OsQuery

Basics of OsQuery

Introduction

From the OsQuery Github: "osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema."

Installation

There are multiple different ways to install OsQuery. If you are utilizing Security Onion, it comes with a pre-built installer for OsQuery which can be run on any desired machine. Be careful: this installer uses the IP of the Security Onion sensor, so if your sensor is behind a NAT, the installer will not work out of the box and you will have to follow the guide linked below for more specific install instructions.

Below is a link to the OsQuery documentation on how to install it on different operating systems.

Installing OsQuery

Querying

As stated in the introduction, OsQuery allows you to query a workstation like a SQL database. Below is a simple guide on how to write queries in OsQuery.

SQL Introduction

It is highly recommended that you read the OsQuery documentation, as it is a very versatile tool with a great deal of functionality that is not covered here.