Battle Tested Scalability
Running on hundreds of thousands of endpoints, osquery sets the bar for performance at scale, whether you are a startup or a Fortune 100 company.
Transparency via Open Source
100% community vetted, open source codebase. No wizard behind the curtains, no secret sauce. Security you can scrutinize.
Manage all of your endpoints in one place. Windows, Linux, Mac, all in the same dashboard. Streamline your security pipeline.
What does osquery do?
The best way to understand how osquery works is to see it in action. Explore the example queries below or craft your own.
KeRanger is ransomware that infected users who installed a specific release of the Mac torrent client Transmission.app. This query looks for the presence of its known process name:
SELECT name, path, pid FROM processes
WHERE name = 'kernel_service';
Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted or modified, which could be an indicator of a suspicious process:
SELECT name, path, pid FROM processes
WHERE on_disk = 0;
On endpoints with well-defined behavior, the security team can use osquery to find any processes that do not fit within whitelisted network behavior, e.g. a process scp'ing traffic externally when it should only make outbound HTTP(S) connections. Here family = 2 restricts the result to IPv4 (AF_INET) sockets:
SELECT s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port
FROM process_open_sockets s JOIN processes p ON s.pid = p.pid
WHERE remote_port NOT IN (80, 443) AND family = 2;
The application layer firewall allows macOS to control connections made to your computer from other computers on your network. Here we check whether the firewall is currently enabled: a returned row means it is switched off (global_state = 0):
SELECT * FROM alf
WHERE global_state = 0;
Knowing which apps are installed on an endpoint is often not enough. Here we ask osquery to show us all hosts running a deprecated version of Adobe Acrobat with a known hijacking vulnerability. Note that bundle_version is text, so the comparison is lexicographic rather than numeric:
SELECT bundle_version FROM apps
WHERE name LIKE 'Adobe Acrobat.app'
AND bundle_version <= '15.0.0';
Disk encryption is an organizational policy for many companies. This query returns hosts whose primary disk is currently unencrypted:
SELECT * FROM mounts m, disk_encryption d
WHERE m.device_alias = d.name
AND m.path = '/'
AND d.encrypted = 0;
Critical processes require persistent uptime. Using osquery we can check whether the Apache process is running on our web server:
SELECT * FROM processes
WHERE name LIKE '%Apache%';
Whether auditing or investigating, having access to historical user session data lets us see where specific logins have occurred within your infrastructure. This query returns root logins recorded in the last hour:
SELECT * FROM last
WHERE username = 'root'
AND time > ((SELECT unix_time FROM time) - 3600);
The easiest way to troubleshoot resource utilization is to see it broken down by process across your fleet. Here we ask for the top 3 resource-intensive processes currently running, aggregated by process group:
SELECT name,
  ROUND(SUM(resident_size) * 1.0 / 1024 / 1024 / 1024, 2) AS used_memory,
  ROUND(SUM(resident_size) * 1.0 / system_info.physical_memory * 100, 2) AS percentage,
  SUM(system_time) + SUM(user_time) AS cpu_time
FROM processes, system_info
GROUP BY processes.pgroup
ORDER BY used_memory DESC LIMIT 3;
SQL Based Input
Osquery utilizes basic SQL commands to leverage its relational data model. This makes crafting queries a simple and straight-forward process. Join tables for complex queries and reveal insights that aren't available with any other endpoint agent.
Persistent or Ad Hoc
Build queries that run continuously to monitor critical systems and processes, or write queries on the fly to explore live issues in your infrastructure. Osquery allows the freedom to investigate and monitor your endpoints, your way.
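To turn the "deleted binary" query shown earlier into a persistent check rather than an ad hoc one, it can be placed in the osquery.conf schedule and the records osqueryd writes to its results log triaged centrally. The following is an added example, not osquery's own code: the config fragment follows osquery's documented schedule layout, and the log lines are constructed samples in the shape of osqueryd's results log.

```python
import json

# Scheduled-query fragment of osquery.conf (documented layout): the page's
# "deleted binary" query runs every 10 minutes as a differential query, so
# osqueryd logs only rows that appeared ("added") or vanished ("removed").
OSQUERY_CONF = {
    "schedule": {
        "deleted_binaries": {
            "query": "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
            "interval": 600,
        }
    }
}

# Constructed sample of osqueryd's results log (one JSON object per line):
# differential records, one snapshot-mode record, and a corrupt line.
SAMPLE_LOG = """\
{"name":"deleted_binaries","hostIdentifier":"web-01","unixTime":1700000000,"columns":{"name":"sshd","path":"/usr/sbin/sshd","pid":"412"},"action":"removed"}
{"name":"deleted_binaries","hostIdentifier":"web-02","unixTime":1700000600,"columns":{"name":"kworker","path":"/tmp/.x","pid":"9021"},"action":"added"}
{"name":"other_query","hostIdentifier":"web-02","unixTime":1700000600,"columns":{"name":"bash","pid":"7"},"action":"added"}
{"name":"deleted_binaries","hostIdentifier":"db-01","unixTime":1700000900,"action":"snapshot","snapshot":[{"name":"miner","path":"/dev/shm/m","pid":"31337"}]}
not json at all
"""


def triage(log_text: str, query_name: str) -> list[dict]:
    """One alert per process the named query reported as present: 'added'
    rows from differential records, every row of a snapshot record. 'removed'
    rows and malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("name") != query_name:
            continue
        if rec.get("action") == "added":
            rows = [rec.get("columns", {})]
        elif rec.get("action") == "snapshot":
            rows = rec.get("snapshot", [])
        else:
            continue
        for cols in rows:
            alerts.append({"host": rec.get("hostIdentifier"), "time": rec.get("unixTime"),
                           "pid": int(cols.get("pid", -1)), "name": cols.get("name"),
                           "path": cols.get("path")})
    return alerts
```

Only additions and snapshot rows become alerts; the "removed" record for sshd on web-01 simply means that process has since exited.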
So small you'll forget it's there. Osquery was designed with performance in mind, and runs with very little overhead. Safety mechanisms ensure that your production workload comes first.