Fibratus vs osquery
About Fibratus
Fibratus is a tool for exploration and tracing of the Windows kernel via Event Tracing for Windows (ETW). It captures process creation/termination, thread activity, file system operations, registry modifications, network connections, DLL loads, and driver events in real time. Fibratus includes a rule engine for detecting suspicious behavior patterns (fileless malware indicators, persistence mechanisms, credential access). Events can be filtered with a powerful expression language and forwarded to Elasticsearch, AMQP, or console output. It provides deep kernel-level visibility for threat hunting, incident response, and understanding system behavior during malware detonation.
About osquery
osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data: running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real time: `SELECT * FROM processes WHERE name LIKE '%miner%';` finds cryptominers, and `SELECT * FROM listening_ports WHERE port = 4444;` finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.