One of our favorite tools for endpoint visibility is OSQuery. OSQuery has really transformed the state of endpoint visibility and DFIR by allowing analysts to flexibly issue queries to introspect endpoint state, just like a database. This flexibility has always been the inspiration for Velociraptor, and the development of the Velociraptor Query Language (VQL) followed in the footsteps of OSQuery to provide a powerful and flexible query language.

However, while OSQuery provides a query engine with many plugins exposing machine state, it is not typically enough on its own. OSQuery itself does not provide a server, nor does it provide a GUI (there are a number of OSQuery servers, such as FleetDM/Fleet). Velociraptor, by contrast, was designed to be a scalable DFIR tool that is easy to deploy (typically deployed in minutes). It is typically more complicated to deploy OSQuery at scale, use it to hunt widely and post-process the results.

Nevertheless, OSQuery has been around for a long time, and there are many existing queries that could be used immediately, without needing to convert them to VQL first. Velociraptor and OSQuery are not an either-or choice: you can use them both at the same time! In recent releases Velociraptor directly integrates OSQuery on all supported platforms, so you can issue the same OSQuery query you always did and it will work exactly the same within Velociraptor. This blog post explains how the integration is done, and we go through a typical example of how Velociraptor can use OSQuery to hunt through many machines quickly.

OSQuery itself is a query engine: it is distributed as a single executable which is capable of evaluating a query and returning a result set (essentially a table of rows and columns). In this sense OSQuery is very similar to VQL queries, which also return a result set. The goal of the OSQuery integration is to make OSQuery appear as a natural extension to VQL. That is, within Velociraptor, OSQuery output is indistinguishable from the output of native VQL queries. This allows one to filter and enrich the OSQuery query using standard VQL.

Let's have a look at the VQL artifact that implements OSQuery integration.

In this blog post I demonstrated how Velociraptor integrates OSQuery as a natural extension to the Velociraptor Query Language. To use OSQuery with Velociraptor, one simply collects the relevant artifact from the endpoint. Users do not need to have OSQuery installed on the endpoint: Velociraptor manages the distribution and update of the binary as needed, transparently behind the scenes. We then saw how to extend OSQuery queries seamlessly with the additional functionality built into Velociraptor, by capturing and uploading memory dumps as additional triaging artifacts.
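The following is an added example of the pattern described above (an OSQuery query wrapped in a VQL artifact, then filtered and enriched with native VQL); it is not the artifact from the original post or from the Velociraptor project. The artifact name Custom.Demo.OSQueryProcesses and the parameter names OSQueryQuery and NameRegex are placeholders chosen for this example. The osquery() plugin with its query argument, the hash() function and the =~ regex operator are standard VQL.

```yaml
name: Custom.Demo.OSQueryProcesses
description: |
  Added example (placeholder artifact name, not from the post): runs the
  OSQuery query given as a parameter through Velociraptor's osquery()
  plugin, then filters the rows and adds a SHA256 column computed by
  native VQL from the executable on disk.
parameters:
  - name: OSQueryQuery
    description: Any OSQuery SQL; the default lists running processes.
    default: SELECT pid, name, path FROM processes
  - name: NameRegex
    description: Only keep processes whose name matches this regex.
    default: .
sources:
    # osquery() yields rows just like a native VQL plugin, so the
    # result can go straight into WHERE filtering and extra columns.
    # hash() returns null for rows whose path does not exist on disk.
  - query: |
      SELECT pid, name, path,
             hash(path=path).SHA256 AS SHA256
      FROM osquery(query=OSQueryQuery)
      WHERE name =~ NameRegex AND path != ""
```

Collected as a hunt, every endpoint runs the same OSQuery SQL, but the hashing and filtering happen in VQL on the endpoint, so the server receives only the rows an analyst asked for, already enriched for triage.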