Two years after introducing the open-source endpoint monitoring tool for Linux and OS X users, Facebook on Tuesday released the ‘osquery’ developer kit for Windows. Security teams can now build free, customised osquery deployments to monitor and diagnose their Windows fleets.
For background, Facebook first released the SQL-powered open-source tool in 2014. ‘osquery’ initially supported Ubuntu, CentOS, and Mac OS X, and developers soon pressed for a port to Windows as well.
As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security. We saw the long-held misconception of security by obscurity fall away as people started sharing tooling and experiences with other members of the community. Our initial release of osquery was supported for Linux and OS X, but the community was also excited for a Windows version — so we set out to build it.
says Nick Anderson, a security engineer at Facebook.
In March, the company confirmed that it was building a Windows version of the tool with full functionality: cross-platform support, a monitoring daemon, and an active development setup. Porting osquery to Windows proved difficult, and developers from the security firm Trail of Bits worked with the social media giant on the port.
The ‘osquery’ developer kit lets you treat your operating system as a relational database. SQL tables represent abstract concepts such as running processes, loaded kernel modules or drivers, open network connections, browser plugins and file hashes. You can then write SQL queries to explore OS data and detect intrusions and other malicious activity on your organisation’s network.
For example, a system administrator who needs to answer a question about running processes no longer has to tail and parse syslog; the same system and process information can be fetched directly with an SQL query through osquery.
The same approach reaches browser extensions, which few endpoint security agents inspect. Anderson gives Facebook’s own use as an example:
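The kind of query the paragraph describes, as an added example that is not from the article or the osquery project. It runs unchanged in the `osqueryi` shell on Windows and uses only cross-platform osquery tables (`processes`, `process_open_sockets`, `listening_ports`, `hash`); the port allowlist in the second query is a constructed placeholder, not a recommendation.

```sql
-- Added example, not from the article or the osquery project.
-- 1. Every process that currently holds a socket to a remote host, with the
--    SHA-256 of the binary behind it. The join on hash.path supplies the path
--    constraint the hash table requires; processes with no on-disk path
--    (some Windows system processes) drop out of the inner join.
SELECT p.pid, p.name, p.path, s.remote_address, s.remote_port, h.sha256
FROM processes AS p
JOIN process_open_sockets AS s ON s.pid = p.pid
JOIN hash AS h ON h.path = p.path
WHERE s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
  AND s.remote_port != 0;

-- 2. TCP listeners (protocol 6) owned by processes, excluding a constructed
--    placeholder allowlist of ports you expect on a domain-joined host.
SELECT lp.port, lp.address, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.protocol = 6
  AND lp.port NOT IN (135, 445, 3389);
```

Run either statement interactively in `osqueryi` to get a table back immediately. To turn it into monitoring, put the same SQL under a named entry in the `schedule` section of `osquery.conf` with an `interval`; the `osqueryd` daemon then logs only rows that appear or disappear between runs, which is what makes a new listener or a new outbound connection stand out.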
osquery allows our Facebook security team to fetch data about all browser extensions running on our corporate network. We then compare that information to threat intelligence data to quickly identify malicious extensions and remove them.
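How the extension check Anderson describes can be expressed in osquery SQL, as an added example that is not Facebook’s internal query. It assumes the cross-platform `users` and `chrome_extensions` tables; on Windows, `chrome_extensions` must be joined with `users` so osquery knows which profiles to read. The identifiers in the `bad_extensions` list are constructed placeholders standing in for a threat-intelligence feed, not real indicators.

```sql
-- Added example, not the article's or Facebook's query.
-- The CTE holds constructed placeholder IDs (Chrome IDs are 32 letters a-p);
-- in practice it would be fed from a threat-intelligence source.
WITH bad_extensions(identifier) AS (
  VALUES ('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
         ('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')
)
SELECT u.username, e.name, e.identifier, e.version, e.update_url, e.path
FROM users AS u
JOIN chrome_extensions AS e USING (uid)
WHERE e.identifier IN (SELECT identifier FROM bad_extensions)
   -- Extensions not updated from the Chrome Web Store were side-loaded or
   -- force-installed; flag them for review even if they are not on the list.
   OR e.update_url NOT LIKE 'https://clients2.google.com/service/update2/crx%';
```

The `update_url` clause is a heuristic, not a verdict: enterprise-managed extensions and developer-mode extensions also fail it, so treat a hit as a lead to triage rather than an automatic removal.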
If you have been waiting to build and deploy this diagnostic tool on your Windows infrastructure, the complete documentation is available to get you started. You can also join other Windows osquery developers in the osquery Slack community.