osquery is an instrumentation framework for OS X and Linux. It exposes low-level operating system information as virtual SQL "tables", and queries can be grouped into "packs". This is a multi-part workshop focusing on how Facebook uses osquery for incident response and intrusion detection, recommended deployment, and how attendees can build new features. Workshop attendees will use a compromised Linux server and an example log aggregator to detect a rootkit and continuously monitor for similar attacks.
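As an illustration of the "tables" and "packs" described above, here is an added example query pack (not material from the workshop or the osquery project) that schedules a few detection-oriented queries against standard osquery Linux tables. The table and column names (`kernel_modules`, `processes.on_disk`, `listening_ports`, `crontab`) are real osquery schema; the pack name, intervals and descriptions are assumptions chosen for the example. Scheduled queries log differentially by default, so each run reports only rows added or removed since the previous run, which is what makes a pack like this usable for continuous monitoring rather than one-off inspection.

```json
{
  "platform": "linux",
  "queries": {
    "kernel_modules_loaded": {
      "query": "SELECT name, size, used_by, status FROM kernel_modules;",
      "interval": 300,
      "description": "Differential log of loaded kernel modules; a newly added row is a candidate for review (constructed example)."
    },
    "processes_missing_binary": {
      "query": "SELECT pid, name, path, cmdline FROM processes WHERE on_disk = 0;",
      "interval": 300,
      "description": "Running processes whose executable is no longer on disk (constructed example)."
    },
    "listening_ports_with_owner": {
      "query": "SELECT lp.pid, p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 600,
      "description": "Listening sockets joined to their owning process, so new listeners are attributed to a binary (constructed example)."
    },
    "crontab_entries": {
      "query": "SELECT event, minute, hour, command, path FROM crontab;",
      "interval": 3600,
      "description": "Cron entries; additions surface new persistence (constructed example)."
    }
  }
}
```

To load a pack, the osqueryd configuration references it by name under a `packs` key (for example `"packs": {"workshop_detection": "/etc/osquery/packs/workshop_detection.conf"}`); the results then flow through the configured logger plugin to whatever aggregator is collecting them.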