osquery
osquery is an operating system instrumentation, monitoring, and analytics framework that provides a table-like interface to devices in your organization. It presents the operating system as a relational database that allows SQL queries to return operating system data. Each device table represents running processes, loaded kernel modules, open network connections, browser plug-ins, hardware events, file hashes, and more. This information can be used to investigate, remediate, and prevent security threats to the devices.
Orbital uses osquery as its query engine and uses the osquery stock tables and Orbital-specific tables. The results can be sent to other applications like Secure Endpoint, Secure Malware Analytics, and Cisco XDR or Secure Client Cloud Management. You can store the results in remote data stores (RDS), including Amazon S3, Microsoft Azure, and Splunk.
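As an added illustration of the relational interface described above (this query is not from the Orbital documentation), the following osquery SQL joins the stock `processes`, `process_open_sockets` and `hash` tables to list every process holding a remote network connection together with the SHA-256 of its on-disk executable; the loopback-address filter is an assumption made for the example.

```sql
-- Added example, not from the Orbital docs: correlate running processes with
-- their open network connections and the SHA-256 of the executable on disk.
-- All three tables are stock osquery tables; the address filter is an
-- assumption for this example.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  s.remote_address,
  s.remote_port,
  h.sha256
FROM processes AS p
JOIN process_open_sockets AS s
  ON s.pid = p.pid
-- The hash table needs a path constraint; the join on p.path supplies it.
LEFT JOIN hash AS h
  ON h.path = p.path
WHERE s.remote_port != 0                          -- skip listening sockets
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY p.pid;
```

A NULL `sha256` in the result means the executable path could not be read (for example, it was deleted after launch), which is itself worth a second look during an investigation.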
All new and updated osquery versions will be listed in the Orbital Release Notes.
Differences in the Orbital osquery implementation
The Orbital implementation of osquery has certain features, functions, and tables that have been disabled for security and stability reasons. Orbital has added several custom osquery tables and features to enhance osquery functionality. These additions include:
- orbital_environment: This returns a list of system environment variables configured on the device.
- orbital_powershell_events: This returns all stored PowerShell event logs from the device instead of only returning non-evented PowerShell events. This is the default operation.
- WMI Class querying functionality: Refer to Windows Management Infrastructure Access Through Orbital for more information on supported WMI classes.
Refer to Orbital Yara Rules and System Configuration for more information on how Orbital is configured to work with osquery for each operating system platform.
More Info
- osquery.readthedocs.io - osquery documentation.