Introduction to OSQuery

OSQuery is a set of libraries that compile information about a device's operating system and store it in a relational database. OSQuery enables analysts to flexibly explore the stored data with SQL queries. The tables expose essential operating system components, such as running processes, loaded kernel modules, open network connections, installed browser plugins, hardware events, or file hashes.

To build SQL queries compatible with OSQuery, you must understand the OSQuery data schema. For more information about the tables and fields used to organize the information collected from investigated devices, see https://osquery.io/schema/4.2.0/.
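The following queries are an added example of statements written against the OSQuery 4.2.0 schema; they are not part of this documentation or of a Cytomic notebook template. The first joins the processes, listening_ports and hash tables to show which processes accept TCP connections and the SHA-256 of their executable; the second joins users with chrome_extensions, which must be constrained by uid to return rows. Table and column names are taken from the schema linked above; the protocol value 6 (TCP) is the IANA protocol number the listening_ports table uses.

```sql
-- Added example, not from the Cytomic documentation.
-- 1) Processes with a listening TCP socket, plus the SHA-256 of their binary.
--    The hash table needs a path constraint, which the join on p.path supplies.
SELECT p.pid,
       p.name,
       p.path,
       lp.address,
       lp.port,
       h.sha256
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.protocol = 6        -- 6 = TCP, 17 = UDP
  AND lp.port != 0
ORDER BY lp.port;

-- 2) Installed Chrome extensions per local user.
--    chrome_extensions returns nothing unless it is joined (or filtered) by uid.
SELECT u.username,
       ce.name,
       ce.identifier,
       ce.version,
       ce.update_url,
       ce.path
FROM users AS u
JOIN chrome_extensions AS ce USING (uid)
ORDER BY u.username, ce.name;
```

When reviewing the results, an unexpected listening port, an executable whose path is empty or whose hash is unknown, or an extension with an update_url outside the Chrome Web Store are the rows an analyst would normally follow up on.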

OSQuery Integration with Cytomic Orion

Cytomic Orion mainly uses notebooks to run OSQuery statements, compile the data received, and present it to analysts in a clear way. Analysts do not have to create notebooks from scratch. They have access to a set of templates that collect the required parameters, send queries to affected devices, and gather results. For more information about how to access the OSQuery feature, see Access OSQuery. For more information about how results are presented, see OSQuery Statement Results.

This feature is also available through the integration API. See OSQuery Access API.

OSQuery Requirements

  • Cytomic EPDR or Cytomic EDR version 3.71 or higher must be installed on the computers from which you want to retrieve infrastructure information.

  • Windows operating system.

  • You must send queries compatible with OSQuery version 4.02.00.