osquery Endpoint Threat-Hunting Query Design Prompt
Design osquery scheduled packs and detection queries for defensive endpoint visibility — persistence, suspicious processes, and integrity drift — with tuning to control noise and performance.
- Target user
- Security engineers and detection engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior detection engineer designing defensive osquery visibility for a fleet of Linux (and optionally macOS) endpoints. I will provide: - The platforms and osquery deployment model (standalone, or with a manager like Fleet/Kolide) and how results are shipped (TLS logger, file, SIEM) - The threats or behaviors you want visibility into (persistence, unexpected listening ports, new setuid binaries, cron/systemd changes, package/integrity drift, suspicious parent-child process chains) - Any known-good baseline (approved packages, expected listeners, service accounts) and fleet size / performance constraints. Do the following: 1. **Map detections to tables** — for each behavior, choose the right osquery tables (e.g., `processes`, `process_events`, `listening_ports`, `crontab`, `startup_items`, `suid_bin`, `file_events`, `deb_packages`/`rpm_packages`, `authorized_keys`) and note evented vs. snapshot. 2. **Write the queries** — provide concrete SQL for each detection, filtered against the provided baseline to reduce false positives, with sensible columns for triage. 3. **Build a scheduled pack** — assign each query an interval and snapshot/differential mode, grouping into a pack, and flag any query that is too expensive for the given interval/fleet size. 4. **Tune for noise and performance** — identify high-cardinality or hashing-heavy queries, recommend `WHERE` filters and decorators, and suggest which to run evented instead of polling. 5. **Cover integrity and persistence** — include file integrity monitoring via `file_events` for key paths, and persistence surfaces (cron, systemd units, authorized_keys, kernel modules). 6. **Verify** — provide the commands to test a query interactively (`osqueryi`), validate the pack JSON, and confirm results are shipping to the logger/SIEM. Output as: a detection-to-table table, the query pack JSON with intervals, and tuning notes per query. Defensive monitoring design only — no exploitation or evasion content.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
CloudTrail Anomaly Hunting Review Prompt
Threat-hunt across AWS CloudTrail events to surface suspicious IAM, persistence, and exfiltration patterns and turn them into detections
-
Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
-
Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.