forensics-osquery
About
This skill enables SQL-based forensic investigation and threat hunting by querying endpoint operating systems as relational databases via osquery. It's designed for rapid evidence collection, incident response, and analyzing system artifacts like processes, network connections, and file hashes across Linux, macOS, and Windows. Use it for live forensics, building detection queries, and hunting for compromise indicators during security incidents.
Quick Install
Claude Code
Recommendednpx skills add aiskillstore/marketplace -a claude-code/plugin add https://github.com/aiskillstore/marketplacegit clone https://github.com/aiskillstore/marketplace.git ~/.claude/skills/forensics-osqueryCopy and paste this command in Claude Code to install this skill
GitHub Repository
Frequently asked questions
What is the forensics-osquery skill?
forensics-osquery is a Claude Skill by aiskillstore. Skills package instructions and resources that Claude loads on demand, so Claude can perform forensics-osquery-related tasks without extra prompting.
How do I install forensics-osquery?
Use the install commands on this page: add forensics-osquery to Claude Code as a plugin, or clone its repository into your skills directory, then restart Claude so it picks up the skill.
What category does forensics-osquery belong to?
forensics-osquery is in the incident-response category, tagged forensics, osquery, incident-response, threat-hunting, endpoint-detection and dfir.
Is forensics-osquery free to use?
Yes. forensics-osquery is listed on AIMCP and free to install. It runs inside Claude, so no separate service account is required to use the skill itself.
Related Skills
This skill enables large-scale endpoint forensics and incident response using Velociraptor Query Language (VQL). It's designed for collecting evidence, hunting threats, and performing live response across multiple systems. Developers can use it to gather telemetry, monitor security events, and create custom forensic artifacts for investigations.
This skill enables the creation and management of universal, vendor-agnostic SIEM detection rules using the Sigma format. It allows developers to write rules once and convert them for platforms like Splunk, Elastic, QRadar, and Sentinel, facilitating threat hunting and detection-as-code pipelines. Key features include mapping detections to MITRE ATT&CK and implementing compliance monitoring.
This skill enables creation and management of vendor-agnostic SIEM detection rules using the Sigma format. It allows converting rules between platforms like Splunk and Elasticsearch while supporting threat hunting and detection-as-code workflows. Developers should use it for standardized security monitoring, MITRE ATT&CK mapping, and cross-platform rule portability.
This skill provides a production-tested setup for Content Collections, a TypeScript-first tool that transforms Markdown/MDX files into type-safe data collections with Zod validation. Use it when building blogs, documentation sites, or content-heavy Vite + React applications to ensure type safety and automatic content validation. It covers everything from Vite plugin configuration and MDX compilation to deployment optimization and schema validation.
