables are implemented via an easy to extend API and several tables already exist and more are being written. The main advantage of osquery is that it allows you to use one platform for monitoring complex operating system state across an entire infrastructure. It has a high-performance and low-footprint distributed host monitoring daemon, osquery and also an interactive query console, called osqueryi.

During this two-hour workshop, we will learn about osquery’s capabilities and cover the following topics:

  • Osquery basics (installation, osqueryi, osqueryd, osquery schema);
  • SQL refresher (SELECT, FROM, WHERE, LIKE, JOIN, etc.);
  • Osquery configuration (flagfile, packs, schedule, logging, file integrity monitoring, etc.);
  • Fleet management (Kolide Fleet, Doorman, SGT, etc.);
  • Osquery extensions.


  • Hardware: a laptop with at least 8 GB of RAM and 30-50 GB of free disk space;
  • Software: VMware Workstation, VMware Fusion or VMware Player installed. Other virtualization like VirtualBox should be OK, but participants must be ready to troubleshoot/make it work.
  • Skills: Basic Bash command line skills.



David Szili (Managing Partner at Alzette Information Security)


David Szili: David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics. He has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. David has master’s degrees in computer engineering and in networks and telecommunication and a bachelor’s degree in electrical engineering. He holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GCDA, GNFA, GPYC, GMOB, CCSK, OSCP, OSWP, and CEH. David speaks on a regular basis at international conferences like BruCON, Hack.lu, Nuit du Hack, Hacktivity, x33fcon, Black Alps, BSidesLjubljana, BSides Munich, BSidesBUD, Pass the SALT, Security Session and he is a member of the organizer team of BSides Luxembourg. He occasionally blogs about information security at jumpespjump.blogspot.com.

« back to schedule