What Is osquery?

osquery is an operating system instrumentation, monitoring, and analytics framework that provides a table-like interface to clients' endpoints. It presents the endpoint’s operating system as a high-performance relational database, allowing SQL queries to return detailed, organized operating system data. Each of the endpoint tables represent concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and more. This information then can be used for investigation, remediation, and prevention of security threats against the endpoint or endpoints.

Orbital uses osquery as its query engine and makes use of osquery’s stock tables in addition to Orbital-specific tables. The results returned through Orbital can be sent to other applications, such as Secure Endpoint™, Secure Malware Analytics™, and Cisco’s XDR™ or SecureX™, and can be stored in remote data stores (RDS), such as Amazon S3™, Microsoft’s Azure™, and Splunk™.

All new and updated osquery versions are listed in the Orbital What’s New? topic.

Differences Between Stock and Orbital’s osquery

The Orbital-specific variant of osquery has certain features, functions, and tables that have been disabled for security and stability reasons. However, Orbital has added several of its own custom osquery tables and features to enhance osquery’s functionality. These new additions include:

You should also refer to Orbital Yara Rules and System Configuration for more information on how Orbital is configured to work with osquery, for each operating system platform.

More Info

Return to Table of Contents