Facebook’s “Osquery” Security Tool Available for Windows

Facebook announced on Tuesday the availability of an osquery version that can be used by security teams to quickly identify and analyze threats on their Windows networks.

Osquery is an instrumentation framework that lets users explore their operating system efficiently through SQL queries. It exposes the operating system as a relational database: processes, network connections, loaded kernel modules, hardware events and browser plugins are represented as SQL tables that can be queried, joined and filtered like any other relational data.

The framework was released as open source in October 2014, but until now it had only been available for OS X and Linux. Facebook says its security team has been using osquery to, among other things, collect data on browser extensions running on its corporate network. That information is compared against threat intelligence data so that potentially malicious extensions can be quickly identified and removed.
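The two paragraphs above describe the model (the OS as SQL tables) and the hunt built on it (extension inventory checked against threat intelligence). The following is an added example, not code from the osquery project, Facebook or Trail of Bits. The SQL uses osquery's real chrome_extensions and users tables (per-user tables need the JOIN so every profile on the host is enumerated); the JSON rows, the host names and the indicator list are constructed for this example and are not real threat intelligence.

```python
"""Hunt for suspicious browser extensions in osquery output.

Added example, not osquery's own code. The query is valid osquery SQL; the
sample rows are constructed to look like `osqueryi --json` output, and the
indicators are fake.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# osquery query: chrome_extensions is a per-user table, so join it to users
# to walk every profile on the machine (required on Windows and macOS/Linux).
EXTENSION_QUERY = """
SELECT u.username, e.name, e.identifier, e.version, e.path
FROM users u
JOIN chrome_extensions e USING (uid);
""".strip()

# Constructed sample of what `osqueryi --json "<EXTENSION_QUERY>"` returns.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"username": "alice", "name": "Tab Saver",
     "identifier": "aaaabbbbccccddddeeeeffffgggghhhh", "version": "2.1.0",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh\2.1.0_0"},
    {"username": "bob", "name": "Helper",
     "identifier": "ddddccccbbbbaaaahhhhggggffffeeee", "version": "1.0",
     "path": r"C:\Tools\helper"},
    {"username": "carol", "name": "Grammar Check",
     "identifier": "mmmmnnnnoooopppphhhhiiiijjjjkkkk", "version": "4.3.1",
     "path": r"C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmmnnnnoooopppphhhhiiiijjjjkkkk\4.3.1_0"},
])

# Constructed threat-intel feed keyed by extension identifier. Fake values.
INDICATORS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": "constructed: search hijacker",
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": "constructed: credential stealer",
}


@dataclass(frozen=True)
class Finding:
    username: str
    identifier: str
    name: str
    reason: str


def hunt(osquery_json: str, indicators: dict[str, str]) -> list[Finding]:
    """Return one Finding per extension that matches intel or looks sideloaded."""
    findings: list[Finding] = []
    for row in json.loads(osquery_json):
        ident = row["identifier"].lower()
        path = row["path"].replace("\\", "/").lower()
        if ident in indicators:
            findings.append(Finding(row["username"], ident, row["name"],
                                    "threat intel: " + indicators[ident]))
        elif ident not in path:
            # Heuristic: Web Store installs land under Extensions/<id>/<version>_0,
            # so an identifier that does not appear in its own path usually means an
            # unpacked extension loaded via developer mode or --load-extension.
            findings.append(Finding(row["username"], ident, row["name"],
                                    "unpacked extension outside the profile's Extensions directory"))
    return findings


if __name__ == "__main__":
    print("osquery query:\n" + EXTENSION_QUERY + "\n")
    for f in hunt(SAMPLE_OSQUERY_JSON, INDICATORS):
        print(f"{f.username}: {f.name} ({f.identifier}) -> {f.reason}")
```

In a real deployment the query would be scheduled in an osquery pack and the JSON shipped to a log pipeline; the matching step above is what the "compare against threat intelligence" sentence amounts to, with the path heuristic added to catch extensions that no feed knows about yet.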

“This proactive technique, known as ‘threat hunting,’ is an important enhancement to traditional detection-based security, but not yet offered by many commercial agents,” Nick Anderson, security engineer at Facebook, said in a blog post.

Facebook ported osquery to Windows with the help of engineers from enterprise security company Trail of Bits, which published a blog post detailing the challenges and benefits.

“Since osquery is cross platform, network administrators will be able to monitor complex operating system states across their entire infrastructure. For those already running an osquery deployment, they’ll be able to seamlessly integrate their Windows machines, allowing for far greater efficiency in their work,” Trail of Bits explained.

Users who want to run osquery on their Windows networks will have to build the application themselves from the available source code. For the time being, the tool can only be built on Windows 10. The osquery developer kit includes the documentation and scripts needed for the build.

Osquery is one of the open source projects covered by Facebook’s bug bounty program, which means researchers can earn rewards if they find vulnerabilities in it. It is also worth noting that, at the time of writing, osquery is the most popular repository on GitHub in the “security” category, ahead of Rapid7’s Metasploit framework.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
