What is osquery?

Adam Roeckl - September 10, 2024

In modern enterprise environments, numerous devices can connect to an organization’s infrastructure and networks. IT and security teams are tasked with tracking and gathering information from each of these devices, and doing this at scale is typically cumbersome and resource-intensive, particularly in organizations supporting multiple operating systems and devices.

Using a tool like osquery, you can add a new set of capabilities to any team’s cybersecurity toolkit through a familiar SQL-based syntax that slots into existing software development and review processes.

In this article, we’ll discuss osquery and its core functionalities. We’ll also look at use cases and best practices, examining how you can further leverage the data gained from osquery with an IT automation solution.

What is osquery?

Engineers at Facebook (now Meta) developed osquery to make operating system state observable at scale for monitoring and analytics. It was released as open source in 2014 and is now hosted by the Linux Foundation. Osquery exposes operating system data as virtual SQL tables built on SQLite, so the same standard SQL is used to inspect a laptop, a server, or a workstation regardless of operating system. Importantly, that gives a unified interface for endpoint monitoring and security investigation: different devices and operating systems can be inspected with the same queries.

Osquery exposes system state as tables that are populated on demand when queried: tables of users, running processes, installed packages, listening sockets, hardware physically connected to the device, and hundreds more. A core set of tables is available on every platform, while many others are platform-specific; the published schema lists which platforms support each table and column. Osquery supports macOS, Linux, Windows, and FreeBSD, so one tool and one query language can cover all the endpoint devices in your network. It ships as a single lightweight agent with two binaries: osqueryi, an interactive shell for ad hoc queries, and osqueryd, a daemon that runs scheduled queries and logs the results.

Learn More

Discover how CrowdStrike Falcon® for IT can help unify IT and security by breaking down silos between information technology and cybersecurity. White Paper: 3 Ways To Transform Security Operations with IT Automation

Core functionalities

Osquery offers several key functionalities to help you quickly explore endpoint devices in your organization. It saves IT and cybersecurity teams countless hours of manual effort.

SQL-based queries

A key feature of osquery is that it uses standard SQL (SQLite syntax) to fetch information from endpoint devices. Queries are plain text, so they can be version-controlled, tested, and reviewed just like application source code. This lets teams reuse queries and scale their data gathering across many devices, and because the tables abstract over the operating system, an analyst does not need to know each platform's native tooling (which command lists listening sockets on Windows versus Linux, for example) to ask the same question everywhere.

For more information, refer to the osquery documentation for crafting queries.

Real-time monitoring

The osqueryd daemon runs a configured set of queries on a schedule (each with its own interval in seconds) and, by default, logs the difference between successive runs: rows that appeared and rows that disappeared. Scheduled queries therefore become a continuous record of change on every endpoint running the daemon. For activity that happens between runs, event-based tables such as process_events and file_events buffer events from the operating system's audit or file-system notification facility so the next scheduled run picks them up; event publishing must be enabled in the daemon's flags for these tables to populate.

Extensibility

Osquery is extensible through a Thrift-based extensions API. An extension is a separate process that registers with the running osqueryd or osqueryi and can contribute new tables, alternative configuration sources, and logger plugins; officially supported SDKs exist for Python and Go. Teams use this to expose data the built-in tables do not cover, such as the state of an in-house agent or application, while keeping the query interface the same for every consumer.

Integration capabilities

Osqueryd writes query results as JSON, one result object per line, through a logger plugin: to a local file, to syslog, or directly to a remote endpoint over TLS and to services such as AWS Kinesis and Firehose. Each result carries the host identifier, the query name, a timestamp, and (for differential logs) whether the row was added or removed, so the data can be shipped into a SIEM or incident management tool and correlated with other telemetry.

Key use cases

Osquery’s capabilities and extensibility are helpful in many use cases, particularly regarding system auditing, security monitoring, compliance, and incident response.

System auditing

With osquery, your team can write queries that encode a device's expected state: the required software, configurations, and settings of a secure baseline. Written so that a returned row is a deviation (or, for reporting, a pass/fail result per control), these queries give teams a scalable way to audit endpoints against the organization's security policy across operating systems and device types.

Security monitoring

Osquery gives cybersecurity teams visibility into every host running its agent, helping them actively monitor for anomalies and potential security incidents. Scheduled queries over inventory tables are particularly good at catching unapproved software installations and physically attached devices such as USB drives, both of which are easy to miss without continuous monitoring.
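The following is an added example serving both the real-time monitoring and security monitoring sections above; it is not code from the page or from the osquery project. The first statement reports removable USB devices whose serial number is not on an approved list (the serials are constructed placeholders), and the second takes a software inventory. Run by osqueryd on a schedule, both are logged differentially, so each unapproved device that is plugged in and each package that is installed or removed shows up once as an added or removed row instead of the whole list being repeated every run.

```sql
-- Removable USB devices not on the approved list.
-- The serial numbers are placeholders for this example; substitute the fleet's allowlist.
SELECT
  vendor,
  vendor_id,
  model,
  model_id,
  serial,
  usb_port
FROM usb_devices
WHERE removable = 1
  AND serial NOT IN ('ACME-ENC-0001', 'ACME-ENC-0002')
  AND serial != '';   -- some hubs and card readers report no serial; review those separately

-- Installed packages on Debian-family Linux. Scheduled with the default differential
-- logging, only packages added or removed since the previous run are emitted.
-- Use rpm_packages, apps, or programs for RPM-based Linux, macOS, or Windows respectively.
SELECT name, version, arch
FROM deb_packages;
```

In an osqueryd configuration each statement goes under the "schedule" key as a named query with an "interval" in seconds; a short interval (a minute or two) suits the USB query, while a package inventory can run far less often. The usb_devices table is only as good as the serial the device reports, so a blank or duplicated serial should be treated as a finding rather than silently allowed.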

Compliance

In many regulated industries, organizations must demonstrate that their systems meet organizational or regional security standards. Osquery's SQL queries give an efficient and reusable way to gather the evidence for compliance reporting, and because the same queries run across the devices and operating systems in the organization, they replace hours of manual, tedious, and error-prone collection. Osquery dramatically simplifies the task of generating reports to meet compliance standards.
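One statement that serves both the system auditing and compliance sections above, added here as an example rather than taken from the page or the osquery project: it emits one row per control with a pass/fail result. Filtering on result = 'fail' gives an audit of deviations; shipping every row gives the compliance evidence. The control names are this example's own labels, not osquery or benchmark identifiers, and the disk_encryption and sudoers tables make it a macOS/Linux query (on Windows, bitlocker_info replaces the encryption check and the sudo control does not apply).

```sql
-- Baseline report: one row per control, pass or fail, tagged with the hostname.
-- Control names are labels chosen for this example.
SELECT
  (SELECT hostname FROM system_info) AS host,
  'boot_volume_encrypted' AS control,
  CASE WHEN EXISTS (SELECT 1 FROM disk_encryption WHERE encrypted = 1)
       THEN 'pass' ELSE 'fail' END AS result
UNION ALL
SELECT
  (SELECT hostname FROM system_info),
  'single_uid0_account',           -- only root may have uid 0
  CASE WHEN (SELECT count(*) FROM users WHERE uid = 0 AND username != 'root') = 0
       THEN 'pass' ELSE 'fail' END
UNION ALL
SELECT
  (SELECT hostname FROM system_info),
  'no_passwordless_sudo',          -- no NOPASSWD rules anywhere in sudoers
  CASE WHEN (SELECT count(*) FROM sudoers WHERE rule_details LIKE '%NOPASSWD%') = 0
       THEN 'pass' ELSE 'fail' END
UNION ALL
SELECT
  (SELECT hostname FROM system_info),
  'root_has_no_authorized_keys',   -- no SSH keys installed for uid 0
  CASE WHEN (SELECT count(*) FROM authorized_keys WHERE uid = 0) = 0
       THEN 'pass' ELSE 'fail' END;
```

Because a report should show the full state on every run rather than only what changed, schedule it with "snapshot": true in the osqueryd configuration; the default differential logging would otherwise suppress a control that has been failing unchanged since the last run.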

Incident response

The observability osquery provides is invaluable for incident response. By crafting ad hoc queries during an investigation, security teams can check every host for a given indicator (a file hash, a process name, a remote address, a persistence mechanism) and quickly find which systems are affected or already showing suspicious behavior.
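Three hunting queries of the kind described above, added as an example here and not taken from the page or the osquery project. The SHA-256 value and the remote address are placeholders (the address is from the reserved documentation range) standing in for the indicators an actual incident would supply.

```sql
-- 1. Running processes whose executable matches a hash from the incident.
--    The hash table only computes digests for the paths it is constrained to, so
--    joining on processes.path keeps the cost to one hash per distinct running binary.
SELECT p.pid, p.name, p.path, p.cmdline, p.parent, p.start_time, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.path != ''
  AND h.sha256 = 'REPLACE-WITH-INCIDENT-SHA256';   -- placeholder indicator

-- 2. Processes whose binary no longer exists on disk, a common trace of a dropper
--    that deleted itself after launching. on_disk = 0 means the path was not found.
SELECT pid, name, path, cmdline, parent, uid
FROM processes
WHERE on_disk = 0;

-- 3. Open sockets to an address from the incident's indicator list, with the owning process.
SELECT p.pid, p.name, p.path, s.local_port, s.remote_address, s.remote_port, s.state
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.remote_address = '203.0.113.10';            -- placeholder from the documentation range
```

Fleet managers push queries like these to every host at once through osquery's distributed query plugin and collect the results centrally, which is how a single indicator is checked across the estate in minutes; the same statements run unchanged in osqueryi on one suspect machine.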

Best practices for using osquery

Below are the essential best practices when running osquery.

  • Craft and test queries for efficiency: When running queries on endpoint devices, it's essential to assess their performance impact. Depending on complexity and execution frequency, a query can noticeably load a device, so organizations must weigh each query's cost against the information gained. Osqueryd's watchdog enforces CPU and memory limits on the worker process and temporarily denylists a scheduled query that repeatedly exceeds them, so an expensive query silently stops producing results rather than degrading the host; the osquery_schedule table reports per-query execution counts, wall time, and average memory for tuning.
  • Continuously monitor and adjust queries: Continuously monitoring, reviewing, and adjusting queries based on emerging and evolving threats is essential to ensure that your queries effectively detect these new threats.
  • Combine osquery with other security tools: Combining osquery with other security tools enhances its capabilities and your visibility of endpoint devices. You can achieve this by shipping osquery’s output data to other security platforms to organize, monitor, and respond effectively.
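A check a practitioner would keep alongside these practices, added here as an example and not taken from the page: the osquery_schedule table in osqueryd exposes the cost of every scheduled query, so the most expensive ones can be found and re-tuned before the watchdog denylists them.

```sql
-- Per-query cost of the running schedule, most expensive first.
-- wall_time, user_time and system_time are cumulative, so they are divided by
-- executions for a per-run figure. denylisted = 1 means the watchdog has stopped
-- running the query after it exceeded the configured limits.
SELECT
  name,
  interval,
  executions,
  denylisted,
  output_size,
  average_memory,
  CASE WHEN executions > 0 THEN wall_time / executions ELSE 0 END AS avg_wall_time,
  CASE WHEN executions > 0 THEN (user_time + system_time) / executions ELSE 0 END AS avg_cpu_time
FROM osquery_schedule
ORDER BY avg_cpu_time DESC, average_memory DESC
LIMIT 10;
```

The table reflects the daemon's own schedule, so run it against osqueryd (as a scheduled query itself, or from osqueryi connected to the daemon's extension socket) rather than in a standalone shell, where the schedule is empty. On releases that predate the column rename, the denylisted column is named blacklisted.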

Learn More

Watch our on-demand CrowdCast to discover how CrowdStrike Falcon® for IT and the unified AI-native CrowdStrike Falcon platform, with its single agent and console, helps your organization save valuable time and money by consolidating point products and breaking down barriers between IT and security. CrowdCast: Introducing the Next Generation of IT Automation

Leverage osquery data with IT automation solutions

Osquery is a powerful device monitoring and analytics solution that organizations can use to understand the endpoint devices running on their network. Its key feature is the ability to query devices with a SQL-like language. With this device data, teams can complete real-time IT operations, security monitoring, and compliance activities in an automated fashion, saving them countless hours.

You can further enhance the data gained from osquery with CrowdStrike Falcon® for IT, a module that infuses AI and automation into daily IT and security workflows. Part of the AI-native CrowdStrike Falcon® platform, Falcon for IT allows teams to query their entire IT environment using osquery and generate fast, actionable insights that help improve decision-making.

To learn more about how Falcon for IT can help your organization break down barriers between IT and security teams, consolidate point products, and achieve superior ROI, visit our website and schedule a demo today.

GET TO KNOW THE AUTHOR

Adam Roeckl is a Sr. Product Marketing Manager at CrowdStrike focusing on IoT/OT Security and Risk Management. Throughout his career in cybersecurity, Adam has built expertise in Security Operations, Threat Intelligence, Managed Security Services, Network Security, and AI/ML. Prior to CrowdStrike, he held Product Marketing roles at Palo Alto Networks and Zscaler. Adam holds a B.A. in Economics and Business Legal Studies from Miami University of Ohio and is now a resident of Golden, CO.