
Cortex vs osquery

GitHub Stats

Stat       Cortex         osquery
Stars      1.6k           23.2k
Forks      258            2.6k
Issues     171            626
Updated    14d ago        5d ago
License    AGPL-3.0       -
Language   Scala/Python   C++

About Cortex

Cortex is a powerful observable analysis and active response engine that pairs with TheHive to supercharge incident response workflows. It provides a unified API for running analyzers against observables - IP addresses, file hashes, domain names, URLs, email addresses, and more - using over 100 built-in analyzers that query services like VirusTotal, Shodan, PassiveTotal, MISP, MaxMind, AbuseIPDB, and many others. Analysts can submit observables individually or in bulk and receive structured reports with taxonomy-based classifications. Cortex also supports responders for active response actions like blocking IPs on firewalls, disabling user accounts, or quarantining endpoints. Its REST API and TheHive integration allow organizations to automate the tedious parts of IOC analysis while keeping analysts in control of decision-making.

About osquery

osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data - running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real time: SELECT * FROM processes WHERE name LIKE '%miner%' finds cryptominers, and SELECT * FROM listening_ports WHERE port = 4444 finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.

Platform Support

๐Ÿงlinux
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Tags

Cortex only

ioc-analysis, observable, enrichment, automation, thehive, soar

osquery only

endpoint-visibility, sql, fleet-management, compliance, continuous-monitoring