We start with, “What’s wrong?” Then, it’s possible to have an adequate answer to “Why?”. Since monitoring is intrinsically linked to the visibility of the environment, it’s important that we have good questions in mind so that the answers are the most appropriate. Illustration of the tables available through Osquery’s official site A breakdown of the Osquery tables can be found on the official Osquery page. Currently, Osquery has 273 tables (and this changes and increases all the time), which in combination with the queries, can answer countless questions about the environment so that, through FleetDM, you can maintain continuous monitoring through scheduled queries. By having centralized management, we can have efficient monitoring for hundreds of endpoints through the queries made to Osquery.
KOLIDE OSQUERY FULL
The fact is that Osquery doesn’t provide a server or even a GUI (an acronym for Graphical User Interface) for easy management. While Osquery brings the necessary visibility into endpoints so that it can assist Information Security or IT teams and can provide a robust query mechanism to expose information, this is usually not enough for it to be used in proper monitoring. What is the hardware configuration of the endpoint?.
KOLIDE OSQUERY WINDOWS
Windows OS endpoints have which KBs installed?.In addition, visibility will allow you to better understand the environment in order to answer questions such as: The visibility capability is critical not only for monitoring but also for making decisions when something is off track. Osquery can provide a very clear view, ensuring the state of the endpoints as well as whether they are working properly. As a consequence, some teams don’t know exactly which endpoints are in their environment, or even the physical configuration of each of them, what programs are running, or if the operating system updates are kept up to date. Visibility and MonitoringĪs already mentioned at the beginning of this article, a common problem in organizations is the low visibility of their endpoints. If it’s not quite clear yet, we will elaborate on these possibilities in the topics of monitoring and anomaly detection. These can be used minimally to improve the logs in a SIEM and build use cases. Now it may be easier to see the tool’s potential and what we can try to generate with the inputs from the results. And this is just the tip of the iceberg for what Osquery can do as a monitoring and anomaly detection tool. In the example shown above, you can see the result of a simple query that provides details of users ‘logged in’ to the operating system in question. Demo of a Query on ‘Logged On’ Users on Windows Operating System Next, we see a query referring to the table “logged_in_users,” representing users ‘logged in’ to the operating system. In Osquery, the tables correspond to a certain set of data representing components and OS states with the respective attributes of the objects. For example, with it, you can monitor the integrity of files, socket connections, running processes, and much more. This behavior opens up a huge range of query possibilities that can return valuable information about the system’s state. All this occurs through SQL queries, similar to what is done when a database is queried. Basically, it makes it possible to understand a particular operating system that is running and what is happening on a machine.
Osquery is a tool that allows you to monitor the operating system and several of its attributes and configurations differently. The main problem is that we can’t always find low-cost tools to meet this need.įortunately, in the middle of 2014, Facebook released an open-source tool called Osquery that makes it possible to meet this need and can be used for monitoring security anomalies, checking compliance and security policies, performance analysis, or even in the response and analysis of a security incident. This happens because of the importance that a real-time view can provide for a company’s defensive security teams. It’s very common these days to want to have visibility into the technology assets or endpoints of a network, especially when there’s a concern with security and their respective monitoring.