"Which computers in my fleet have no disk encryption?"
Which computers in my organization are unencrypted?
Which servers had root logins in the last hour?
Which macOS hosts need updates?
What processes are running whose binary has been deleted from the disk?
Which servers are exhibiting suspicious network activity?
// Machines with unencrypted primary disk.
FROM mounts m, disk_encryption d
WHERE m.device_alias = d.name
AND m.path = "/" AND d.encrypted = 0;
// Root Logins In The Last Hour
WHERE username = "root"
AND time > ((SELECT unix_time FROM time) - 3600);
// macOS Needs Update
WHERE name = "mac os x"
AND minor < 10;
// Processes running whose binary has been deleted from the disk
SELECT name, path, pid
WHERE on_disk = 0;
// Looks for processes with IP traffic to ports not in (80, 443)
SELECT s.pid, p.name, local_address, remote_address, family, protocol,
FROM process_open_sockets s JOIN processes p ON s.pid = p.pid WHERE
remote_port NOT IN ( 80, 443 ) AND family = 2;
Kolide Fleet is Powered by
Kolide Fleet is a state of the art host monitoring platform built on top of Facebook's legendary osquery agent. Built in part by our CTO, Mike Arpaia, osquery transforms your infrastructure into a rich database that you can query with standard SQL.
- Osquery runs performantly on hundreds of thousands of real production systems.
- Osquery allows you to access over 4500 unique data points across macOS, Linux and Windows operating systems.
- Osquery is 100% open-source and as a result, it receives intense scrutiny, new features, and regular updates from the community.
Kolide Fleet integrates with
the tools your team loves
Kolide Fleet's mission is to provide everyone with the most performant, accurate, and diverse host inspection capability possible. Our goal is to make your existing security, operations, and IT investments smarter by integrating with top of the line tools.
- Kolide Fleet coalesces important host data in one place for effortless retrieval and transformation.
- Kolide Fleet integrates with existing logging and analytics pipelines including SumoLogic, Splunk, and Logstash
- Kolide Fleet is infrastructure provider agnostic and works across cloud vendors, on premises servers and workstations.
Top down infrastructure unbelievably simple
Kolide Fleet harnesses rich host data collection so you can track assets that are out of spec in real-time. Whether a policy violation occurred, or a vulnerability is present, Kolide allows you to track progress towards your goals.
- Collect detailed information about macOS and Linux hosts that other agents fail to obtain.
- Get detailed information on installed apps, packages, plugins and even browser extensions for all hosts in your organization.
- Automatically apply data collection policies for infrastructure as they come online.
Learn About osquery
Kolide Fleet is powered by Facebook's open source osquery agent. We encourage you to learn more about its data collection capabilities.
Read the Kolide Fleet Docs
Want more technical details on Kolide Fleet? The documentation is a great place to learn the ins and outs.