osquery/osquery

Performant endpoint visibility


Query your devices like a database

Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
  name = Drop_Agent
  path = /Users/jim/bin/dropage
   pid = 561

Processes running without a binary on disk

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted, which could be an indicator of a suspicious process.
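The same deleted-binary check, extended as an added example (not code from the osquery project) with the owning user and the parent process, which is the context an analyst wants before triaging a hit. It assumes osquery's standard processes and users tables and the on_disk encoding 1 = present, 0 = deleted, -1 = unknown.

```sql
-- Added example: enrich the deleted-binary hit with who owns it and what spawned it.
-- Filtering on an explicit 0 matters: "on_disk != 1" would also sweep in -1 (unknown),
-- which is common for kernel threads and processes osquery lacks permission to inspect.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,                                   -- owning user, resolved from p.uid
  pp.name AS parent_name,                       -- what launched it
  pp.path AS parent_path,
  datetime(p.start_time, 'unixepoch') AS started -- SQLite function; osquery is SQLite-based
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE p.on_disk = 0;
```

Run it interactively in osqueryi, or schedule it in the osqueryd configuration so each new hit is written to the results log for your SIEM to pick up.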

See Available Tables

Three things you should know about osquery

It's fast and tested

Our build infrastructure ensures that newly introduced code is benchmarked and tested. We perform continuous testing for memory leaks, thread safety, and binary reproducibility on all supported platforms.

View the Code

It runs everywhere

Windows, macOS, CentOS, and almost every Linux OS released since 2011 are supported with no dependencies. osquery powers some of the most demanding companies, including Facebook.

Download Osquery

It's open source

Osquery is released under the Apache License. Ever since we open-sourced it in 2014, organizations and individuals have contributed an ever-growing list of impressive features, useful tools, and helpful documentation.

Read Community Articles

Upcoming Community Events

See events related to Osquery that are being held in the near future.

Featured Community Projects

A curated list of community projects to help you use and extend osquery.

fleetdm / fleet (4691 stars): Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

palantir / osquery-configuration (843 stars): A repository for using osquery for incident detection and response

teoseller / osquery-attck (790 stars): Mapping the MITRE ATT&CK Matrix with Osquery

zentralopensource / zentral (783 stars): Zentral is a high-visibility platform for controlling Apple endpoints in enterprises. It brings great observability to IT and makes tracking & reporting compliance much less manual.

kolide / launcher (520 stars): Osquery launcher, autoupdater, and packager

jmpsec / osctrl (433 stars): Fast and efficient osquery management

osquery / osquery-go (407 stars): Go bindings for osquery

osquery / osquery-python (297 stars): Python bindings for osquery's Thrift API

trailofbits / osquery-extensions (264 stars): osquery extensions by Trail of Bits

Additional Resources

You're not alone when using osquery. Please use one of the resources below to reach out for help with installing, deploying, and using osquery.