Osquery

Osquery is an open source tool that lets you use SQL to query operating systems like a database. When you add the Osquery manager integration to an Elastic Agent policy, Osquery is deployed to all agents assigned to that policy. After completing this setup, you can run live queries and schedule recurring queries for agents and begin gathering data from your entire environment.

Osquery is supported for Linux, macOS, and Windows. You can use it with Elastic Security to perform real-time incident response, threat hunting, and monitoring to detect vulnerability or compliance issues. The following Osquery features are available from Elastic Security:

Osquery Response Actions - Use Osquery Response Actions to add live queries to custom query rules.
Live queries from investigation guides - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues.
Live queries from alerts - Run live queries against an alert’s host to learn more about your infrastructure and operating systems.
Osquery settings - Navigate to Investigations → Osquery to manage project-level Osquery settings.

« Session View Add Osquery Response Actions »