OSQuery integration

OSQuery is a popular open-source operating system integration framework. It was originally developed by Facebook engineers and is now available as a freely reusable open-source solution. It supports Windows, macOS, and Linux platforms.

Like the 1E Platform, it exposes operating system resources as a set of SQLite tables. There are more than a hundred tables available. Some of these overlap capabilities provided by the 1E Platform (such as running processes), and others provide information which augments that provided natively by the 1E Client. The OSQuery integration feature lets you query any of these tables directly from PowerShell. For more information about OSQuery, refer to OSQuery documentation.

Getting started

The OSQuery integration makes use of a 1E Platform instruction, 1E-Exchange-OSQuery. This instruction is included in the 1E PowerShell Toolkit files. A cmdlet, Invoke-1EOSQuery, is then used to invoke this instruction.

Before you can use the cmdlet, you must upload the instruction to the 1E Platform and assign it to an active instruction set. You can either do this via the 1E Platform or you can use the 1E PowerShell Toolkit cmdlet, Publish-1EInstruction, to upload and assign the instruction.

Invoking a query on an OSQuery table

You use the Invoke-1EOSQuery cmdlet to query a table with OSQuery. The syntax is the following:

Invoke-1EOSQuery -query <query> {-targetscope <scope> | -targetfqdns <fqdns>}

For example, we can query the table called startup_items as shown below:

Invoke-1EOSQuery -query "select * from startup_items" -targetscope urth

The Invoke-1EOSQuery cmdlet returns output data in exactly the same format as other instruction invocation commands, so you can easily process it further via native PowerShell functionality.

For more information on available OSQuery tables, refer to OSQuery documentation.

OSQuery and forensics

OSQuery is popular with security personnel because it provides a rich variety of useful forensic detail about devices. For more information, refer to the following blog: Introduction to osquery for Threat Detection and DFIR.

Under the hood

The 1E-Exchange-OSQuery instruction, which is executed by the Invoke-1EOSQuery cmdlet, includes a copy of the OSQueryI.exe tool, packaged from a recent build of OSQuery. The tool is run on the device with the query passed as an argument. The results, in JSON format, are passed back to the 1E Platform, retrieved by the cmdlet, and then reformatted to match the result set that other instruction invocation cmdlets return.
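The following script is an added example and is not part of the 1E documentation or the 1E PowerShell Toolkit. It illustrates two points from this page: processing Invoke-1EOSQuery rows with native PowerShell (the startup_items query shown earlier, extended into a prevalence check across a scope), and the mechanism described above, by running osqueryi.exe locally with its --json switch and parsing the JSON the same way the instruction does on the device. Assumptions, marked in the code: the cmdlet returns one object per result row with the OSQuery columns as properties plus a device-identifying property, assumed here to be named Fqdn (check the real name with Get-Member); osqueryi.exe is on PATH for the local path; the sample rows at the end are constructed, not real output.

```powershell
# Added example, not part of the 1E toolkit. See the assumptions above.

function Get-StartupItemRows {
    param(
        [string]$TargetScope,
        [switch]$Local
    )
    # Columns name, path, args and username are defined by OSQuery's startup_items table.
    $sql = "select name, path, args, username from startup_items"
    if ($Local) {
        # Mirrors what the instruction does on the endpoint: run osqueryi with the
        # SQL as an argument, read the JSON array back, and turn it into objects.
        $json = & osqueryi.exe --json $sql | Out-String
        $rows = $json | ConvertFrom-Json
        foreach ($r in $rows) {
            # Fqdn is an assumed property name; here it is filled from the local host.
            $r | Add-Member -NotePropertyName Fqdn -NotePropertyValue $env:COMPUTERNAME -PassThru
        }
    } else {
        # Same row shape is assumed to come back from the 1E Platform.
        Invoke-1EOSQuery -query $sql -targetscope $TargetScope
    }
}

function Get-RareStartupItems {
    # Groups startup entries by executable path and reports the ones present on at
    # most MaxPrevalence of the devices in the result set; rare entries are the
    # usual starting point for a persistence review.
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [double]$MaxPrevalence = 0.05
    )
    $deviceCount = @($Rows | Select-Object -ExpandProperty Fqdn -Unique).Count
    if ($deviceCount -eq 0) { return @() }
    $Rows |
        Group-Object -Property path |
        ForEach-Object {
            $devices = @($_.Group | Select-Object -ExpandProperty Fqdn -Unique).Count
            [pscustomobject]@{
                Path       = $_.Name
                Devices    = $devices
                Prevalence = [math]::Round($devices / $deviceCount, 3)
                Names      = (@($_.Group.name) | Sort-Object -Unique) -join ';'
                Users      = (@($_.Group.username) | Sort-Object -Unique) -join ';'
            }
        } |
        Where-Object { $_.Prevalence -le $MaxPrevalence } |
        Sort-Object Prevalence, Path
}

# Constructed sample rows (not real output) in the assumed row shape: two devices share
# a common entry, one device has an extra entry under a user profile path.
$sample = @(
    [pscustomobject]@{ Fqdn = 'pc1.example.test'; name = 'OneDrive'; path = 'C:\Program Files\OneDrive\OneDrive.exe'; args = '/background'; username = 'alice' }
    [pscustomobject]@{ Fqdn = 'pc2.example.test'; name = 'OneDrive'; path = 'C:\Program Files\OneDrive\OneDrive.exe'; args = '/background'; username = 'bob' }
    [pscustomobject]@{ Fqdn = 'pc2.example.test'; name = 'updater'; path = 'C:\Users\bob\AppData\Roaming\updater.exe'; args = ''; username = 'bob' }
)

# With two devices, the per-user entry has prevalence 0.5 and the shared one 1.0,
# so a 0.5 threshold reports only the updater.exe entry.
Get-RareStartupItems -Rows $sample -MaxPrevalence 0.5 | Format-Table -AutoSize

# Against a real scope or locally while developing the query:
# $rows = Get-StartupItemRows -TargetScope urth
# $rows = Get-StartupItemRows -Local
# Get-RareStartupItems -Rows $rows | Format-Table -AutoSize
```

Prevalence is computed per device rather than per row so that a device reporting the same path twice does not skew the count, and @() wrappers keep the Count property reliable when a pipeline yields a single object.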

The OSQueryI.exe tool is about 13MB in size. It is distributed to devices via Content Distribution, which ensures that redundant copies are not sent over the corporate network. You can therefore use this functionality efficiently against any devices in your estate.