osquery Provides Extensible Endpoint Visibility
osquery is a universal, light-weight, highly configurable endpoint agent which can collect and normalize data across macOS, Linux, Windows and container environments. It is managed by The Linux Foundation and is widely adopted by IT security teams looking for an open platform for endpoint visibility. osquery increases visibility across your infrastructure and gives you the power to ask questions using SQL across any machine, such as “Which machines are running vulnerable software packages?” and “Where else are we seeing this malicious process?”
How Is osquery Used?
osquery empowers a variety of security roles with broad visibility and comprehensive analytics. Whether you’re concerned with enforcing configuration policies, SOC 2 compliance or hunting threats, osquery can help security teams secure their attack surface and drive better outcomes.
Security Configuration Management
- Audit all machines in your fleet
- Identify users and connection locations
- Audit software & hardware (incl. versions)
- Identify where sensitive data lives
- Gather detailed application configuration data (with Augeus )
* To monitor configuration drift or change over time requires the ability to historically lookback and compare. Having a scalable data storage solution will be required.
- Collect a subset of data for compliance checks ( osquery Compliance Query Packs )
- Audit configuration settings
- Identify where sensitive data lives (with YARA + FIM)
- Scan your WiFi for unknown users
Detection & Threat Hunting
- Spot lateral movement
- Detect behavioral anomalies
- Observe open connections/ ports
- Identify & analyze malware (with YARA, JA3 )
- Map endpoint data to the MITRE ATT&CK framework
- Monitor critical file activity (FIM)
- Identify root access
* When scaling open source osquery for detection and threat hunting, be aware of limitations to scale — no standard deployment exists. Open source has different functions for every user, and no two users will configure and operate the tool exactly alike.
- Find vulnerabilities early in development
- Monitor user access
- Audit container or microservice misconfigurations
- Monitor infrastructure behavior post deployment
* osquery alone enables DevOps teams to continuously monitor their cloud applications/workloads. Visibility inside the workloads themselves (resource utilization, processes running, and network connections) will require the complimentary cloudquery extension.
- Audit active users & unknown logins
- Inventory your hardware
- Oversee your software inventory & package versions
- See how much memory is available
- Identify process performance hogs
- Examine existing extensions
How osquery Worksosquery is a small endpoint agent that makes your entire system configuration and runtime state available for query through an SQL interface, including a real-time stream of events. With osquery, you can:
- run SQL queries to retrieve information from system calls, system APIs, configuration files, and your filesystem directly across your entire fleet of laptops, servers, or containers.
- schedule these queries to run periodically and be delivered to your storage destination of choice for alerting and after-the-fact investigation.
- subscribe to event sources to immediately detect new processes, network activity, and file changes. These events can be streamed to your specified destination for detection and investigation purposes.
- run ad-hoc queries through your fleet manager to investigate your system in real time.
Uptycs developers and engineers contribute features and bug fixes to the open source osquery project. Fun fact—way back in 2017, we contributed the original Docker tables extending osquery to containers. More recently, we’ve open-sourced two osuery extensions:
- Cloudquery : extends osquery for AWS, GCP & Azure account services data
- Kubequery : extends osquery for K8s cluster data
We have plans to release additional extensions in the future to broaden osquery’s visibility across the modern attack surface to include Identity Provider and SaaS Provider telemetry. To support the ongoing education and evangelism of osquery, we also host the annual osquery@scale conference, bringing osquery practitioners together with their osquery-curious peers for meaningful knowledge exchange focused on production use cases.
When it comes to Uptycs Unified CNAPP and XDR, osquery provides the foundational telemetry for endpoints and containers that when augmented by cloudquery and kubequery, form the basis of our telemetry-powered security offering for Cloud Workload Protection, Cloud Security Posture Management, eXtended Detection & Response, Insight & Inventory, and Audit, Compliance & Governance. For Uptycs Unified CNAPP and XDR, we’ve enhanced the osquery agent—optimizing it for scale, reliability and performance.
Install osquery Now
Visit osquery.io for the latest install package and installation guidance.