Osquery - Cyber Threat Monitoring and Detection Tool


What is Osquery

Osquery is an open-source platform for security monitoring and analysis of the state of endpoints running Windows, macOS, Linux, and FreeBSD. Osquery exposes the operating system as a high-performance relational database, so the user retrieves system data with standard SQL queries. Queries are written against a rich set of predefined tables, each of which represents a specific source of information about events or about the current state of the device.

Osquery can be installed and used on a single device, but its real power shows in large-scale deployment combined with central management software. Teams of administrators and security staff then gain much better visibility into the security state and events across the whole infrastructure, whether for daily monitoring, proactive threat hunting, or response to a security incident. Query output is returned as text tables or as a CSV file, regardless of which of the 273 currently available Osquery tables, or combinations of them, the user queries. Some of the most commonly used are:

  • Running processes and their parameters
  • Automatically running programs at system startup
  • System services
  • List of users and currently logged in users
  • Windows Registry
  • Windows event log
  • Scheduled tasks
  • The network ports on which the device is listening
  • File information, including hash calculation
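The following queries, added here as an example rather than taken from the original article, show how each of the sources listed above is read with osquery's SQL. The table and column names are osquery's own; the directory, Registry key and event ID are constructed for illustration and should be adapted to the environment. Run them interactively in `osqueryi` or put them in a scheduled query configuration.

```sql
-- Running processes and their parameters, with the parent process resolved by a
-- self-join: a process whose parent is unexpected is a common first finding.
SELECT p.pid, p.name, p.path, p.cmdline, p.uid, pp.name AS parent_name
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
ORDER BY p.pid;

-- Network ports on which the device is listening, joined to the owning process.
-- An address of 0.0.0.0 or :: means the socket accepts connections on every interface.
SELECT lp.port, lp.protocol, lp.address, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0
ORDER BY lp.port;

-- Programs that start automatically at system startup.
SELECT name, path, source, status, username FROM startup_items;

-- Local user accounts (inventory to compare against the expected list)
-- and the users currently logged in.
SELECT uid, gid, username, directory, shell FROM users;
SELECT user, tty, host, datetime(time, 'unixepoch') AS login_time FROM logged_in_users;

-- Windows-only tables: services, scheduled tasks, the Registry and the event log.
SELECT name, display_name, status, start_type, path
FROM services
WHERE start_type = 'AUTO_START';

SELECT name, path, action, enabled, datetime(last_run_time, 'unixepoch') AS last_run
FROM scheduled_tasks;

-- The registry table must be constrained on its key column; this lists the
-- per-machine Run key (constructed example of a classic autostart location).
SELECT key, name, type, data
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

-- windows_events is an evented table (its publisher must be enabled in the
-- osquery configuration); event 4720 in the Security log is "user account created".
SELECT datetime, eventid, provider_name, data
FROM windows_events
WHERE source = 'Security' AND eventid = 4720;

-- File information including hashes. Both file and hash require a path or
-- directory constraint; the directory below is a constructed example.
SELECT f.path, f.size, datetime(f.mtime, 'unixepoch') AS modified, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.directory = '/usr/local/bin'
  AND h.directory = '/usr/local/bin';
```

Every table returns rows only for the platform it exists on, so a single query pack can carry both the cross-platform and the Windows-only queries; the query syntax does not change between operating systems.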

Properties

Osquery was created by Facebook, which began development in 2014, initially to monitor the security of Linux and macOS systems. Support for Windows was added in 2016. The name is short for *Operating System Query*, which captures its purpose: querying the operating system. Osquery is constantly evolving, and its visibility is extended by additional tables.

Pros

  • Visibility - Osquery provides visibility across all monitored systems.

  • Cyber security - Osquery is an excellent tool for threat hunting, digital forensic analysis, and intrusion detection, thanks to its insight into system data such as all network connections, running processes, or the list of user accounts that have been created.

  • Support for the most used platforms - Osquery runs on most operating systems, namely Windows, macOS, CentOS, FreeBSD, and almost every Linux distribution released since 2011, while the query syntax stays the same on all of them.

  • Publicly available source code under the Apache 2.0 license - you can build your own Osquery-based solution, integrate it with other products, and add functionality to suit your needs.

What to look out for

  • Storage space - the volume of collected data can be considerable (it can exceed 100MB per day per device).

  • System load - complex or poorly constructed queries can consume significant resources on the monitored system.

  • Query optimization - custom, tailor-made Osquery queries are usually needed, as the built-in queries often return redundant data and are better used as templates for writing your own.
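To illustrate the last two points, here is an added example (not from the original article) contrasting a broad query of the kind found in ready-made packs with a tailored version that returns less data and costs less to run. The tables and columns are osquery's own; the directory and the process allowlist are constructed assumptions.

```sql
-- Broad: every column of every process on every run. Cheap to evaluate, but
-- most of the output is unchanged between runs and just fills storage.
SELECT * FROM processes;

-- Tailored: only the columns an analyst needs and only rows worth a look.
-- on_disk = 0 means the executable was deleted after the process started,
-- which is unusual for legitimate software and worth reviewing.
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE on_disk = 0;

-- Expensive: hashing every file under a large tree. The double % is osquery's
-- recursive wildcard, so this reads and hashes the whole subtree on each run.
SELECT f.path, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE '/usr/%%';

-- Tailored: one directory (constructed example), and only files modified in the
-- last 24 hours, so the hash is computed just for files that actually changed.
SELECT f.path, datetime(f.mtime, 'unixepoch') AS modified, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.directory = '/usr/local/bin'
  AND h.directory = '/usr/local/bin'
  AND f.mtime > strftime('%s', 'now') - 86400;

-- Tailored listening ports: skip loopback sockets and an allowlist of expected
-- services (constructed; maintain it per environment) so only new listeners remain.
SELECT lp.port, lp.protocol, lp.address, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
  AND p.name NOT IN ('sshd', 'nginx');
```

The pattern is the same in each case: select only the columns you will act on, add a WHERE clause that expresses what "interesting" means in your environment, and keep file-hashing queries bounded to a directory and a time window so they do not turn into a periodic full-disk scan.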

Overall, the quality of Osquery and its contribution to cyber security are confirmed by the fact that, thanks to these features and benefits, it is also built into some commercial EDR (Endpoint Detection and Response) solutions, which today represent one of the most advanced and affordable ways to protect against cyber attacks.

Resources