Using osquery & MITRE ATT&CK® to Provide Analytics for Incident Response and Threat Hunting

  • Friday, March 20, 2020 at 3:30 PM EDT (2020-03-20 19:30:00 UTC)
  • Guillaume Ross, Dave Shackleford


  • Uptycs




There's a disconnect between best-practice frameworks and real-life nitty-gritty. While many frameworks broadly approach the overarching principles that a robust security program should encompass, the MITRE ATT&CK framework takes it a step further by connecting the dots to detail specifically what kind of attacker behavior a defender should anticipate, and how an attacker would work to thwart those vaunted best practices.

Using osquery, an open-source universal endpoint agent that makes our macOS, Linux, Docker, and Windows environments queryable using SQL, we can begin to harden our defenses by writing and deploying queries that identify the known behaviors outlined in the twelve attack technique categories of the MITRE ATT&CK matrix.

Incident Response professionals should attend this webinar to:

  • Gain an understanding of what osquery is, how it structures data & how that data can be used across security teams
  • Learn how to create SQL queries to solve example scenarios, and get acquainted with the data and insight osquery provides
  • Map portions of the ATT&CK matrix to SQL queries, using osquery to observe for these activities
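As an added illustration of the kind of ATT&CK-to-SQL mapping the abstract describes (this is not material from the webcast, its slides, or Uptycs), two osquery hunting queries follow. Table and column names are osquery's standard schema; the path patterns are constructed heuristics, and the second query is a generic behavioral hunt rather than a mapping to one specific technique ID.

```sql
-- Added example: osquery SQL mapped to ATT&CK, for threat hunting.
-- Tables/columns come from osquery's standard schema; the path patterns
-- below are constructed heuristics, not an authoritative detection.

-- 1) T1053.003 (Scheduled Task/Job: Cron): cron entries whose command
--    points at a temporary or world-writable directory, a common sign of
--    persistence dropped by a payload rather than set up by an admin.
SELECT
  path AS crontab_file,
  minute, hour, day_of_month, month, day_of_week,
  command
FROM crontab
WHERE command LIKE '%/tmp/%'
   OR command LIKE '%/var/tmp/%'
   OR command LIKE '%/dev/shm/%';

-- 2) Generic backdoor/listener hunt: processes that accept network
--    connections but run from a temporary directory, or whose binary
--    has been deleted from disk (on_disk = 0) to frustrate triage.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.on_disk,
  lp.address,
  lp.port,
  lp.protocol
FROM processes p
JOIN listening_ports lp ON lp.pid = p.pid
WHERE lp.port != 0
  AND (p.path LIKE '/tmp/%'
       OR p.path LIKE '/dev/shm/%'
       OR p.on_disk = 0);
```

To deploy either query fleet-wide, it would be added as a scheduled query in an osquery pack so results are logged centrally and can be correlated with the matching ATT&CK technique.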

Speaker Bios

Guillaume Ross

Guillaume is a Principal Product Manager at Uptycs, where he works on making the best security analytics tools for practitioners. As someone who has worked as a defender and manager of blue teams for many years, he knows what is needed to build a good security program. Guillaume is also a trainer for Pluralsight, producing training materials on network and endpoint security, and really enjoys leveraging open-source security tools and guidance from the community to deliver cost-effective, actually useful security solutions.

Dave Shackleford

Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.
