Fleet 4.3.0 is now available. Visit our Updating Fleet guide for instructions on how to update.

For the complete summary of all changes and release binaries, check out the release notes on GitHub. In the meantime, read on for more info about the main features and improvements introduced in Fleet 4.3.0.

Primary features

  • Policies allow users to define security policies which their enrolled devices must adhere to.
  • Improved query console, so users can more easily walk through the flow of crafting a query, selecting targets, running, and saving a query.
  • Query performance gives users the ability to gain insight into the data-to-performance…

Jason Walton — Director of information security @ Schrödinger

Jason Walton gives us some insight into how his team uses Fleet and osquery at Schrödinger.

How did you first get started using osquery?
I became aware of osquery a number of years ago — maybe 2017 when a colleague mentioned it. I experimented with it locally, and it was very interesting, but I never invested much time until I discovered Fleet (then Kolide Fleet) I believe around 2018.

Why are you using Fleet?
It’s easy to deploy and use in combination with Launcher. It provides me with a single source of truth about endpoints in my organization, and provides a…

Ahmed Elshaer — DFIR, Blue Team, SecOps @ Wayfair

This week, I spoke with Ahmed Elshaer (DFIR, Blue Team, SecOps) about how Wayfair uses Fleet and osquery:

How did you first get started using osquery?

We were looking for a tool that provided Linux logging and incident response capabilities. Osquery had most of the requirements, like logging, ability to scope an incident, interrogate systems, but it’s missing the response or the ability to do an action on the remote systems.

Why are you using Fleet?

We have POC’d a couple of free options, and Fleet was the highest engagement and continuous development, although it may be missing some features.

How do your end users feel about Fleet?

We are using Fleet only in the remote query on scale, so we find Fleet…

What can we expect to see?

Osquery 4.9.0 is currently in pre-release, so let’s have a quick look at some of the new additions that are hopefully in store for us.

As always, for the complete list of changes, check out the osquery changelog and osquery.io.

New features

Add filesystem logrotate feature

For Windows users who don’t have a good alternative to osquery’s recommendation to use logrotate, osquery 4.9.0 brings a basic logrotate feature for the filesystem logger plugin (--logger_plugin=filesystem).

This feature is disabled by default because it will delete logs when rotation limits are exceeded, and also so as to avoid any possible conflicts if there is another logrotate function enabled. …

Human readable timestamps

Unix timestamps can be confusing for even the smartest Time Lord.

If you are anything like me, and Unix timestamps leave you thinking about the mysterious numbers in Lost, you’re going to want to convert them into something more human friendly. Running your timestamp through any number of online converters is one way to go, but it’s a clunky process.

Connect network monitoring with endpoint monitoring.

This article was originally written by Zach Wasserman

Interested in correlating events from network monitoring tools to host activity? Support for Community ID hashing in osquery allows osquery’s endpoint instrumentation to be easily correlated with that of network monitors such as Zeek. Similar strategies can be used to correlate osquery logs with those from other tools that support Community ID. This includes Arkime (formerly Moloch), Suricata, and more.

Community ID

Community ID is a hash of the network connection parameters that allows a connection to be matched between monitoring solutions that support the hash.

To generate a Community ID, a hash is…

Using Elasticsearch and Kibana to visualize osquery performance

This article was originally written by Zach Wasserman

This article serves as a guide to building an osquery performance dashboard with Elasticsearch and Kibana.

Our goal is to build a dashboard like the one pictured below:

Rich process trees on macOS, Linux, and Windows

This article was originally written by Zach Wasserman

Using advanced SQL syntax, it is possible to generate process trees in osquery similar to those generated by the pstree utility. With osquery, the generated trees can be extended to include additional information that can aid analysis.

Below is the basic structure of the query:

WITH target_procs AS (
SELECT * FROM processes WHERE name = 'osqueryd'
WITH recursive parent_proc AS (
SELECT * FROM target_procs
SELECT p.* FROM processes p JOIN parent_proc pp ON p.pid = pp.parent
WHERE pp.pid != pp.parent …

A simple query for IP-Geolocation

This article was originally written by Zach Wasserman

In the event of an emergency or public safety concern, osquery can be easily used to identify employees in the direct vicinity, so that teams can push warnings or safety precautions to their staff.

This simple strategy for obtaining the location of an osquery device utilizes the ipapi.co API to retrieve the IP geolocation of the device. Note that the device must be able to connect to the internet over HTTP, and the calculated location may be skewed by VPN, proxies, etc.


SELECT JSON_EXTRACT(result, '$.ip') AS ip,
JSON_EXTRACT(result, '$.city') AS city,

Proper use of JOIN to return osquery data for users

This article was originally written by Zach Wasserman

Many an osquery user has encountered a situation like the following:

$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> SELECT uid, name FROM chrome_extensions LIMIT 3;
| uid | name |
| 501 | Slides…

Mike Thomas
