What is osquery?
osquery is an operating system instrumentation, monitoring, and analytics framework that provides a table-like interface to clients' endpoints. It presents the endpoint's operating system as a high-performance relational database, allowing SQL queries to return detailed, organized operating system data. Each of the endpoint tables represent concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and more. This information then can be used for investigation, remediation, and prevention of security threats against the endpoint or endpoints.
Orbital uses osquery as its query engine and makes use of osquery's stock tables in addition to Orbital-specific tables. The results returned through Orbital can be sent to other applications, such as Secure Endpoint™, Secure Malware Analytics™, and Cisco's XDR™ or Secure Client Cloud Management™, and can be stored in remote data stores (RDS), such as Amazon S3™, Microsoft's Azure™, and Splunk™.
All new and updated osquery versions will be listed in the Orbital What's New? topic.
Differences Between Stock and Orbital's osquery
The Orbital-specific variant of osquery has certain features, functions, and tables that have been disabled for security and stability reasons. However, Orbital has added several of its own custom osquery tables and features to enhance osquery's functionality. These new additions include:
-
orbital_environment: This feature returns a list of system environment variables configured on the endpoint.
-
orbital_powershell_events: This feature will return all stored Powershell Event Logs from the endpoint instead of only returning non-evented Powershell Events. This is the default operation.
-
WMI Class querying functionality: Refer to Windows Management Infrastructure Access Through Orbital for more information on supported WMI classes.
You should also refer to Orbital Yara Rules and System Configuration for more information on how Orbital is configured to work with osquery, for each operating system platform.
More Info
-
osquery.readthedocs.io - osquery Documentation