osquery
Threat Intelligence · C++
osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This lets you explore operating system data with SQL queries: running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real time: SELECT * FROM processes WHERE name LIKE '%miner%' finds cryptominers, and SELECT * FROM listening_ports WHERE port = 4444 finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.
Installation
brew (macOS)
$ brew install osquery
apt (Debian/Ubuntu)
$ sudo apt install osquery
choco (Windows)
$ choco install osquery
Download
Download packages from https://osquery.io/downloads
Use Cases
- Querying running processes, network connections, and system state with SQL
- Detecting malware, cryptominers, and suspicious services across endpoint fleets
- Continuous compliance monitoring with scheduled differential queries
- Investigating incidents by querying file hashes, user sessions, and system logs
- Building custom detection rules as SQL queries for endpoint security monitoring
Details
- Category: Threat Intelligence
- Language: C++
- Repository: osquery/osquery
- Platforms: linux, macos, windows
Alternatives & Comparisons
Velociraptor (Go)
Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.
Compare osquery vs Velociraptor
MISP (PHP/Python)
Open-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
Compare osquery vs MISP
OpenCTI (TypeScript/Python)
Cyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
Compare osquery vs OpenCTI
TheHive (Scala/JavaScript)
Incident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
Compare osquery vs TheHive
GRR Rapid Response (Python)
Remote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
Compare osquery vs GRR Rapid Response
KAPE (C#)
Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
Compare osquery vs KAPE
Cortex (Scala/Python)
Observable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.
Compare osquery vs Cortex