by dduarte 3321 days ago
Can it be used to find Windows machines without MS17-010 installed? :)
1 comments

Definitely. And you could write queries for the various indicators/files/etc., too (or use the built-in YARA support and grab the rules from US-CERT).

I just started working at Kolide (http://kolide.com) a couple weeks ago where we're building a whole product on top of osquery. I'm constantly surprised by "can it do (x)" and the answer is almost always yes. It's pretty solid!