Jason Walton gives us some insight into how his team uses Fleet and osquery at Schrödinger.

How did you first get started using osquery?
I became aware of osquery a number of years ago — maybe 2017 when a colleague mentioned it. I experimented with it locally, and it was very interesting, but I never invested much time until I discovered Fleet (then Kolide Fleet) I believe around 2018.

Why are you using Fleet?
It’s easy to deploy and use in combination with Launcher. It provides me with a single source of truth about endpoints in my organization, and provides a…

This week, I spoke with Ahmed Elshaer (DFIR, Blue Team, SecOps) about how Wayfair uses Fleet and osquery:

How did you first get started using osquery?

We were looking for a tool that provided linux logging, and incident response capabilities. Osquery had most of the requirements like logging, ability to scope an incident, interrogate systems but it’s missing the response or the ability to do an action on the remote systems.

Why are you using Fleet?

We have POC’d couple free options and Fleet was the highest engagement and continuous development although it may be missing some features.

How do your end users feel about Fleet?

We are using Fleet only in the remote query on scale, so we find Fleet…

Fleet 4.2.0 is now available. Visit our Updating Fleet guide for instructions on how to update.

Primary features

• Team schedule makes the ability to collect data from your devices faster.
• Host filtering improvements to more easily monitor the status of your Fleet and osquery deployment.

For the complete summary of all 15+ changes and release binaries check out the release notes on GitHub.

Team schedule

Available in Fleet Basic

In the previous release of Fleet 4.1.0, we introduced the Schedule feature that lets you add queries which are executed on your devices at regular intervals without having to understand osquery packs.

Similarly, the Team…

Fleet 4.1.0 released with Schedule and Activity feed features

Fleet 4.1.0 is now available to increase the usability and maturity of your Fleet deployment with Schedule for making the ability to collect data from your devices faster and Activity feed for easily monitoring changes made to your Fleet and osquery deployment.

For the complete summary of changes and release binaries check out the release notes on GitHub.

Easier data collection for increased usability

Deciding what, and how often, data is sent to a configured log destination, is vital to our customers’ success, and we want to make it easier for new and experienced users of Fleet…

Fleet 4.0.0 released with Role-based access control and Teams features

Fleet 4.0.0 is now available to spread the power of Fleet throughout your organization, with Teams for separating devices into exclusive groups, Role-based access control to define a user’s access to features in Fleet, and API-only users to help you create more automation pipelines.

Spread the power of Fleet

Fleet is utilized at organizations with hundreds of thousands of devices. Our new Teams feature enables separating hosts into exclusive groups. This way, users can easily act on a consistent group of devices.

Having access to Fleet and…

Osquery 4.9.0 is currently in pre-release, so let’s have a quick look at some of the new additions that we are hopefully in store for.

As always, for the complete list of changes, check out the osquery changelog and osquery.io

New features

Add filesystem logrotate feature

For Windows users who don’t have a good alternative to osquery’s recommendation to logrotate, osquery 4.9.0 brings a basic logrotate feature for the --logger_plugin=filesystem filesystem plugin.

This feature is disabled by default because it will delete logs when rotation limits are exceeded, and also so as to avoid any possible conflicts if there is another logrotate function enabled. …

If you are anything like me, and unix timestamps leave you thinking about the mysterious numbers in Lost, you’re going to want to convert them into something more human friendly. Running your timestamp through any number of online converters is one way to go, but it’s a clunky process.

Fleet 3.13 is now available on GitHub and Docker Hub! 3.13 introduces improved performance of the additional queries feature, improvements to the fleetctl preview experience, and more.

For the complete summary of changes and release binaries check out the release notes on GitHub.

Improved performance of the additional queries feature

The additional queries feature in Fleet allows you to add host data to the response payload of the /hosts Fleet API endpoint. This feature is helpful when you want to grab specific host information straight from the Fleet API instead of your logging destination. …