osquery.

An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR. Cette notion relève de la catégorie Défense et opérations en cybersécurité.

An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.

osquery is an open-source agent that turns operating-system state into a SQL interface. Originally developed at Facebook and released in 2014, now under the Linux Foundation, it runs on macOS, Linux, Windows, and FreeBSD and exposes hundreds of tables — `processes`, `listening_ports`, `users`, `crontab`, `kernel_extensions`, `firefox_addons`, `chrome_extensions`, `dns_resolvers`, and many more — that a defender can query with familiar SELECTs. osquery can be run interactively (`osqueryi`) or as a daemon (`osqueryd`) that streams the results of scheduled queries to a fleet manager such as Fleet, Kolide, Zentral, or commercial XDRs. Use cases include asset inventory, compliance reporting (CIS Benchmark checks via SQL), threat hunting (e.g. 'show me all processes whose binary path is in a temp directory'), incident response (rapid fleet-wide IOC search), and configuration drift detection. Because the agent does not ship its own detections — only data — osquery is often paired with a separate detection layer (ELK, Sigma, EDR) or with a managed offering. It remains one of the most widely used open-source endpoint visibility tools.

Les défenses contre osquery combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : osqueryd, osqueryi.