In this article, we'll discuss how we can use Kolide Fleet for threat hunting. This article is not intended as an introductory piece, but rather as a write-up showing the capabilities of Kolide Fleet for threat hunting. We will therefore not cover basic installation, but the main features and capabilities of Kolide.
With Kolide, you can manage your fleet of osquery hosts more easily through a web interface. The following are some of the things that you can query:
- Running processes
- Kernel modules loaded
- Active user accounts
- Active network connections
The web interface makes Kolide very easy to use if you already understand SQL syntax and have interacted with osquery. How far you can take your queries depends on how conversant and comfortable you are with SQL. For instance, just like in SQL, osquery allows you to perform joins, limits and aggregates within your queries.
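To show what a join, a LIMIT and an aggregate look like in a threat-hunting query, here is an added example that is not part of the original article or of the Kolide project. Because osquery exposes its tables through SQLite, the two SQL statements below can be pasted unchanged into a Fleet query; the Python around them builds an in-memory SQLite database so the example runs offline. The table names and columns are a subset of osquery's real `processes`, `process_open_sockets` and `users` schemas, and the rows are constructed sample data (an invented `update.bin` running from `/tmp` with a connection to a made-up address).

```python
import sqlite3

# Constructed sample rows. Column names follow osquery's schema, but only a
# subset of the columns is modelled and every value is invented for the demo.
SAMPLE_PROCESSES = [
    # pid, name, path, uid, parent
    (1,    "systemd",    "/usr/lib/systemd/systemd", 0,    0),
    (412,  "sshd",       "/usr/sbin/sshd",           0,    1),
    (901,  "firefox",    "/usr/lib/firefox/firefox", 1000, 1),
    (1337, "update.bin", "/tmp/.cache/update.bin",   1000, 901),
    (1402, "curl",       "/usr/bin/curl",            1000, 1337),
]

SAMPLE_SOCKETS = [
    # pid, family, protocol, local_port, remote_address, remote_port, state
    (412,  2, 6, 22,    "0.0.0.0",       0,    "LISTEN"),
    (901,  2, 6, 51002, "93.184.216.34", 443,  "ESTABLISHED"),
    (901,  2, 6, 51003, "93.184.216.34", 443,  "ESTABLISHED"),
    (1337, 2, 6, 40001, "198.51.100.23", 4444, "ESTABLISHED"),
    (1402, 2, 6, 40002, "198.51.100.23", 8080, "ESTABLISHED"),
]

SAMPLE_USERS = [
    # uid, username, shell
    (0,    "root",  "/bin/bash"),
    (1000, "alice", "/bin/bash"),
]

# Join query: processes executing from world-writable temp locations that hold
# an established connection, with the owning account resolved via `users`.
# LIMIT keeps the result set small when run across a large fleet.
SUSPICIOUS_PATH_SQL = """
SELECT u.username, p.name, p.path, s.remote_address, s.remote_port
FROM processes p
JOIN process_open_sockets s ON s.pid = p.pid
JOIN users u ON u.uid = p.uid
WHERE s.state = 'ESTABLISHED'
  AND (p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' OR p.path LIKE '/dev/shm/%')
ORDER BY s.remote_port DESC
LIMIT ?
"""

# Aggregate query: how many distinct remote hosts and connections each account
# has open. Useful as a baseline; an account whose numbers jump stands out.
CONNECTIONS_PER_USER_SQL = """
SELECT u.username,
       COUNT(DISTINCT s.remote_address) AS remote_hosts,
       COUNT(*) AS connections
FROM process_open_sockets s
JOIN processes p ON p.pid = s.pid
JOIN users u ON u.uid = p.uid
WHERE s.state = 'ESTABLISHED'
GROUP BY u.username
ORDER BY connections DESC
"""


def build_db():
    """Create an in-memory SQLite database that mimics the osquery tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER, parent INTEGER)")
    conn.execute(
        "CREATE TABLE process_open_sockets (pid INTEGER, family INTEGER, protocol INTEGER, "
        "local_port INTEGER, remote_address TEXT, remote_port INTEGER, state TEXT)"
    )
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT, shell TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", SAMPLE_PROCESSES)
    conn.executemany("INSERT INTO process_open_sockets VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_SOCKETS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def hunt_suspicious_paths(conn, limit=10):
    """Return (username, name, path, remote_address, remote_port) rows."""
    return conn.execute(SUSPICIOUS_PATH_SQL, (limit,)).fetchall()


def connections_per_user(conn):
    """Return (username, remote_hosts, connections) rows, busiest account first."""
    return conn.execute(CONNECTIONS_PER_USER_SQL).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in hunt_suspicious_paths(db):
        print("suspicious:", row)
    for row in connections_per_user(db):
        print("per-user:", row)
```

Against the sample data the first query surfaces only `update.bin`, because `curl` runs from `/usr/bin` even though it talks to the same remote host; in a real hunt you would follow up with a second query on `parent` to see that `curl` was spawned by the `/tmp` binary. The second query is the kind of per-user baseline you would schedule in Fleet and diff over time rather than read once.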
Running the Fleet
Before you can run Kolide, you