OSQUERY

Osquery is an open-source tool from Facebook that exposes endpoint data (running processes, users, network connections, registry keys and more) as tables that can be queried with SQL syntax. It works across Windows, macOS and Linux and gives security teams real-time visibility into hosts. On its own, osquery only queries the local machine; Kolide Fleet extends it to many endpoints at once, which makes it useful for enterprise-wide threat hunting and monitoring.

# download
PS C:\> $osqueryUrl = "https://pkg.osquery.io/windows/osquery.msi"
PS C:\> $downloadPath = "$env:TEMP\osquery.msi"
PS C:\> Invoke-WebRequest -Uri $osqueryUrl -OutFile $downloadPath

# installation (quiet install; -Wait blocks until msiexec exits; the path is quoted in case %TEMP% contains spaces)
PS C:\> Start-Process msiexec.exe -ArgumentList "/i `"$downloadPath`" /quiet /norestart" -Wait
PS C:\> Write-Output "Osquery installation completed."

PS C:\> osqueryi --version

PS C:\> osqueryi
 Using a virtual database. Need help, type 'help'
osquery> select pid,name,path from processes where name='lsass.exe';
 +-----+-----------+-------------------------------+
 | pid | name      | path                          |
 +-----+-----------+-------------------------------+
 | 748 | lsass.exe | C:\Windows\System32\lsass.exe |
 +-----+-----------+-------------------------------+
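The interactive query above is a manual check. The script below is an added example, not part of the original page or the osquery project, that turns the same idea into a repeatable check: it asks osqueryi for JSON output and verifies that core Windows system processes run from their expected System32 location. It assumes osqueryi.exe is on PATH (the MSI installs under C:\Program Files\osquery by default, which is an assumption here) and that the shell is elevated, since the `path` column can come back empty for protected processes otherwise.

```powershell
# Added example (not from the original page): check that core Windows system
# processes run from their expected location, using osqueryi's --json output.
# Assumes osqueryi.exe is on PATH and that this runs in an elevated shell.

# Expected on-disk locations for processes that are frequently impersonated
# (a look-alike name running from another directory is worth investigating).
$expected = @{
    'lsass.exe'    = 'C:\Windows\System32\lsass.exe'
    'csrss.exe'    = 'C:\Windows\System32\csrss.exe'
    'services.exe' = 'C:\Windows\System32\services.exe'
    'winlogon.exe' = 'C:\Windows\System32\winlogon.exe'
}

# Build the IN (...) list from the hashtable keys
$names = ($expected.Keys | ForEach-Object { "'$_'" }) -join ','
$sql   = "select pid, name, path, parent from processes where name in ($names);"

# osqueryi accepts the query as an argument and prints a JSON array with --json.
# The output spans several lines, so join it before parsing.
$json = (& osqueryi --json $sql) -join "`n"
$rows = @($json | ConvertFrom-Json)

foreach ($row in $rows) {
    $want = $expected[$row.name]          # hashtable keys are case-insensitive
    if ([string]::IsNullOrEmpty($row.path)) {
        Write-Warning "NO PATH  pid=$($row.pid) $($row.name) (run elevated to read the path)"
    } elseif ($row.path -ieq $want) {
        Write-Output  "OK       pid=$($row.pid) $($row.name) $($row.path)"
    } else {
        Write-Warning "MISMATCH pid=$($row.pid) $($row.name) runs from '$($row.path)' (expected '$want')"
    }
}

# There should be exactly one lsass.exe; a second copy is unusual and worth a closer look.
$lsassCount = @($rows | Where-Object { $_.name -ieq 'lsass.exe' }).Count
if ($lsassCount -ne 1) {
    Write-Warning "Found $lsassCount lsass.exe process(es); expected exactly 1"
}
```

The same query can be dropped into an osqueryd scheduled pack (or into Fleet, as the text mentions) so the check runs on every endpoint on a schedule instead of being typed into osqueryi by hand; the path comparison then moves to whatever consumes the logs.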
