Osquery is an operating system instrumentation framework that exposes the operating system as a high-performance relational database, so you can write SQL queries to explore operating system data (processes, users, listening ports, installed packages and so on). It was originally developed by Facebook and later joined the Linux Foundation.
Once it is configured properly, osquery is a good fit for host-based intrusion detection (HIDS): the same scheduled queries can run on thousands of machines at once, each one reporting its results back to a central collector. Adding analytics and alerting on top of the osquery logs is what turns that data into quick detection and response.
In practice, osquery is an agent that sits on your machines (Linux, Windows, macOS) and ships its query results to your central server for security analytics and monitoring. It treats each machine as a SQL database and gives you SQL query syntax to pull information out of it. You can use osquery in two ways:
osqueryd: the daemon. It runs the queries in its schedule in the background and writes the results to the configured logger (by default the filesystem logger, which writes a results log on disk), from where they can be forwarded to a SIEM. Scheduled queries are differential by default: each run logs only the rows that were added or removed since the previous run, unless the query is marked as a snapshot.
osqueryi: the interactive shell. You run queries by hand and see the results right there in the shell, which is the quickest way to test a query before scheduling it in osqueryd.
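To make the two halves of the daemon workflow concrete, here is an added example (not code from the original page, and not part of osquery or easySIEM): a constructed osquery.conf fragment with one differential and one snapshot query, a parser for the JSON-lines result log that osqueryd writes, and a small detection rule of the kind a SIEM would run over those results. The hostname, timestamps, rows and the EXPECTED_LISTENERS allow-list are invented for the example; the record fields used (name, hostIdentifier, unixTime, columns, action, snapshot) are the ones osqueryd emits.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed osquery.conf fragment (not a real deployment): two scheduled queries.
# "interval" is in seconds. The first is differential (osqueryd logs only rows that
# appeared or disappeared since the last run); "snapshot": true makes the second one
# log its full result set on every run.
SAMPLE_CONFIG = """{
  "options": {"logger_plugin": "filesystem", "logger_path": "/var/log/osquery"},
  "schedule": {
    "listening_ports": {
      "query": "SELECT p.name, p.path, lp.port, lp.address FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0;",
      "interval": 60
    },
    "os_version_snapshot": {
      "query": "SELECT name, version, platform FROM os_version;",
      "interval": 3600,
      "snapshot": true
    }
  }
}"""

# Constructed lines in the shape osqueryd's filesystem logger writes to
# osqueryd.results.log: one JSON object per line. Differential rows carry "columns"
# plus "action" ("added"/"removed"); snapshot runs carry all rows in "snapshot".
# Hostname, timestamps and rows are invented for this example.
SAMPLE_RESULTS_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":1,"columns":{"name":"sshd","path":"/usr/sbin/sshd","port":"22","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":1,"columns":{"name":"nc","path":"/usr/bin/nc","port":"4444","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":1,"columns":{"name":"nginx","path":"/usr/sbin/nginx","port":"80","address":"0.0.0.0"},"action":"removed"}
{"name":"os_version_snapshot","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,"epoch":0,"counter":0,"action":"snapshot","snapshot":[{"name":"Ubuntu","version":"22.04.3 LTS (Jammy Jellyfish)","platform":"ubuntu"}]}
not json: a torn line from log rotation must be skipped, not crash the collector
"""


def scheduled_queries(config_text: str) -> dict[str, str]:
    """Map scheduled query name -> SQL, as osqueryd reads it from the config."""
    return {name: entry["query"] for name, entry in json.loads(config_text)["schedule"].items()}


@dataclass
class Event:
    """One normalised result row, ready to index in a SIEM or match against rules."""
    query: str
    host: str
    unix_time: int
    action: str           # "added", "removed" or "snapshot"
    columns: dict[str, str]


def parse_results_log(text: str) -> list[Event]:
    """Turn osqueryd result log lines into one Event per row (snapshots are unrolled)."""
    events: list[Event] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: drop it rather than stop the pipeline
        common = dict(query=rec.get("name", ""), host=rec.get("hostIdentifier", ""),
                      unix_time=int(rec.get("unixTime", 0)))
        if rec.get("action") == "snapshot":
            for row in rec.get("snapshot", []):
                events.append(Event(action="snapshot", columns=row, **common))
        elif "columns" in rec:
            events.append(Event(action=rec.get("action", ""), columns=rec["columns"], **common))
    return events


# Hypothetical allow-list of processes expected to hold listening sockets on web hosts.
EXPECTED_LISTENERS = {"sshd", "nginx"}


def detect_unexpected_listeners(events: list[Event]) -> list[dict]:
    """Alert on newly added listening sockets owned by a process outside the allow-list.
    Every column value in osquery logs is a string ("4444", not 4444), so cast
    before comparing numerically."""
    alerts = []
    for ev in events:
        if ev.query != "listening_ports" or ev.action != "added":
            continue
        proc = ev.columns.get("name", "")
        if proc in EXPECTED_LISTENERS:
            continue
        alerts.append({"host": ev.host, "process": proc, "path": ev.columns.get("path", ""),
                       "port": int(ev.columns.get("port", "0")), "unix_time": ev.unix_time})
    return alerts


if __name__ == "__main__":
    print(scheduled_queries(SAMPLE_CONFIG))
    for alert in detect_unexpected_listeners(parse_results_log(SAMPLE_RESULTS_LOG)):
        print("ALERT", alert)
```

Two points worth carrying over to a real deployment: the "removed" row for nginx is just as interesting as the "added" row for nc (a web server that stopped listening is a signal too), and because differential logging only reports changes, a rule that needs the current full state of a host must either consume a snapshot query or rebuild state from the added/removed stream.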
In the following sections we will cover how to integrate osquery with the easySIEM platform and make use of its logs there.