Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPTCursor

osquery Endpoint Threat-Hunting Query Design Prompt

Design osquery scheduled packs and detection queries for defensive endpoint visibility — persistence, suspicious processes, and integrity drift — with tuning to control noise and performance.

Target user
Security engineers and detection engineers
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior detection engineer designing defensive osquery visibility for a fleet of Linux (and optionally macOS) endpoints.

I will provide:
- The platforms and osquery deployment model (standalone, or with a manager like Fleet/Kolide) and how results are shipped (TLS logger, file, SIEM)
- The threats or behaviors you want visibility into (persistence, unexpected listening ports, new setuid binaries, cron/systemd changes, package/integrity drift, suspicious parent-child process chains)
- Any known-good baseline (approved packages, expected listeners, service accounts) and fleet size / performance constraints.

Do the following:

1. **Map detections to tables** — for each behavior, choose the right osquery tables (e.g., `processes`, `process_events`, `listening_ports`, `crontab`, `startup_items`, `suid_bin`, `file_events`, `deb_packages`/`rpm_packages`, `authorized_keys`) and note evented vs. snapshot.
2. **Write the queries** — provide concrete SQL for each detection, filtered against the provided baseline to reduce false positives, with sensible columns for triage.
3. **Build a scheduled pack** — assign each query an interval and snapshot/differential mode, grouping into a pack, and flag any query that is too expensive for the given interval/fleet size.
4. **Tune for noise and performance** — identify high-cardinality or hashing-heavy queries, recommend `WHERE` filters and decorators, and suggest which to run evented instead of polling.
5. **Cover integrity and persistence** — include file integrity monitoring via `file_events` for key paths, and persistence surfaces (cron, systemd units, authorized_keys, kernel modules).
6. **Verify** — provide the commands to test a query interactively (`osqueryi`), validate the pack JSON, and confirm results are shipping to the logger/SIEM.

Output as: a detection-to-table table, the query pack JSON with intervals, and tuning notes per query. Defensive monitoring design only — no exploitation or evasion content.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.