Osquery powers Kolide

Facebook's open-source security solution

Developed at Facebook, osquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Learn more at osquery.io

Why osquery?

  • Battle Tested Scalability

    Running on hundreds of thousands of endpoints, osquery sets the bar for performance at scale — Whether you are a startup or Fortune 100 company.

  • ####

    Transparency via Open Source

    100% community vetted, open source codebase. No wizard behind the curtains, no secret sauce. Security you can scrutinize.

  • Platform Agnostic

    Manage all of your endpoints in one place. Windows, Linux, Mac, all in the same dashboard. Streamline your security pipeline.

What does osquery do?

Experience Osquery

The best way to understand how osquery works is to see it in action. Below we have a faux interactive osquery console. Explore relevant example queries on the right.

  • Tab security Security
  • Tab compliance IT/Compliance
  • Tab devops DevOps

KeRanger is a ransomware that infected users who installed a specific release of the mac torrent client Transmission.app, this query looks for the presence of a known process name.

Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted or modified (which could be an indicator of a suspicious process).

On endpoints with well-defined behavior, the security team can use osquery to find any processes that do not fit within whitelisted network behavior, e.g. a process scp’ing traffic externally when it should only perform HTTP(s) connections outbound.


FROM processes

WHERE name = 'kernel_service';

SELECT name, path, pid

FROM processes

WHERE on_disk = 0;

SELECT s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port

FROM process_open_sockets s JOIN processes p ON s.pid = p.pid

WHERE remote_port NOT IN ( 80, 443 ) AND family = 2;

The application layer firewall allows macOS to control connections made to your computer from other computers on your network. Here we check to see if the firewall is currently enabled.

Knowing what apps are installed on an endpoint is often not enough, here we ask osquery to show us all hosts running a deprecated version of Adobe Acrobat with a known hijacking vulnerability.

Disk encryption is an organizational policy for many companies, this query returns hosts whose primary disk is currently unencrypted.


WHERE global_state = 0;

SELECT bundle_version FROM apps

WHERE name LIKE "Adobe Acrobat.app"

AND bundle_version <= "15.0.0";

SELECT * FROM mounts m, disk_encryption d

WHERE m.device_alias = d.name

AND m.path = "/"

AND d.encrypted = 0;

Critical processes require persistent uptime, using osquery we can check to see whether the Apache process is running on our web server.

Whether auditing or investigating, having access to historical user session data allows us to see where specific logins have occurred within your infrastructure.

The easiest way to troubleshoot resource utilization is to see it broken down by process across your fleet. Here we ask for the top 3 resource intensive processes currently running.


FROM processes

WHERE name LIKE "%Apache%";


WHERE username = "root"

AND time > (( SELECT unix_time FROM time ) - 3600 );

SELECT name, ROUND(SUM( resident_size ) * 1.0 / 1024 / 1024 / 1024, 2)

AS used_memory, ROUND(SUM( resident_size ) * 1.0 / system_info.physical_memory * 100, 2)

AS percentage, (system_time) + SUM(user_time)

AS cpu_time FROM processes, system_info

GROUP BY processes.pgroup

ORDER BY used_memory DESC LIMIT 3;

Different machines@4x

A lightweight, performant agent for every need.

Run osquery across every host in your organization

  • SQL Based Input

    Osquery utilizes basic SQL commands to leverage its relational data model. This makes crafting queries a simple and straight-forward process. Join tables for complex queries and reveal insights that aren't available with any other endpoint agent.

  • Different machines@4x
  • Persistent or Ad Hoc

    Build queries that run continuously to monitor critical systems and processes, or write queries on the fly to explore live issues in your infrastructure. Osquery allows the freedom to investigate and monitor your endpoints, your way.

  • Miniscule Footprint

    So small you'll forget it's there. Osquery was designed with performance in mind, and runs with very little overhead. Safety mechanisms ensure that your production workload comes first.

More osquery questions?

Choose from one of the many resources: