Project 1 - OSQuery - Ainsley Smith & Riley Bashaw - AinsleyPlayer/SEC-350 GitHub Wiki
Your security engineering technical lead has asked you to investigate a potential security tool called OSQuery. They have asked that you be prepared to demonstrate the application itself and its integration into the corporate EDR platform (wazuh). You are expected to demo your results to the full security engineering team in one week.
Your team's task (pick another student from the section or go it alone).
- Conduct some high level research on OSQuery so that you can explain what it does to your team at a high level
- Figure out how to install OSQuery on either web01 (Rocky) or wks01 (Windows 10)
- Investigate and demonstrate some of the features of the OSQuery client application
- Figure out how to integrate OSQuery with Wazuh
- Develop an end-to-end demonstration that shows the triggering of an event that is picked up by OSQuery and how that event eventually makes it to Wazuh.
- Lastly, conclude by discussing any pros and cons of this tool and integration.
- This is a One Week Project
Deliverable 1.
A demonstration video that touches base on all your team tasks. Provide a link to a highly professional video that the professor has access to. Under no circumstances, upload a video directly to CANVAS unless using CANVAS studio. If operating in a team, make sure both team members have a voice.
Deliverable 2. Provide a link to an exceptionally well prepared build document (this can be a google doc shared between team members or a github wiki entry) that covers the specific installation and configuration tasks associated with this project.
What is OSQuery:
OSQuery is an open-source tool that exposes an operating system as a high-performance relational database. It lets users write SQL-like queries to monitor and explore system data such as network connections and hardware events. That data is presented as tables, for example the users on a system or the hardware currently connected to the device.
What does it do:
OSQuery is meant to query your devices like a database: it lets you use SQL-like queries that return detailed information about your devices. It allows you to monitor and analyze system data, logs, and networking information, and it structures that information in a digestible way. Its main uses are system auditing, security monitoring, compliance reporting, and incident response.
Features:
- SQL-Based Queries: fetch system information using SQL syntax.
- Real-Time Monitoring: scheduled queries give continuous monitoring of, and visibility into, the system's activities.
- Cross-Platform Support: runs on macOS, Linux, Windows, and FreeBSD.
- Extensibility: integrates well with other tools and supports custom plugins.
Configuration
Pros:
- Easy installation and implementation.
- Modular code base.
- Very simple query processing.
- Customizable, with real-time event recording.
- Can provide endpoint data that was previously inaccessible.
Cons:
- OSQuery is not very beginner-friendly for people who are just learning SQL, as some of the information the tool returns is very complex.
- The configuration of this tool must be done carefully to avoid performance issues.
- High-cost data storage.
- Incremental data can be hard to interpret.
- Does not support centralized deployment.
- Requires an extended infrastructure lift.
- Optimizing queries and query packs is crucial.
- Third-party data and assistance are required in order to have threat protection.
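To make the Features list and the "configure carefully" caveat above concrete, here is an added example (not from this wiki page and not part of OSQuery or Wazuh) showing the two halves of the end-to-end task: an osqueryd schedule written as plain SQL queries with intervals, and a parser for the results log that osqueryd appends to and that the Wazuh agent reads. It assumes the Rocky host (web01) with osquery's default filesystem logger, so results land in /var/log/osquery/osqueryd.results.log, and it uses the standard Linux osquery tables listening_ports, processes, crontab and logged_in_users. The log lines are constructed samples in the real osqueryd results format, not captured from a host.

```python
"""Added example: an osqueryd schedule that feeds Wazuh, plus a parser for
the differential results log Wazuh ingests.

Assumptions (not stated on the wiki page):
  - osqueryd on the Rocky host (web01) uses the default filesystem logger,
    so results are written to /var/log/osquery/osqueryd.results.log;
  - the Wazuh agent's osquery module tails that same file;
  - listening_ports, processes, crontab and logged_in_users are the
    standard osquery tables available on Linux.
"""
import json

RESULTS_LOG = "/var/log/osquery/osqueryd.results.log"  # osquery default on Linux

# The "schedule" half of /etc/osquery/osquery.conf. Each entry is an SQL
# query plus an interval in seconds. Without "snapshot", osquery logs only
# rows added or removed since the previous run (a differential), which is
# what turns a change on the host into a discrete event for Wazuh.
OSQUERY_CONF = {
    "options": {
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        # Performance guard rails (the "configure carefully" con): osqueryd's
        # watchdog restarts the worker if it exceeds these limits.
        "watchdog_memory_limit": 350,       # MB
        "watchdog_utilization_limit": 60,   # percent CPU
        "schedule_splay_percent": 10,       # spread query start times
    },
    "schedule": {
        "new_listening_ports": {
            "query": (
                "SELECT p.pid, p.name, p.path, l.port, l.protocol, l.address "
                "FROM listening_ports l JOIN processes p USING (pid) "
                "WHERE l.port != 0;"
            ),
            "interval": 60,
        },
        "crontab_entries": {
            "query": "SELECT path, command, minute, hour FROM crontab;",
            "interval": 120,
        },
        "logged_in_users": {
            "query": "SELECT user, host, tty, time FROM logged_in_users;",
            "interval": 300,
            "snapshot": True,   # full result set every run, no diffing
        },
    },
}


def render_config() -> str:
    """Serialise the config exactly as it would be written to osquery.conf."""
    return json.dumps(OSQUERY_CONF, indent=2)


def scheduled_query_names():
    """Names of the scheduled queries, as osquery's osquery_schedule table would list them."""
    return sorted(OSQUERY_CONF["schedule"])


def parse_results_log(lines):
    """Turn osqueryd.results.log lines into (query name, action, row) tuples.

    Differential entries carry one row each under "columns" with action
    "added" or "removed"; snapshot entries carry every row under "snapshot".
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") == "snapshot":
            for row in rec["snapshot"]:
                events.append((rec["name"], "snapshot", row))
        else:
            events.append((rec["name"], rec["action"], rec["columns"]))
    return events


def new_listeners(events):
    """Rows a Wazuh rule would alert on: sockets that started listening since the last run."""
    return [row for name, action, row in events
            if name == "new_listening_ports" and action == "added"]


# Constructed sample of what osqueryd appends after a service starts listening
# on 8080 (added), an old listener on 9000 disappears (removed), and one
# logged_in_users snapshot run completes.
SAMPLE_LOG = """
{"name":"new_listening_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 12:00:00 2024 UTC","unixTime":1704110400,"epoch":0,"counter":3,"numerics":false,"columns":{"pid":"4242","name":"httpd","path":"/usr/sbin/httpd","port":"8080","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"new_listening_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 12:00:00 2024 UTC","unixTime":1704110400,"epoch":0,"counter":3,"numerics":false,"columns":{"pid":"3131","name":"python3","path":"/usr/bin/python3","port":"9000","protocol":"6","address":"127.0.0.1"},"action":"removed"}
{"name":"logged_in_users","hostIdentifier":"web01","calendarTime":"Mon Jan  1 12:05:00 2024 UTC","unixTime":1704110700,"epoch":0,"counter":1,"numerics":false,"snapshot":[{"user":"root","host":"10.0.5.10","tty":"pts/0","time":"1704110000"}],"action":"snapshot"}
"""

if __name__ == "__main__":
    print(render_config())
    for name, action, row in parse_results_log(SAMPLE_LOG.splitlines()):
        print(f"{name:22} {action:9} {row}")
```

On the Wazuh side nothing in this script is needed: the agent's osquery module (the `osquery` wodle in ossec.conf) reads the same osqueryd.results.log path by default and forwards each JSON line to the manager, where the built-in osquery rules raise alerts on it, so the demo flow is: start a new listening service on web01, wait for the 60-second schedule tick, and watch the "added" line appear first in the results log and then as an alert in the Wazuh dashboard. The interval and watchdog values are illustrative starting points; shorter intervals on heavy tables such as processes are the usual cause of the performance problems listed under Cons.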
Links:
- https://www.crowdstrike.com/en-us/cybersecurity-101/it-automation/osquery/
- https://www.loginsoft.com/post/explicating-the-concepts-of-osquery
- https://www.uptycs.com/osquery-how-it-works-and-how-to-use
- https://best-of-web.builder.io/library/osquery/osquery