# Investigate Endpoints with osquery

Incident responders need fast endpoint evidence without switching between many host tools. This skill guides Claude, Codex, and Claude Code through osquery-based triage, hunting, and monitoring workflows.

## Install

```bash
npx skillstore add agentsecops/forensics-osquery
```

## Metadata

- Slug: agentsecops-forensics-osquery
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/forensics-osquery
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, filesystem, network
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-forensics-osquery
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-forensics-osquery/manifest

## Capabilities

- Provides osquery workflows for process, network, file, user, and persistence analysis.
- Maps common investigation tasks to MITRE ATT&CK-oriented osquery queries.
- Includes query packs for triage, persistence hunting, lateral movement, and credential access detection.
- Explains osqueryd deployment, scheduling, logging, and service management basics.
- Highlights platform differences across Linux, macOS, and Windows osquery tables.
- Offers guidance for evidence handling, query tuning, and SIEM integration.

## Use Cases

- Rapid Endpoint Triage: Collect process, login, network, and file metadata after an alert to understand host state quickly.
- MITRE-Based Threat Hunting: Translate a suspected ATT&CK technique into osquery searches for observable endpoint artifacts.
- Fleet Monitoring Design: Build scheduled osqueryd packs that monitor persistence, credential access, and lateral movement indicators.
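As an added example (not part of the skill or of this page), the following osqueryd pack covers the Linux side of the triage and persistence-hunting use cases above. The pack name, query names, intervals, and paths are assumptions chosen for illustration; the tables and columns (`processes`, `listening_ports`, `logged_in_users`, `crontab`, `startup_items`, `file`) are standard osquery tables.

```json
{
  "platform": "linux",
  "queries": {
    "triage_processes_not_on_disk": {
      "query": "SELECT pid, name, path, cmdline, parent, uid FROM processes WHERE on_disk = 0;",
      "interval": 600,
      "description": "Running processes whose executable has been deleted from disk; a full snapshot every run so the analyst sees current state, not just changes.",
      "snapshot": true
    },
    "triage_external_listeners": {
      "query": "SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
      "interval": 600,
      "description": "Processes bound to non-loopback addresses, to be compared with the host's expected service inventory.",
      "snapshot": true
    },
    "triage_logged_in_users": {
      "query": "SELECT user, tty, host, time, type FROM logged_in_users;",
      "interval": 300,
      "description": "Interactive sessions; differential logging reports only logins and logouts between runs."
    },
    "persistence_crontab": {
      "query": "SELECT path, minute, hour, command FROM crontab;",
      "interval": 3600,
      "description": "System and per-user cron entries; added rows in the differential log flag new scheduled-task persistence."
    },
    "persistence_startup_items": {
      "query": "SELECT name, path, source, status FROM startup_items;",
      "interval": 3600,
      "description": "Startup items (systemd units, XDG autostart entries) tracked differentially."
    },
    "triage_recent_staging_files": {
      "query": "SELECT path, size, mtime, uid FROM file WHERE (path LIKE '/tmp/%' OR path LIKE '/dev/shm/%') AND mtime > (strftime('%s', 'now') - 86400);",
      "interval": 1800,
      "description": "Files modified in world-writable staging directories during the last 24 hours (86400 seconds is an example window)."
    }
  }
}
```

Save the pack under a path such as `/etc/osquery/packs/ir_triage.conf` (assumed path) and reference it from the `packs` object of `osquery.conf`, for example `"packs": {"ir_triage": "/etc/osquery/packs/ir_triage.conf"}`. Queries without `"snapshot": true` log differentially, so the SIEM receives only rows that appeared or disappeared since the previous run; the `file` query uses `LIKE` path constraints because osquery requires a bounded path for that table. Intervals and the staging-directory list are the first things to tune in a lab before fleet rollout, as the Best Practices section below recommends.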

## Prompt Templates

### Start Endpoint Triage

```
Use the forensics-osquery skill to plan an initial endpoint triage. Focus on processes, logged-in users, network connections, and recent file changes.
```

### Hunt Persistence

```
Use the forensics-osquery skill to create a persistence hunting workflow for Linux, macOS, and Windows. Include what each result means.
```

### Map A Technique

```
Use the forensics-osquery skill to map MITRE ATT&CK technique T1003 to endpoint artifacts and osquery checks. Include analysis steps and evidence handling.
```

### Design Monitoring Pack

```
Use the forensics-osquery skill to design an osqueryd monitoring pack for lateral movement and credential access. Include scheduling, tuning, and false positive review.
```

## Limitations

- Requires osquery or osqueryd to be installed on the target endpoint.
- Some tables and results require root or administrator privileges.
- Query coverage depends on operating system support and enabled event collection.
- The skill does not validate findings against live threat intelligence by itself.

## Best Practices

- Run privileged queries only on systems where you have explicit authorization.
- Store exported results in encrypted locations with access logging and retention limits.
- Test scheduled queries in a lab before enabling them across production endpoints.

## Anti-Patterns

- Do not run broad file or process queries without scope limits on production fleets.
- Do not share raw osquery results before removing secrets and personal data.
- Do not treat query matches as confirmed compromise without analyst validation.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:33:49.072+00:00
- Summary: Static analysis found many command, credential, filesystem, and network indicators, but review shows they are mostly osquery detection queries and defensive documentation. The skill is not malicious, but it can guide privileged endpoint collection that exposes sensitive files, process details, registry data, and network activity, so users need clear operational controls.

## Stats

- Views: 220
- Downloads: 7
- Favorites: 0
- Popularity score: 0
