This article was authored by Jon Nelson
VMware Carbon Black Cloud Audit and Remediation is a powerful real-time query platform that allows customers to query over 2,000 individual attributes from their Windows, Linux, and macOS endpoints and workloads. This helps customers who struggle with answering auditors' questions, searching Windows event logs, macOS plists, or Linux configuration files.
Audit and Remediation provides direct access to osquery functionality within the VMware Carbon Black Cloud console to enable security, compliance, and IT teams to quickly gather information from their endpoints and workloads. osquery can help teams with gathering information at scale across environments for IT and help desk operations, compliance and M&A reporting, incident response, and security investigations.
In this ongoing blog series, we will show how to construct advanced Audit and Remediation queries to meet use cases across IT Operations, Helpdesk Operations, Security, Incident Response, Compliance, and more. By understanding how these queries are constructed, you will be empowered to extend this knowledge to solving other use cases, all while making your teams more efficient and effective in their roles.
This blog series is intended for readers who have a basic understanding of SQLite and have an osquery test environment. If neither of these things is true for you, please take a moment to read the Audit and Remediation Best Practices Guide before exploring the rest of this blog series.
- Leveling Up with osquery for Workloads blog series
- Leveling Up with osquery for Workloads: Identifying and Contextualizing Windows Logon Failures
- Leveling Up with osquery for Workloads: Locating local administrator accounts (Windows)
- Leveling Up with osquery for Workloads: Determining Free Disk Space on Linux & macOS
- Leveling Up with osquery for Workloads: Check for weak authentication types (LM/NTLM)