
Guillaume Ross, Kathy Satterlee - Protect/hunt/respond with Fleet and osquery


  • Guillaume Ross, Kathy Satterlee - Protect/hunt/respond with Fleet and osquery


    Thursday from 0900 to 1300
    EventBrite Link:

    In this workshop, we will learn how to use Fleet and osquery to ensure systems are protected, detect suspicious activity, hunt for attackers, and respond to incidents. First, we'll see how to deploy Fleet to manage osquery agents. Then, we will use shared Fleet instances to track the security posture of systems, inventory vulnerable applications, and perform threat hunting. These Fleet instances will be connected to a shared Slack workspace, where we will generate custom alerts to ensure insecure systems can be dealt with. These shared Fleet instances will output data to centralized logging (Graylog), which we will use to create dashboards as well as alerting for suspicious activity. At the end of this workshop, you'll know how to use Fleet and osquery to ensure your workstations and servers are secure, to quickly find vulnerable systems as well as discover attackers performing techniques such as establishing persistence and privilege escalation.

    Skill Level: Beginner to Intermediate

    Materials Needed: A laptop with internet access, a web browser, virtualization app such as VirtualBox or VMware, and Docker (on main OS or in a VM). We recommend bringing at least one or two VMs (Mac, Windows or Linux) ready to use as osquery clients.


    Guillaume started hacking away in the early 90s. Where by hacking, we mean "understanding how pkzip works so he could fit this game on his ridiculous HDD". He then went on to work in IT, focusing on large scale endpoint deployments for a few years. He then became a security consultant, working with all types of different organizations, doing endpoint security, mobile security, and cloud security until he started leading security in startups. Guillaume is currently the Head of Security at Fleet Device Management, the company behind the open source project Fleet.
    Guillaume dislikes doing meaningless "best practices" work that has no practical value and enjoys leveraging great open source software available to all of us to improve security.
    Guillaume has spoken and given workshops at various conferences like BSidesLV, BSidesSF, DEF CON, RSAC, Thotcon and Northsec on many topics, including mobile security, endpoint security, logging and monitoring.

    Kathy is a Developer Advocate at Fleet Device Management. She generally has a pretty good idea of how Fleet and osquery work together and what people are doing with them. She also usually knows who to reach out to when she doesn’t have a clue.

    Forum: @gepeto

    Max Class Size: 80
    Last edited by number6; July 4, 2022, 16:00.

  • #2
    Hi everyone!

    We will ask the organizers to send attendees an email tomorrow. In the meantime, if you are hanging on the forum, and you want to be as ready as possible for next week:
    1. Be sure you have Docker and Node installed on your laptop or in a VM. This should be Docker from Docker, not from your Linux distribution. Docker Desktop for Mac and Windows works well too.
    2. Have a virtualization app and a couple of VMs without confidential data, for testing purposes only, ready to go. Linux, Windows or macOS, we'll use them all anyway, so you don't need anything specific, grab what you like. In those VMs, you can install pre-built installers for the workshop. Again, DO NOT INSTALL THIS ON REAL MACHINES WITH REAL DATA - everyone in the workshop will be able to query data from this, including potentially READ FILES. Only install on dedicated test VMs.
    3. Join the #Fleet channel on the osquery Slack. We will use this for copy-pasta purposes, but we also will use it for support, and we will have more people from Fleet able to help than will be in the workshop physically: (
    Looking forward to next week with all of you!