osquery is a universal, lightweight, highly configurable endpoint agent which can collect and normalize data across macOS, Linux, Windows and container environments. First released by Facebook, the osquery project is today managed by The Linux Foundation and is widely adopted by IT security teams looking for an open platform for endpoint visibility. osquery increases visibility across your infrastructure, giving you the power to ask questions across any machine using SQL, such as “Which machines are running vulnerable software packages?” and “Where else are we seeing this malicious process?” In addition to its extensible nature, osquery also brings a unique richness to the data it extracts from endpoints, providing depth of visibility that cannot be accomplished with standard log files alone.

osquery Offers A Variety Of Security, DevOps & IT Uses:

  • Intrusion detection and threat hunting
  • Malware and vulnerability monitoring
  • Security configuration management
  • Attestation for compliance and audit checks
  • Post-deployment infrastructure monitoring
  • User and unknown login visibility
  • Software and hardware inventory

How osquery Works

osquery is a small endpoint agent that makes your entire system configuration and runtime state available for query through an SQL interface, including a real-time stream of events. With osquery, you can run SQL queries that retrieve information from system calls, system APIs, configuration files, and your filesystem directly, across your entire fleet of laptops, servers, or containers. You can schedule these queries to run periodically and have the results delivered to your storage destination of choice, including files, sockets, AWS Kinesis, or Apache Kafka, for alerting and after-the-fact investigation.

osquery can subscribe to event sources such as Audit, eBPF tracepoints, and inotify to immediately detect new processes, network activity, and file changes. These events can be streamed to your specified destination for detection and investigation purposes. You can also run ad-hoc queries through your fleet manager to investigate your system in real time.

osquery’s communication to the fleet manager is only via outgoing connections to a server specified at install time, and it does not listen on any network ports. osquery deploys with a watchdog that enforces CPU and memory limits on the osquery worker process. The amount of data collected is completely configurable by adjusting your scheduled queries and event configuration.
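The pieces described above (scheduled queries, event subscriptions, a file logger destination and watchdog limits) come together in a single osqueryd configuration. The following osquery.conf is an added example written for this page, not configuration taken from the osquery project or from Uptycs; it assumes a Linux host using the Audit event backend, the filesystem logger writing to /var/log/osquery, and intervals chosen for illustration. Package inventory is collected as a snapshot so that version matching against vulnerability data can happen centrally, while the event-backed queries only report rows that were added.

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "host_identifier": "hostname",
    "schedule_splay_percent": "10",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_process_events": "true",
    "audit_allow_sockets": "true",
    "events_expiry": "3600",
    "events_max": "50000",
    "watchdog_level": "0",
    "watchdog_memory_limit": "250",
    "watchdog_utilization_limit": "60"
  },
  "schedule": {
    "package_inventory": {
      "description": "Daily snapshot of installed Debian packages for central vulnerability matching",
      "query": "SELECT name, version, source FROM deb_packages;",
      "interval": 86400,
      "snapshot": true
    },
    "new_processes": {
      "description": "Process executions captured from the Audit subscriber; only added rows are logged",
      "query": "SELECT pid, parent, uid, path, cmdline, time FROM process_events;",
      "interval": 30,
      "removed": false
    },
    "outbound_connections": {
      "description": "Outbound connect() calls with the initiating binary",
      "query": "SELECT pid, path, remote_address, remote_port FROM socket_events WHERE action = 'connect';",
      "interval": 60,
      "removed": false
    },
    "etc_changes": {
      "description": "Changes under /etc from the inotify subscriber, with hash of the new content",
      "query": "SELECT target_path, category, action, sha256, time FROM file_events;",
      "interval": 60,
      "removed": false
    },
    "logged_in_users": {
      "description": "Interactive and remote sessions present at query time",
      "query": "SELECT type, user, tty, host, time FROM logged_in_users;",
      "interval": 300,
      "snapshot": true
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  }
}
```

The watchdog values cap the worker at roughly 250 MB of memory and a fixed CPU utilization budget, restarting it if either is exceeded, so a runaway query degrades collection rather than the host.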

How Uptycs Supports And Uses osquery

Uptycs developers and engineers contribute features and bug fixes to the open source osquery project. Fun fact—way back in 2017, we contributed the original Docker tables extending osquery to containers. More recently, we’ve open-sourced two osquery extensions:

  • Cloudquery: extends osquery for AWS, GCP & Azure account services data
  • Kubequery: extends osquery for K8s cluster data

We have plans to release additional extensions in the future to broaden osquery’s visibility across the modern attack surface to include Identity Provider and SaaS Provider telemetry. To support the ongoing education and evangelism of osquery, we also host the annual osquery@scale conference, bringing osquery practitioners together with their osquery-curious peers for meaningful knowledge exchange focused on production use cases.

When it comes to the Uptycs Security Analytics Platform, osquery provides the foundational telemetry for endpoints and containers that, when augmented by cloudquery and kubequery, forms the basis of our telemetry-powered security offering for Cloud Workload Protection, Cloud Security Posture Management, eXtended Detection & Response, Insight & Inventory, and Audit, Compliance & Governance. For the Uptycs Security Analytics Platform, we’ve enhanced the osquery agent—optimizing it for scale, reliability and performance.
