Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data App library Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Fleet user stories — Wayfair

{{articleSubtitle}}

| The author's GitHub profile picture

Mike Thomas

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer

Fleet user stories — Wayfair

{{articleSubtitle}}

| The author's GitHub profile picture

Mike Thomas

Fleet user stories

Ahmed Elshaer — DFIR, Blue Team, SecOps @ Wayfair

Two people talking about Fleet

This week, I spoke with Ahmed Elshaer (DFIR, Blue Team, SecOps) about how Wayfair uses Fleet and osquery:

How did you first get started using osquery?

We were looking for a tool that provided linux logging, and incident response capabilities. Osquery had most of the requirements like logging, ability to scope an incident, interrogate systems but it’s missing the response or the ability to do an action on the remote systems.

Why are you using Fleet?

We have POC’d couple free options and Fleet was the highest engagement and continuous development although it may be missing some features.

How do your end users feel about Fleet?

We are using Fleet only in the remote query on scale, so we find Fleet is doing a good job in that area, and it’s easy to use for any new members.

How are you dealing with alert fatigue and false positives from your SIEM?

We have lots of queries that generate logs, but the ones that go into alerts are verified queries that are intended to hunt malicious or suspicious activity. Those activities are known based on public threat reports, Mitre Attack, or internal Red Team exercise.