Threat hunting with Kolide and osquery


In this article, we’ll discuss how we can use Kolide Fleet for threat-hunting purposes. This article is not intended to be an introductory piece, but rather a write-up showing the capabilities of Kolide Fleet in threat-hunting. We will therefore not cover basic installation, but the main and capabilities of Kolide.


Kolide Fleet is a flexible control server that can be used to manage osquery fleets. Using Fleet, we can be able to query multiple hosts on-demand. We can also create query packs and build schedules.

With Kolide, you can manage your fleet of osquery hosts more easily through a web interface. The following are some of the things that you can be able to query:

Running processes Kernel modules loaded Active user accounts Active connections

The web interface makes it very easy to use Kolide if you already understand SQL syntax and have interacted with osquery. The extensiveness of the queries that you can use depend on how conversant and comfortable you are using SQL. For instance, just like in SQL, osquery allows you to perform joins, limits and aggregates within your queries.

Running the Fleet

Before you can run Kolide, you

Read More: