Osquery has become a popular source of instrumentation for a wide variety of use cases. On github security showcase, it is currently among the top most popular open source security projects. Given the popularity, a recurring question is what use cases can one address with osquery in an enterprise environment?
In this blog, I’ll discuss:
- Key attributes of osquery that make it an excellent universal agent of choice for collecting telemetry for multiple use cases
- Considerations for operationalizing osquery and collecting high volume telemetry from an endpoint and aggregation at scale across many endpoints
- Components of a solution for osquery-powered security analytics
Osquery: A Universal open source agent
Osquery is well-documented. In this blog, I’ll touch on a few key attributes of osquery that make it a pragmatic universal open source agent. As you explore osquery further and understand the depth and breadth of the collected data, you will realize the possible use cases are limited only by your imagination.
- Osquery interfaces with the kernel (e.g., openbsm, kaudit, etw) to capture kernel behavioral activity/events (e.g., processes launched, socket connections, file changes). This is done via event tables. The events and attributes provide a reliable source of telemetry for detecting intrusion and malicious behavior on an endpoint. These tables lay a sound foundation for Osquery-based EDR and FIM solutions.
- Osquery can scrape point-in-time OS state via scheduled queries. The queries can be scheduled to run as snapshot or differential (i.e., only changes are (Read more...)
*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Ganesh Pai. Read the original post at: https://www.uptycs.com/blog/osquery-security-use-cases-and-solutions