Osquery is an awesome host instrumentation framework from Facebook. It can instrument Mac, Linux, and Windows servers. It organises system data in tables that you can query using your favourite query language: SQL. You can query for system intruders, system information, compliance, installed apps, running processes, and many more data points.

Osquery exposes system information as a relational database that you can query using SQL, so anyone with basic knowledge of SQL can start using it in minutes. Because osquery uses SQL, you can join multiple tables together to perform detailed analysis, and you can write your own tables if the ones you need do not exist yet. Osquery's SQL dialect is SQLite's, so if you need more information about SQL syntax beyond what is covered in the osquery documentation, give the SQLite documentation a read.

The following are the main reasons why you would want to use osquery:

Flexible: osquery should be flexible enough to meet different use cases, such as intrusion detection, vulnerability management, compliance, or any other use case specific to the end user's domain.

Easy to integrate: it should be a good citizen so that it integrates with existing infrastructure.

Performant and reliable: services should not be impacted by osquery consuming more resources than required.

Simple: users of the tool should work with high-level abstractions that are easy to use, deploy, and maintain.

To use osquery for monitoring your servers, you need to install the osquery agent. Once that is done, you can run SQL queries to fetch the relevant information.
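As an added example (not from the original post), the query below joins the standard osquery tables `processes`, `listening_ports`, and `users` to list every process holding a listening socket together with its owning user, followed by a simple detection for processes whose executable is no longer on disk. It assumes you run it in `osqueryi` or as a scheduled query on a Linux host.

```sql
-- Added example: which processes are listening on the network, and who owns them?
-- Joins three standard osquery tables on pid and uid (SQLite dialect).
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.protocol,          -- numeric IP protocol: 6 = TCP, 17 = UDP
  lp.address,
  lp.port
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port <> 0      -- skip sockets that are not bound to a port
ORDER BY lp.port, p.pid;

-- Added detection example: running processes whose binary has been removed from
-- disk (on_disk = 0 on Linux), a common sign of a dropped-and-deleted payload.
SELECT
  pid,
  name,
  path,
  cmdline,
  uid
FROM processes
WHERE on_disk = 0
  AND path <> '';
```

Schedule either query in an osquery pack to get a differential log each time a new listener or deleted-binary process appears.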