osquery
What is osquery?
An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.
osquery is an open-source agent that turns operating-system state into a SQL interface. Originally developed at Facebook and released in 2014, and hosted by the Linux Foundation since 2019, it runs on macOS, Linux, Windows, and FreeBSD and exposes hundreds of tables — `processes`, `listening_ports`, `users`, `crontab`, `kernel_extensions`, `firefox_addons`, `chrome_extensions`, `dns_resolvers`, and many more — that a defender can query with familiar SELECTs. The table set is platform-specific (`kernel_extensions`, for instance, exists only on macOS), so a fleet-wide query must be checked against each platform's schema. osquery can be run interactively (`osqueryi`) or as a daemon (`osqueryd`) that runs scheduled queries and streams their results to a fleet manager such as Fleet, Kolide, Zentral, or commercial XDRs; by default a scheduled query reports only the rows added or removed since its previous run, so a consumer that needs the full current state must mark the query as a snapshot. Use cases include asset inventory, compliance reporting (CIS Benchmark checks via SQL), threat hunting (e.g. 'show me all processes whose binary path is in a temp directory'), incident response (rapid fleet-wide IOC search), and configuration drift detection. Because the agent does not ship its own detections — only data — osquery is usually paired with a separate detection layer (ELK, Sigma, EDR) or with a managed offering. It remains one of the most widely used open-source endpoint visibility tools.
● Examples
- 01
An IR team runs `SELECT pid, name, path FROM processes WHERE path LIKE '/tmp/%';` across 30,000 hosts via a fleet manager to find suspicious dropped binaries.
- 02
A compliance team schedules a nightly osquery to report which endpoints have disk encryption enabled, mapping results to CIS Benchmark checks.
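The overview above and examples 01 and 02 together describe one pipeline: scheduled queries in the osqueryd config, results streamed out as JSON log lines, and a separate detection layer that reads them. The following is an added example of that pipeline and is not code from the osquery project or from the original page. The `schedule` key, the table and column names (`processes`, `listening_ports`, `disk_encryption`), and the result-log fields (`name`, `hostIdentifier`, `unixTime`, `action`, `columns`, `snapshot`) follow osqueryd's real config and JSON results-logger formats; the query names, host names and log lines are constructed for the example.

```python
"""Added example: an osqueryd schedule for the use cases above plus a small
'detection layer' that consumes osqueryd result-log lines. Not osquery
project code; host names and log lines below are constructed."""
import json
from typing import Dict, List, Set

# osqueryd config fragment. "schedule" is the real config key: each entry is a
# named query run every `interval` seconds. Results are logged as differentials
# (rows added/removed since the last run) unless "snapshot": true is set.
OSQUERY_SCHEDULE: Dict[str, dict] = {
    "schedule": {
        # Threat hunting (example 01): binaries executing out of temp dirs.
        "procs_in_tmp": {
            "query": "SELECT pid, name, path, cmdline FROM processes "
                     "WHERE path LIKE '/tmp/%' OR path LIKE '/dev/shm/%';",
            "interval": 300,
        },
        # Inventory: which process listens on which port; snapshot so the
        # consumer always sees the full current state, not just changes.
        "listening": {
            "query": "SELECT p.pid, p.name, l.port, l.address "
                     "FROM listening_ports l JOIN processes p USING (pid) "
                     "WHERE l.port != 0;",
            "interval": 3600,
            "snapshot": True,
        },
        # Compliance (example 02): disk encryption state, nightly snapshot.
        "disk_encryption": {
            "query": "SELECT name, encrypted FROM disk_encryption;",
            "interval": 86400,
            "snapshot": True,
        },
    }
}


def render_config() -> str:
    """Serialize the schedule as an osqueryd config file body."""
    return json.dumps(OSQUERY_SCHEDULE, indent=2)


def scheduled_query_names() -> List[str]:
    return sorted(OSQUERY_SCHEDULE["schedule"])


# Constructed result-log lines in the shape osqueryd's JSON results logger
# emits: one object per line; "action" is added/removed for differential
# queries or "snapshot" for snapshot queries; column values arrive as strings.
SAMPLE_RESULTS_LOG = "\n".join([
    json.dumps({"name": "procs_in_tmp", "hostIdentifier": "web-01",
                "unixTime": 1700000000, "action": "added",
                "columns": {"pid": "4242", "name": "kworkerd",
                            "path": "/tmp/.x/kworkerd",
                            "cmdline": "/tmp/.x/kworkerd"}}),
    # Same row later reported as removed: the process exited. Not a new finding.
    json.dumps({"name": "procs_in_tmp", "hostIdentifier": "web-01",
                "unixTime": 1700000300, "action": "removed",
                "columns": {"pid": "4242", "name": "kworkerd",
                            "path": "/tmp/.x/kworkerd",
                            "cmdline": "/tmp/.x/kworkerd"}}),
    json.dumps({"name": "disk_encryption", "hostIdentifier": "laptop-07",
                "unixTime": 1700000000, "action": "snapshot",
                "snapshot": [{"name": "/dev/disk1s1", "encrypted": "1"}]}),
    json.dumps({"name": "disk_encryption", "hostIdentifier": "laptop-12",
                "unixTime": 1700000000, "action": "snapshot",
                "snapshot": [{"name": "/dev/sda2", "encrypted": "0"}]}),
    "not json at all",  # logger hiccup: must be skipped, not crash the pipeline
])


def parse_results(text: str) -> List[dict]:
    """Parse result-log lines, dropping blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "name" in obj and "action" in obj:
            events.append(obj)
    return events


def tmp_process_findings(events: List[dict]) -> List[Dict[str, str]]:
    """Rows newly added by procs_in_tmp. 'removed' rows are the process exiting."""
    return [
        {"host": e["hostIdentifier"], "pid": e["columns"]["pid"],
         "path": e["columns"]["path"]}
        for e in events
        if e["name"] == "procs_in_tmp" and e["action"] == "added"
    ]


def unencrypted_hosts(events: List[dict]) -> Set[str]:
    """Hosts whose most recent disk_encryption snapshot has any unencrypted volume."""
    latest: Dict[str, dict] = {}
    for e in events:
        if e["name"] == "disk_encryption" and e["action"] == "snapshot":
            h = e["hostIdentifier"]
            if h not in latest or e["unixTime"] >= latest[h]["unixTime"]:
                latest[h] = e
    return {h for h, e in latest.items()
            if any(r.get("encrypted") != "1" for r in e["snapshot"])}


if __name__ == "__main__":
    evs = parse_results(SAMPLE_RESULTS_LOG)
    print("suspicious temp-dir processes:", tmp_process_findings(evs))
    print("hosts with unencrypted disks:", sorted(unencrypted_hosts(evs)))
```

The two consumer functions show the caveat that matters when building detections on osquery output: a differential query yields an `added` row once and a `removed` row when the state goes away, so the detection keys on `added`; a compliance check, by contrast, wants the full state, so the query is scheduled as a snapshot and the consumer keeps only the latest snapshot per host.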
● Frequently asked questions
What is osquery?
An open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR. It belongs to the Defense and Operations category of cybersecurity.
What does osquery mean?
The name denotes the operating-system query agent described in the definition above: OS state (processes, sockets, files, users, kernel modules) exposed as SQL tables for inventory, detection, and IR.
How does osquery work?
As described above: the agent maps operating-system state onto virtual SQL tables. Run interactively, `osqueryi` answers ad-hoc SELECTs on one host; run as the `osqueryd` daemon, it executes scheduled queries and streams their results (differentials by default, full snapshots on request) to a fleet manager such as Fleet, Kolide, Zentral, or a commercial XDR. osquery ships data, not detections, so the detection logic lives in a separate layer (ELK, Sigma, EDR) or a managed offering.
How is osquery used defensively?
As described in the definition above, osquery is a defensive tool in its own right: it combines technical controls (scheduled queries, fleet-wide IOC search, CIS Benchmark checks expressed as SQL) with operational practice (feeding its results into a separate detection and response layer).
What other names is osquery known by?
Commonly associated names: osqueryd and osqueryi. These are osquery's two binaries (the daemon and the interactive shell) rather than true aliases for the project.
● Related terms
- defense-ops№ 412
EDR (Endpoint Detection and Response)
Endpoint security technology that continuously records process, file, registry, and network activity in order to detect, investigate, and respond to threats on endpoints.
- defense-ops№ 423
Endpoint isolation
An EDR response action that cuts a compromised device's network connectivity to everything except the security management plane, so the attacker cannot move laterally while response is under way.
- defense-ops№ 1267
Threat hunting
The practice of proactively, hypothesis-driven exploration of telemetry to find threats that have slipped past existing detections.
- defense-ops№ 461
File integrity monitoring (FIM)
A security control that compares critical OS, application, and configuration files against a known-good cryptographic baseline to detect unexpected changes.
- defense-ops№ 231
Configuration management
The operational discipline of defining, recording, and enforcing the desired state of systems and applications so that configuration stays known, consistent, and secure.
- defense-ops№ 338
Detection engineering
The discipline of designing, testing, deploying, and operating detections as code, driven by threat models, so that coverage of attack techniques becomes measurable.