Osquery Resource Hub

Get an understanding of how to use Augeas with osquery to parse configuration files.

Go deep into the features and functions of osquery, a universal endpoint agent that exposes an operating system as a relational database.

Using Augeas with osquery allows you to scan the configuration of your entire fleet of hosts, easily adapting to new internal applications and their proprietary configuration files.

Using osquery to monitor system-level kernel extensions, modules, and drivers across all major desktop platforms is a great way to ensure IT compliance.

When it comes to Chrome extensions, knowing what you have is half the battle. But once you know what you have, how do you decide what you should keep?

Justin Mitzimberg explored osquery’s surprising and practical compliance capabilities in his talk at the 2020 osquery@scale event. 

Gathering software inventory is an important part of security and systems management. There’s a good reason software inventory is No. 2 in the list of CIS Critical Controls!

Learn how to use and scale osquery to (proactively) detect evasive malware, stealthy persistence, fileless malware, unseen attacks etc.

Join SANS Analyst, Dave Shackleford and Uptycs CTO, Milan Shah as they explore the new ways CSIRT teams are using osquery to provide a comprehensive, high-fidelity data set for incident investigation and more.

Defining Threat Intel, its various sources and how to apply it at scale.

Review example SQL queries for Threat Detection and DFIR using osquery.

Follow this guide for identifying bad launch daemons on macOS using osquery.

Using Osquery to explore the registry and startup_items tables to see another common technique that malware uses.

An analysis of different malware families, the types of events generated on the endpoint and how Osquery can detect them.

Hands on demonstration of basic SQL for osquery.

Orient yourself to core functions available in SQLite, used by osqueryi.

A technical look at how and why to run osquery as a DaemonSet container.

How to ingest osquery logs with Rsyslog V8 via the system journal (vs from disk).

In addition to configuring auditing, strategies for reducing the performance impact and logging volume are shared.

This post lays the foundation [for auditing] by expanding on the basic concepts of the Linux Audit Framework.

Dropbox provides a view into how they monitor macOS in their environment.

Learn how to monitor macOS with osquery and AWS Kinesis Firehose.

Protecting your organization and data against cyber attack vectors in the cloud requires new tools.

Advanced osquery functionality. File integrity monitoring, process auditing, and more.

Register for this open source security webinar to learn how to detect malware and improve security monitoring using JA3 and osquery.

When running containers in production with Docker, bad configurations can easily lead to vulnerable environments...

Learn how to setup FIM using osquery on Ubuntu 18.04 and CentOS 7.

Explore the benefits of running osquery as a DaemonSet container.

How to create an osquery config, centralize the log output, and start creating effective searches and alerts.

Download packages designed and signed by the Facebook team.

A dedicated Slack channel for users and developers to colloborate on osquery.

Learn how to gather information from the Windows registry using osquery.

Hands on guide to installing osquery on macOS.

Download the current known OS X vulnerabilities pruned by the osquery community.

dockerhub container download for osquery

Install the Chocolately osquery package

Osquery offers simple, yet profound ways to combine event and context data...

Learn about an extension for osquery that will let you dig deeper into the NTFS filesystem.

An overview of using osquery with docker from one of the original project contributors.

Diffy is a triage tool to help DFIR teams quickly identify compromised hosts on Cloud Workloads.

Teddy Reed reveals the fragile componenets of osquery and suggestions for how to improve.

View issues, pull requests and history of the open source project.

Proprietary, agent-based solution silos have created a fragmented and complex market...

Explore tables and data structure of open source osquery by version.

An open source tools guide for deploying osquery at scale.

Fernando Montenegro, Senior Analyst at 451 Research offers his view of osquery, its potential and risk in the security market.

Explore official project documentation from getting started to advaned configs.

Learn osquery for free in this instructor led video tutorial series.

The introduction of osquery to the open source community by Facebook

Security Breaches are happening every other week - understanding the anatomy of an attack is a daunting task that Incident Responders face. Attackers will leave behind breadcrumbs. Forensics tools can be time & resource intensive.

Using SQLite to ask osquery about inventory, disk encryption, remaining storage, active logins and more.

Fleet visibility with osquery and other f/oss tools

Osquery is a highly effective means to analyze malware across macOS, Linux, and Windows. In this blog post, we use OSX/Dummy as an example to analyze malware by collecting events data via osquery.

While Windows has a mature market for host instrumentation products, the options on macOS have been severely limited.

Install osquery on Ubuntu 16.04, use the 'osqueryi' interactive mode, and monitor a live system.

Learn how to bundle your custom configs with the osquery binary and output a customized MSI.

Incident detection and response across thousands of hosts requires a deep understanding of actions and behavior across users, applications, and devices.

Osquery extensions developed and maintained by Trail of Bits. Extensions add capabilities that go beyond osquery core.

In osquery, SQL tables, configuration retrieval, log handling, etc. are implemented via a robust plugin and extensions API. This project contains Go bindings for creating osquery extensions in Go.

In osquery, SQL tables, configuration retrieval, log handling, etc are implemented via a simple, robust plugin and extensions API. This project contains the official Python bindings for creating osquery extensions in Python.

The implementation of TLS Persistent Transport Support in osquery decreases the network traffic...

A look at how to create extensions for Windows.

StreamAlert is a real-time data analysis framework with point-in-time alerting...

Review and access the complete list of query packs provided for open source osquery.

An osquery endpoint management server designed to take advantage of the native scaling, performance, and reliability of the AWS cloud environment.

macOS system monitoring with osquery is quick and easy once you understand some SQLite commands.

Learn more about the architecture of the osquery system, how to step up your game, and contribute code.

FAQ for people considering or just getting started with osquery.

Feedback from five major tech firms using osquery on use cases and challenges.

A look at combining the MITRE ATT&CK framework with osquery for Windows.

Osquery’s approach of using SQL SELECT statements to investigate the state of a system makes for an excellent way to quickly add a significant amount of context into a Sensu check.

We'll explore how to set up a simple logging pipeline to detect maliciously downloaded files. If this pipeline detects a malicious file, a Slack alert will be triggered.

Learn how the Adobe security team uses osquery to investigate large groups infrastructure components for initial triage, basic forensic analysis, and proactively detect threats.

Register for this on-demand webinar to learn how to hunt for malware and IOC's using two powerful open source security tools: YARA and osquery

While osquery core is great for querying various system-level data remotely, forensics extensions will give it the ability to inspect to deeper-level data structures.

This is a review of 5 macOS malware techniques; Calisto, Dummy, HiddenLotus, LamePyre, and WireLurker. We'll review how to hunt them using osquery.

When analyzing malware & adversary activity in Windows, DLL injection techniques are commonly used, and there are plenty of resources on how to detect activities. When it comes to Linux, this is less commonly seen in the wild.

The Adobe security team is working on a new approach to DFIR that’s scalable, quick and cost-effective based on OSQuery.

Examples and use cases for osquery's most common table schemas.

SingHealth & Equifax breaches resulted in detailed reports. We'll look at the findings and map them to MITRE ATT&CK framework, then see how osquery could be used to detect these breaches.