- Manufacturer: osquery project
- Version: 4.1.2
- Website: https://osquery.io/
Description
Osquery is a free, open-source operating system instrumentation, monitoring, and analytics framework for Windows, OS X (macOS), Linux, and FreeBSD, originally developed at Facebook. It exposes an operating system as a high-performance relational database: operating system configuration and state data are presented as tables, and users issue SQL-based queries against those tables to collect data about the current state of the system as well as the changes applied to it over time. This makes low-level operating system analytics and monitoring both performant and intuitive.
Data Model Coverage
driver
base_address | fqdn | hostname | image_path | md5_hash | module_name | pid | sha1_hash | sha256_hash | signature_valid | signer |
---|
load | ✓ | ✓ | ✓ | ✓ | ✓ |
unload |
file
company | content | creation_time | file_extension | file_gid | file_group | file_name | file_path | file_uid | file_user | fqdn | hostname | image_path | link_target | md5_hash | mime_type | mode | pid | ppid | previous_creation_time | sha1_hash | sha256_hash | signature_valid | signer | uid | user |
---|
acl_modify |
create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
modify | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
read |
timestomp | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
write | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
flow
application_protocol | content | dest_fqdn | dest_hostname | dest_ip | dest_port | end_time | exe | fqdn | hostname | image_path | in_bytes | network_direction | out_bytes | packet_count | pid | ppid | proto_info | src_fqdn | src_hostname | src_ip | src_port | start_time | tcp_flags | transport_protocol | uid | user |
---|
end | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
message |
start | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
process
access_level | call_trace | command_line | current_working_directory | env_vars | exe | fqdn | guid | hostname | image_path | integrity_level | md5_hash | parent_command_line | parent_exe | parent_guid | parent_image_path | pid | ppid | sha1_hash | sha256_hash | sid | signature_valid | signer | target_address | target_guid | target_name | target_pid | uid | user |
---|
access |
create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
terminate |
Analytic Coverage