osquery

Description

Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With Osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

Purpose

While many endpoint security agents collect ongoing, streaming data such as process creation and file modification, Osquery lets you take a “point in time” examination of the state of your devices, which makes searching for anomalies and outliers more straightforward. Osquery can introspect many areas of the operating system, and by using JOINs it lets you gather quite a bit of context with a single query.
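As an added illustration of the two points above (tables standing in for operating system concepts, and JOINs pulling context together in one query), here is a point-in-time query of the kind Fleet could schedule for the DetectionLab agents. It is an example written for this page, not a query shipped with DetectionLab or osquery. The tables it uses (processes, listening_ports, users and hash) are standard osquery tables; the WHERE filters and the idea of treating an unexpected listener or hash as something to pivot on are the author's assumptions about what an analyst would want.

```sql
-- Point-in-time inventory of every process that is listening on the network,
-- joined with the owning user and the SHA-256 of the executable on disk.
-- processes, listening_ports, users and hash are built-in osquery tables.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.protocol,      -- 6 = TCP, 17 = UDP
  lp.address,
  lp.port,
  h.sha256
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
LEFT JOIN users AS u ON u.uid = p.uid
-- hash is a virtual table that requires a path constraint; the join on
-- p.path supplies it, so osquery hashes each listening binary on demand.
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.port != 0        -- ignore sockets that are not actually bound
  AND p.path != ''        -- a listener with no path on disk is worth a look on its own
ORDER BY lp.port, p.pid;
```

Run interactively in osqueryi, this returns one row per listening socket. Scheduled through Fleet, each run's rows land in Splunk under index=osquery, so a listener that appears on a host where it has no business being, a binary whose sha256 differs from the same service elsewhere, or a listener running as an unexpected user all stand out as outliers across the fleet rather than needing a per-host inspection.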

Configuration Details

  • In DetectionLab, Osquery agents are enrolled into Fleet. The queries and configurations for the Osquery agent are supplied by Fleet over a TLS connection.
  • The parameters for configuring this connection to Fleet are stored in C:\Program Files\osquery\osquery.flags.
  • Osquery runs as the osqueryd service.

Data Location

  • Splunk
    • Query results: index=osquery
    • INFO/WARN/ERROR logs: index=osquery-status