MISP vs osquery
GitHub Stats
About MISP
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, and counter-terrorism data. It provides a robust data model for structuring threat data, automatic correlation of attributes and indicators, flexible sharing groups for controlled distribution, and import/export in STIX, OpenIOC, and many other formats. MISP includes a built-in feed system for consuming external threat intelligence, a REST API for automation, and taxonomies and galaxies for consistent classification. It's used by CERTs, SOCs, threat intelligence teams, and law enforcement worldwide as their primary threat intelligence management platform.
About osquery
osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data - running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real-time: 'SELECT * FROM processes WHERE name LIKE \'%miner%\'' finds cryptominers, 'SELECT * FROM listening_ports WHERE port = 4444' finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.
Platform Support
Tags
MISP only
osquery only