💻 Endpoint detection (EDR)
osquery
Query your operating system as if it were a database.
Why use it
osquery exposes hundreds of OS facts — running processes, listening ports, USB devices, persistence locations, file hashes — as SQL tables. Run ad-hoc queries on a single host or fleet-wide via Fleet, Kolide, or your own TLS server.
What you get
- 200+ tables across Linux, macOS, Windows
- Scheduled queries with diff-based reporting
- File integrity monitoring
- YARA scanning support
- Pack of detection queries from the community
System requirements
| Requirement | Value |
|---|---|
| CPU | minimal |
| RAM | 128 MB |
| Disk | 50 MB |
| OS | Linux, macOS, Windows |
| Docker | Yes |
Installation
Download the package for your OS from osquery.io. Run osqueryi for an interactive shell, or configure osqueryd with a config file to schedule queries. Use Fleet (free) to manage many hosts: https://fleetdm.com.
Suggested configuration
Start with the community detection packs (osquery-attck, palantir/osquery-configuration). Schedule baseline queries (process_open_sockets, listening_ports, last_logged_in) every 5 minutes. Forward results to your SIEM via the TLS plugin.
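The configuration described above, written out as an added example (not taken from the osquery project or from any of the community packs): an osquery.conf that schedules the three baseline queries every 300 seconds with differential (diff-based) logging, adds a small file-integrity-monitoring path set, and pulls in a community pack by path. The pack file name and the FIM paths are placeholders; the page's "last_logged_in" is rendered here with the logged_in_users table, which is the table name I know exists.

```json
{
  "options": {
    "schedule_splay_percent": 10,
    "disable_events": false
  },
  "schedule": {
    "listening_ports": {
      "query": "SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address FROM listening_ports lp JOIN processes p USING (pid) WHERE lp.port != 0;",
      "interval": 300,
      "description": "Processes bound to a listening socket; a new row in the diff is a new service or backdoor to explain"
    },
    "process_open_sockets": {
      "query": "SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port, s.protocol FROM process_open_sockets s JOIN processes p USING (pid) WHERE s.remote_port != 0;",
      "interval": 300,
      "description": "Outbound connections per process; differential logging reports only added/removed rows"
    },
    "logged_in_users": {
      "query": "SELECT user, tty, host, time, pid, type FROM logged_in_users;",
      "interval": 300,
      "description": "Interactive sessions (placeholder for the page's last_logged_in query)"
    },
    "file_events": {
      "query": "SELECT target_path, category, action, sha256, time FROM file_events;",
      "interval": 300,
      "description": "FIM results for the paths under file_paths below; requires disable_events=false"
    }
  },
  "file_paths": {
    "persistence": [
      "/etc/cron.d/%%",
      "/etc/systemd/system/%%",
      "/home/%/.ssh/%%"
    ]
  },
  "packs": {
    "osquery-attck": "/etc/osquery/packs/osquery-attck.conf"
  }
}
```

Forwarding to a SIEM over the TLS plugin is done with command-line flags rather than in this file, because the logger and config plugins are selected before the config is read; with Fleet the relevant flags are of the form `--logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --tls_hostname=<fleet-host> --tls_server_certs=<ca.pem>` (endpoint path and hostname here are assumptions for your deployment). Check the file before deploying with `osqueryd --config_path=/etc/osquery/osquery.conf --config_check`.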
Integration ideas
- Forward results to Wazuh, Elastic, or Graylog
- Manage at scale with Fleet (free)
- Combine with Velociraptor for hunt-grade collection
Alternatives
- Velociraptor — Heavier hunt platform built on osquery-style queries.
- Wazuh agent — Closer to a full EDR, less SQL-flexible.
Cyentrix verdict
The cleanest way to get fleet visibility on cheap hardware. Pair with Fleet for free management at homelab scale.