osquery
by osquery
osquery is a SQL-powered framework that exposes operating system data as a relational database for instrumentation, monitoring, and analytics.
SQL powered operating system instrumentation, monitoring, and analytics.
Primary Use Case
osquery is primarily used by security professionals and system administrators to query and monitor the state of endpoints across Linux, macOS, and Windows environments. It enables real-time intrusion detection, endpoint protection, and security automation by allowing users to write SQL queries to explore system data and automate monitoring tasks.
- Exposes operating system data as SQL tables for easy querying
- Cross-platform support for Linux, macOS, and Windows
- Plugin and extensions API for custom table implementations
- Ad-hoc querying via osqueryi interactive shell
- Scheduled queries for continuous monitoring with osqueryd
- Integration with custom applications through Thrift APIs
- Predefined table schemas representing processes, network, hardware, and more
- Community-driven query packs and schema resources
Installation
- Visit https://osquery.io/downloads to download the latest stable binaries for your platform
- Follow platform-specific installation guides available in the documentation at https://osquery.readthedocs.org
- Use the provided packages or binaries to install osquery on Linux, macOS, or Windows
- Verify installation by running the osqueryi shell or starting the osqueryd daemon
Usage
>_ SELECT * FROM users;Lists all users on the operating system.
>_ SELECT * FROM processes WHERE on_disk = 0;Checks for running processes whose executable has been deleted from disk.
>_ SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';Retrieves process names, ports, and PIDs for processes listening on all network interfaces.
>_ SELECT name, program || program_arguments AS executable FROM launchd WHERE (run_at_load = 1 AND keep_alive = 1) AND (program != '' OR program_arguments != '');Finds macOS LaunchDaemons that launch executables and keep them running.
>_ SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;Detects ARP anomalies by identifying MAC addresses associated with multiple IP addresses.
- Leverage osquery's scheduled queries to automate continuous endpoint monitoring and anomaly detection.
- Integrate osquery with SIEM platforms to enrich telemetry with detailed endpoint state data.
- Use custom query packs to tailor detection capabilities to specific organizational threats and environments.
- Combine osquery with threat hunting workflows to proactively discover signs of compromise.
- Deploy osquery in purple team exercises to simulate attacker techniques and validate blue team detection rules.
Docs Take 2 Hours. AI Takes 10 Seconds.
Ask anything about osquery. Installation? Config? Troubleshooting? Get answers trained on real docs and GitHub issues—not generic ChatGPT fluff.
3 free chats per tool • Instant responses • No credit card
Related Tools
rustdesk
rustdesk/rustdesk
An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.
macOS-Security-and-Privacy-Guide
drduh/macOS-Security-and-Privacy-Guide
Community guide to securing and improving privacy on macOS.
How-To-Secure-A-Linux-Server
imthenachoman/How-To-Secure-A-Linux-Server
An evolving how-to guide for securing a Linux server.
Atlas
Atlas-OS/Atlas
🚀 An open and lightweight modification to Windows, designed to optimize performance, privacy and usability.
fail2ban
fail2ban/fail2ban
Daemon to ban hosts that cause multiple authentication errors
HackBrowserData
moonD4rk/HackBrowserData
Extract and decrypt browser data, supporting multiple data types, runnable on various operating systems (macOS, Windows, Linux).