osquery.

An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR. It belongs to the Defense & Operations category of cybersecurity.

An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.

osquery is an open-source agent that turns operating-system state into a SQL interface. Originally developed at Facebook and released in 2014, now under the Linux Foundation, it runs on macOS, Linux, Windows, and FreeBSD and exposes hundreds of tables — `processes`, `listening_ports`, `users`, `crontab`, `kernel_extensions`, `firefox_addons`, `chrome_extensions`, `dns_resolvers`, and many more — that a defender can query with familiar SELECTs. osquery can be run interactively (`osqueryi`) or as a daemon (`osqueryd`) that streams the results of scheduled queries to a fleet manager such as Fleet, Kolide, Zentral, or commercial XDRs. Use cases include asset inventory, compliance reporting (CIS Benchmark checks via SQL), threat hunting (e.g. 'show me all processes whose binary path is in a temp directory'), incident response (rapid fleet-wide IOC search), and configuration drift detection. Because the agent does not ship its own detections — only data — osquery is often paired with a separate detection layer (ELK, Sigma, EDR) or with a managed offering. It remains one of the most widely used open-source endpoint visibility tools.

Defences for osquery typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: osqueryd, osqueryi.