1.6 KiB
1.6 KiB
| HOME | RESEARCH | INSTALLATION | CLIENT APP | INTEGRATION | DEMONSTRATION | CONCLUSION |
|---|
Research
Osquery is an open-source OS instrumentation framework that uses SQL-like syntax to query the OS as if it were a relational database. It was created by Facebook(Meta) in 2014.
Features
- Cross-platform: macOS, Linux, FreeBSD, and Windows
- Data collection: running processes, user logins, kernel modules, network connections, browser plugins, hardware events, file hashes, and more
- SQL-based queries: Users can write SQL queries to explore data across all operating systems and infrastructure
- Query packs: Pre-built collections of queries for specific tasks like incident response, vulnerability management, or compliance monitoring
Components
- Osqueryi: An interactive console shell for running ad-hoc queries and exploring the system
- Osqueryd: A daemon that schedules queries and monitors system changes
Warning
Osquery generates approximately 110MB of data per endpoint per day. This requires careful consideration of storage and management, especially for large-scale deployments.
Sources:
- https://www.uptycs.com/blog/threat-research-report-team/osquery-guide
- https://rearc.io/blog/osquery-introduction
- https://www.rapid7.com/blog/post/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/
| <<<< | >>>> |
|---|