URL: https://www.uptycs.com/blog/osquery-security-use-cases-and-solutions
OSQUERY EDR: UNIVERSAL OPEN SOURCE ENTERPRISE SECURITY ANALYTICS AGENT

Tags: Osquery, System Architecture, Open Source, Cloud Security

GANESH PAI | August 06, 2019

Osquery has become a popular source of instrumentation for a wide variety of use cases. On the GitHub security showcase, it is currently among the most popular open source security projects. Given that popularity, a recurring question is: what use cases can one address with osquery in an enterprise environment? In this blog, I'll discuss:

* Key attributes of osquery that make it an excellent universal agent of choice for collecting telemetry for multiple use cases
* Considerations for operationalizing osquery: collecting high-volume telemetry from an endpoint and aggregating it at scale across many endpoints
* Components of a solution for osquery-powered security analytics

OSQUERY: A UNIVERSAL OPEN SOURCE AGENT

Osquery is well-documented. In this blog, I'll touch on a few key attributes of osquery that make it a pragmatic universal open source agent. As you explore osquery further and understand the depth and breadth of the collected data, you will realize the possible use cases are limited only by your imagination.
* Osquery interfaces with the kernel (e.g., OpenBSM on macOS, kaudit on Linux, ETW on Windows) to capture kernel behavioral activity/events (e.g., processes launched, socket connections, file changes). This is done via event tables. The events and their attributes provide a reliable source of telemetry for detecting intrusions and malicious behavior on an endpoint. These tables lay a sound foundation for osquery-based EDR and FIM solutions.
* Osquery can scrape point-in-time OS state via scheduled queries. The queries can be scheduled to run as snapshot or differential (i.e., with differential, only changes are sent, for greater efficiency). The results of scheduled queries provide a reliable source of telemetry for software asset inventory and OS configured-state inventory. This set of features and tables provides a foundation for osquery-based asset inventory and vulnerability detection.
* Over a remote TLS connection or via the CLI, one can run live/ad-hoc queries. These interfaces lay a sound foundation for incident investigation and for debugging and diagnostics. These capabilities, along with the rich set of tables, lay the foundation for osquery-based incident investigation.
* Using parsing lenses (e.g., Augeas), one can parse various configuration files. These advanced capabilities provide a flexible and reliable source of data for auditing and implementing benchmarks such as CIS. They can also provide rich data for implementing supporting controls for compliance standards such as PCI, SOC 2, and FedRAMP. This flexible telemetry provides a solid basis for data and evidence collection for osquery-based compliance.
* Using the Thrift extension mechanism, one can write extensions in C++, Python, Node, and Go. The extension mechanism provides a quick basis to add new capabilities to the deployment using scripting (e.g., Python).
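The collection modes above (event tables, differential versus snapshot scheduled queries, and FIM through the file_events table) map directly onto osquery's JSON configuration. The following is an added example, not code from the original post or from the osquery project: a constructed configuration that uses each mode, with a small lint pass for the trade-offs a snapshot-heavy or events-disabled schedule would create. The query names, intervals, watched paths, the MIN_SNAPSHOT_INTERVAL threshold and the lint rules are this example's own assumptions; the table and column names and the option flags are osquery's.

```python
"""Added example (not from the Uptycs post or the osquery project): an osquery
configuration that uses each collection mode described above, plus a lint pass
for the cost and coverage trade-offs that come with them."""
import json

# Constructed configuration. Table and column names are real osquery tables;
# the query names, paths and intervals are illustrative choices.
OSQUERY_CONFIG = {
    "options": {
        # Event tables sit on the publish/subscribe system; on Linux the process
        # and socket events come from the kernel audit publisher, which osquery
        # must be allowed to configure (these are the upstream flag names).
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "audit_allow_sockets": "true",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        # Bumping the epoch forces every scheduled query to re-send its full
        # result set as "added" with counter 0.
        "schedule_epoch": "1",
    },
    "schedule": {
        # Differential (default): after the first run only added/removed rows
        # are logged, so state tables can be polled often at low cost.
        "listening_ports": {
            "query": "SELECT pid, port, protocol, address FROM listening_ports;",
            "interval": 300,
        },
        "local_users": {
            "query": "SELECT uid, gid, username, shell FROM users;",
            "interval": 3600,
        },
        # Snapshot: the full result every run. Reserve it for small tables on
        # long intervals, since nothing is de-duplicated.
        "os_version_snapshot": {
            "query": "SELECT name, version, build FROM os_version;",
            "interval": 86400,
            "snapshot": True,
        },
        # Event tables: rows accumulate in the publisher's buffer between runs,
        # so a short interval just drains the buffer.
        "process_events": {
            "query": "SELECT pid, parent, path, cmdline, time FROM process_events;",
            "interval": 30,
        },
        "socket_events": {
            "query": "SELECT pid, action, remote_address, remote_port, time FROM socket_events;",
            "interval": 30,
        },
        "file_events": {
            "query": "SELECT target_path, action, sha256, time FROM file_events;",
            "interval": 60,
        },
    },
    # FIM: the file_events table only reports paths listed here (%% = recursive).
    "file_paths": {
        "etc": ["/etc/%%"],
        "binaries": ["/usr/bin/%%", "/usr/sbin/%%"],
    },
}

# Policy threshold for the lint below: an assumption for this example, not an
# osquery limit.
MIN_SNAPSHOT_INTERVAL = 3600


def lint_schedule(config):
    """Return findings for schedules that will be expensive or silently empty."""
    findings = []
    options = config.get("options", {})
    # osquery keeps events on unless disable_events is explicitly true.
    events_disabled = str(options.get("disable_events", "false")).lower() == "true"
    for name, entry in config.get("schedule", {}).items():
        sql = entry["query"].lower()
        interval = int(entry["interval"])
        if entry.get("snapshot") and interval < MIN_SNAPSHOT_INTERVAL:
            findings.append(f"{name}: snapshot every {interval}s re-sends the full "
                            "result; use differential or lengthen the interval")
        if "_events" in sql and events_disabled:
            findings.append(f"{name}: reads an event table while disable_events=true; "
                            "it will always be empty")
        if "file_events" in sql and not config.get("file_paths"):
            findings.append(f"{name}: file_events needs file_paths to watch anything")
    return findings


def render_config(config):
    """Serialize for /etc/osquery/osquery.conf or a TLS config endpoint."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    for finding in lint_schedule(OSQUERY_CONFIG) or ["schedule OK"]:
        print(finding)
    print(render_config(OSQUERY_CONFIG))
```

Run it to print any findings followed by the rendered configuration; point osqueryd's `--config_path` at the output, or serve the same JSON from a TLS config endpoint.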
OPERATIONALIZING OSQUERY: ENDPOINT LOG CONSIDERATIONS

In any reasonably sized osquery deployment, no matter your end goal or use case, you will need a mechanism to deploy osquery at some scale and manage a fleet of osquery agents. There are many fleet management solutions, and I'll not cover that topic here. Rather, I'll cover some of the key configuration-related options on the endpoint and highlight the implications for result logs. Osquery is very flexible and has many configuration options. Specifically, we'll list some topics and delve a bit more into the data collection implications. Osquery configuration management entails:

* Configuring flags and options
* Configuring the certificate and enroll secret for TLS-based remote control
* Scheduling queries
* Configuring event tables and FIM
* Choosing log destinations

A popular but challenging (for scaling) approach to dealing with osquery telemetry is log forwarding. An alternate approach is to simply use HTTP/TLS for everything. At Uptycs we specialize our solution around HTTP/TLS, and we've built our Endpoint Detection Network (EDN) to scale out osquery deployments. Here are a few things to consider if you are planning to write to a local disk/log file for log forwarding (e.g., to Splunk or ELK):

* Depending on how many events (activity/load on the machine) and scheduled queries there are, osquery can generate a significant volume of telemetry, which can result in significant resource utilization on the endpoint.
* On the endpoint you will have to forward the logs reliably to a backend.
* If you use snapshot mode and capture with high frequency, it will be prohibitively expensive (CPU, storage and bandwidth), and if the frequency is low, you will miss events/data.
* If you use differential mode, reconstructing timeline-based state in a backend such as Splunk or ELK is a significant challenge that you need to consider. The differential data received by the backend is structured with add/remove markers relative to an epoch.
Thus the backend needs state reconstruction logic based on discrete point-in-time events. Because of this challenge, many revert to snapshot mode, which is expensive and inefficient.

OSQUERY-POWERED SECURITY ANALYTICS

As summarized earlier, osquery is extremely capable and can be used as a universal agent for many use cases, including:

* Intrusion/malicious activity detection (EDR)
* File integrity monitoring
* Incident investigation
* Vulnerability detection
* Audit and compliance

In all of the above, osquery is a valuable part of a solution, providing structured telemetry. To complete the solution, you will need:

* A mechanism to manage a fleet of osquery universal agents
* The ability to aggregate osquery telemetry securely and collect it at scale across many agents
* A backend or data lake with streaming and historical analytics to solve the broad set of security use cases

In this blog I focused on osquery use cases. Of critical importance for enterprise-grade osquery deployments are considerations of scale. I'll cover that topic in my next blog post.

Learn more about osquery:
* Osquery: What it is, how it works, and how to use it
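The differential-mode problem raised in the operationalizing section above (add/remove markers relative to an epoch, with the full state never present in any one log line) is what a backend has to solve before it can answer "what was listening on this host at a given time?". The following is an added example, not code from the original post, from Uptycs or from the osquery project: a Python reconstruction over constructed osquery result-log lines in the three shapes osquery writes (one row per line with an action, a batched diffResults record, and a snapshot). The host, rows and timestamps are made up; treating a counter of 0 as a full re-send of the result set after an epoch change is osquery's documented behaviour, and the example assumes the lines for each (host, query) pair arrive in the order osquery wrote them.

```python
"""Added example (not from the Uptycs post or the osquery project): rebuild the
point-in-time state of scheduled queries from osquery differential result logs."""
import json
from collections import defaultdict

# Constructed result-log lines in the three shapes osquery writes: one row per
# line with an "action", a batched "diffResults" record, and a "snapshot".
# Host, PIDs, ports, users and times are made up; field names follow osquery.
# Lines for one (host, query) pair are in the order osquery wrote them.
SAMPLE_LOG = r'''
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1000,"epoch":1,"counter":0,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1000,"epoch":1,"counter":0,"columns":{"pid":"901","port":"80","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"diffResults":{"added":[{"uid":"0","username":"root"},{"uid":"1001","username":"deploy"}],"removed":[]},"name":"local_users","hostIdentifier":"web-01","unixTime":1000,"epoch":1,"counter":0}
{"snapshot":[{"name":"Ubuntu","version":"22.04.3 LTS"}],"action":"snapshot","name":"os_version_snapshot","hostIdentifier":"web-01","unixTime":1000,"epoch":1,"counter":0}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1300,"epoch":1,"counter":1,"columns":{"pid":"1337","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1600,"epoch":1,"counter":2,"columns":{"pid":"950","port":"8080","protocol":"6","address":"127.0.0.1"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1900,"epoch":2,"counter":0,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1900,"epoch":2,"counter":0,"columns":{"pid":"901","port":"80","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"diffResults":{"added":[{"uid":"1002","username":"svc_update"}],"removed":[{"uid":"1001","username":"deploy"}]},"name":"local_users","hostIdentifier":"web-01","unixTime":2200,"epoch":1,"counter":1}
'''


class QueryState:
    """Current rows for one (host, query) pair plus the last full re-send seen."""

    def __init__(self):
        self.rows = {}          # row key -> column dict
        self.last_reset = None  # (epoch, unixTime) of the last counter-0 run applied


def _row_key(columns):
    # osquery diffs on whole-row content, so a row that changes in any column
    # shows up as a remove plus an add; a canonical JSON dump mirrors that identity.
    return json.dumps(columns, sort_keys=True)


def _apply(state, rec):
    """Fold one log record into the state for its (host, query)."""
    if rec.get("action") == "snapshot":
        state.rows = {_row_key(r): r for r in rec["snapshot"]}  # full state, replace
        return
    if "diffResults" in rec:
        changes = [("added", r) for r in rec["diffResults"].get("added", [])]
        changes += [("removed", r) for r in rec["diffResults"].get("removed", [])]
    else:
        changes = [(rec["action"], rec["columns"])]
    # On an epoch change (or loss of osquery's result database) the counter
    # returns to 0 and the whole result set is re-sent as "added"; rows missing
    # from that set never get a "removed" record, so drop the old state first.
    # All rows of one run share epoch and unixTime, so reset only once per run.
    run = (rec.get("epoch"), rec["unixTime"])
    if rec.get("counter") == 0 and state.last_reset != run:
        state.rows = {}
        state.last_reset = run
    for action, cols in changes:
        if action == "added":
            state.rows[_row_key(cols)] = cols
        elif action == "removed":
            state.rows.pop(_row_key(cols), None)


def reconstruct(log_text, until=None):
    """Return {(host, query): [row dicts]} as of unixTime `until` (or the log end)."""
    states = defaultdict(QueryState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if until is not None and rec["unixTime"] > until:
            continue  # timeline question: ignore everything after the cut-off
        _apply(states[(rec["hostIdentifier"], rec["name"])], rec)
    return {key: sorted(st.rows.values(), key=_row_key) for key, st in states.items()}


def column_values(state, host, query, column):
    """Sorted values of one column for a (host, query), for quick comparisons."""
    return sorted(row[column] for row in state.get((host, query), []))


if __name__ == "__main__":
    for t in (1000, 1600, 1900):
        ports = column_values(reconstruct(SAMPLE_LOG, until=t), "web-01", "listening_ports", "port")
        print(f"listening ports at {t}: {ports}")
    print("final users:", column_values(reconstruct(SAMPLE_LOG), "web-01", "local_users", "username"))
```

The point the sample is built to show is the epoch boundary at unixTime 1900: ports 4444 and 8080 were added in epoch 1 and never explicitly removed, yet the counter-0 re-send in epoch 2 omits them, so a backend that only replays add/remove markers without resetting on counter 0 would report them as still listening.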