Kicked the tires a bit by submitting a query for enumerating prefetch files with osquery, sorted by binary last execution (mtime of .pf). Still not sure how I feel about CB's attempt at the Query Exchange, but it's better than nothing (for now) https://community.carbonblack.com/t5/Query-Exchange/Prefetch-enumeration/idi-p/75144 https://twitter.com/QueryConf/status/1141794033825488896
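A query of the kind described in the tweet, written here as an added example rather than the one submitted to the Query Exchange; it assumes osquery's `file` table on Windows and the default `C:\Windows\Prefetch` directory, and derives the executable name from the `NAME-HASH.pf` filename convention.

```sql
-- Enumerate Windows prefetch files with osquery and order them by the
-- .pf modification time, which tracks the most recent execution of the binary.
-- Assumes the default prefetch directory; adjust the path if SystemRoot differs.
SELECT
  -- Prefetch files are named EXECUTABLE.EXE-<hash>.pf; take the part before the dash.
  substr(filename, 1, instr(filename, '-') - 1) AS executable,
  filename,
  path,
  size,
  datetime(btime, 'unixepoch') AS first_seen_utc,   -- creation of the .pf (first run, if not rotated)
  datetime(mtime, 'unixepoch') AS last_run_utc      -- last modification (most recent execution)
FROM file
WHERE directory = 'C:\Windows\Prefetch'
  AND filename LIKE '%.pf'
ORDER BY mtime DESC;
```

Note that prefetch must be enabled on the host (it is typically off on server SKUs and SSD-tuned configurations), and Windows caps the directory at a fixed number of entries, so the oldest .pf files are rotated out rather than preserved.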
Replying to @eric_capuano
Kind of in the same boat - shared queries exist for SIEMs like Splunk - kind of wish it was more neutral ground via OSQuery as a Linux foundation org vs a single vendor.
3:53 PM - 22 Jun 2019