Fleet 4.1.0 released with Schedule and Activity feed features
Fleet 4.1.0 is now available to increase the usability and maturity of your Fleet deployment with Schedule for making the ability to collect data from your devices faster and Activity feed for easily monitoring changes made to your Fleet and osquery deployment.
For the complete summary of changes and release binaries check out the release notes on GitHub.
Easier data collection for increased usability
Deciding what, and how often, data is sent to a configured log destination, is vital to our customers’ success, and we want to make it easier for new and experienced users of Fleet…
Fleet 4.0.0 released with Role-based access control and Teams features
Fleet 4.0.0 is now available to spread the power of Fleet throughout your organization, with Teams for separating devices into exclusive groups, Role-based access control to define a user’s access to features in Fleet, and API-only users to help you create more automation pipelines.
Spread the power of Fleet
Fleet is utilized at organizations with hundreds of thousands of devices. Our new Teams feature enables separating hosts into exclusive groups. This way, users can easily act on a consistent group of devices.
Having access to Fleet and…
What can we expect to see?
Osquery 4.9.0 is currently in pre-release, so let’s have a quick look at some of the new additions that we are hopefully in store for.
As always, for the complete list of changes, check out the osquery changelog and osquery.io
New features
Add filesystem logrotate feature
For Windows users who don’t have a good alternative to osquery’s recommendation to logrotate, osquery 4.9.0 brings a basic logrotate feature for the --logger_plugin=filesystem filesystem plugin.
This feature is disabled by default because it will delete logs when rotation limits are exceeded, and also so as to avoid any possible conflicts if there is another logrotate function enabled. …
Human readable timestamps
If you are anything like me, and unix timestamps leave you thinking about the mysterious numbers in Lost, you’re going to want to convert them into something more human friendly. Running your timestamp through any number of online converters is one way to go, but it’s a clunky process.
Fleet 3.13 is now available on GitHub and Docker Hub! 3.13 introduces improved performance of the additional queries feature, improvements to the fleetctl preview experience, and more.
For the complete summary of changes and release binaries check out the release notes on GitHub.
Improved performance of the additional queries feature
The additional queries feature in Fleet allows you to add host data to the response payload of the /hosts Fleet API endpoint. This feature is helpful when you want to grab specific host information straight from the Fleet API instead of your logging destination. …
Connect network monitoring with endpoint monitoring.
This article was originally written by Zach Wasserman
Interested in correlating events from network monitoring tools to host activity? Support for Community ID hashing in osquery allows osquery’s endpoint instrumentation to be easily correlated with that of network monitors such as Zeek. Similar strategies can be used to correlate osquery logs with those from other tools that support Community ID. This includes Arkime (formerly Moloch), Suricata, and more.
Community ID
Community ID is a hash of the network connection parameters that allows a connection to be matched between monitoring solutions that support the hash.
To generate a Community ID, a hash is…
Using Elasticsearch and Kibana to visualize osquery performance
This article was originally written by Zach Wasserman
This article serves as a guide to building an osquery performance dashboard with Elasticsearch and Kibana.
Our goal is to build a dashboard like the one pictured below:
Fleet 3.12 is now available! 3.12 offers enhanced host vitals to see which queries are run on which devices, the ability to “refetch” host vitals to get authoritative answers about your devices on-demand, and several awesome contributions from the Fleet community.
For the complete summary of changes and release binaries check out the release notes on GitHub.
Which queries apply to a host
Rich process trees on macOS, Linux, and Windows
This article was originally written by Zach Wasserman
Using advanced SQL syntax, it is possible to generate process trees in osquery similar to those generated by the pstree utility. With osquery, the generated trees can be extended to include additional information that can aid analysis.
Below is the basic structure of the query:
WITH target_procs AS (
SELECT * FROM processes WHERE name = 'osqueryd'
)
SELECT *
FROM (
WITH recursive parent_proc AS (
SELECT * FROM target_procs
UNION ALL
SELECT p.* FROM processes p JOIN parent_proc pp ON p.pid = pp.parent
WHERE pp.pid != pp.parent …A simple query for IP-Geolocation
This article was originally written by Zach Wasserman
In the event of an emergency or public safety concern, osquery can be easily used to identify employees the direct vicinity, so that teams can push warnings or safety precautions to their staff.
This simple strategy for obtaining the location of an osquery device utilizes the ipapi.co API to retrieve the IP geolocation of the device. Note that the device must be able to connect to the internet over HTTP, and the calculated location may be skewed by VPN, proxies, etc.
Query:
SELECT JSON_EXTRACT(result, '$.ip') AS ip,
JSON_EXTRACT(result, '$.city') AS city,
JSON_EXTRACT(result…Fleet Device Management
Open source endpoint visibility
