About Queries
Cloud Guard Queries let you create queries to get information about the state of your resources. You can rerun past queries, save favorite queries, and create on-demand queries.
Instance Security, which runs OSQuery under the hood, supports SQL queries as understood by SQLite. These SQL queries can inspect your hosts in near real-time for threat hunting, detections or general ops monitoring.
You can run queries once or convert queries you've already run to scheduled queries to run on a defined cadence and send results to the OCI Logging service to create Cloud Guard problems or export information to a 3P SIEM. And you can rerun queries that have already been run.
On-Demand Queries
An on-demand or custom query is a one off query written using OSQuery which uses SQLite-compliant SQL queries. The query is run by Instance Security across a target.
You can run an on-demand query on a single instance and validate the results before running it across the fleet.
You can rerun queries, and you can save them as favorites to run again.
Some things to be aware of when you create and use queries:
- Running queries production environments can impact CPU and memory resources, so:
- Limit the user groups with access to queries.
- Test queries on a single instance before running across the entire fleet.
Scheduled Queries
Scheduled Queries are created from previously executed queries that you now want to run periodically across your fleet so that you can collect the raw results for post processing. You select the query and choose the targets to run it over, and set the frequency for it to run, and configure the Logging service to record the results.
Controlling Access to Queries
You can control access to queries by creating dynamic groups and using policies. See:
About OSquery
Queries are SQLite understandable SQL constructed using the OSquery SQL language.
OSquery is a performant, open source, multi platform host agent that let you to gain visibility and insights to your fleet. It can collect and normalize data independent of OS while increasing visibility across your infrastructure. OSquery can help any security team with threat hunting, forensics, and intrusion detection by providing real-time views of every running process and network connection. OSquery comes with support from hundreds of tables covering everything from running processes to loaded kernel extensions.
Get Started with OSquery
Collecting the right data requires asking the right questions. For anyone getting started, they must know the data’s location to know how to ask for it. The only way to ask the right questions is to understand how to ask, and it comes back to knowing the schema.
Understand the schema: https://osquery.io/schema/5.5.1/.
As of May 7, 2024, there are 274 tables in the schema. You can use all tables with the exception of:
- Tables with
_events
in the name. - Tables that require YARA support.
curl
andcarves
tables.
Best Practices for Queries
Follow these best practices:
- Format the query so that it's easy to read, and keep it simple.
- Use Join and Sub searches judiciously.
- Define the information you want to collect and scope the query to that information.
For example, if you're interested in running processes which could consume a lot of resources on the instance, you could write
SELECT * from processes
but that would generate a large volume data, possibly most of it unnecessary.
Better practice would be to select only the columns you need, and to set an order by and limit.
Here's an example that gets you a nicely formatted table for top 10 processes by memory consumption.
SELECT pid, name, ROUND((total_size * '10e-7'), 2) AS memory_used FROM processes ORDER BY total_size DESC LIMIT 10;
Query Packs
OSquery query packs are pre built or custom sets of queries that are organized by type, such as compliance, or vulnerability management. You can use query packs to help you understand how your system responds to sets of queries and if necessary tailor the queries to your environment.
Find out more about query packs at osquery.readthedocs.io, Query packs.
You can find useful query packs online, for example this one on GitHub, https://github.com/osquery/osquery/tree/master/packs.
Example Queries
You can get started by running some basic local queries such as SELECT * FROM
users or SELECT * FROM processed LIMIT 10
to learn how the tables work.
Also we have put together a list of suggested queries to help you get up and running.
- Users (
users
): Search for all local user accounts that exist on a machine.Linux (Ubuntu):
SELECT * FROM users WHERE gid < 65534 AND uid >= 1000;
Note
uid 1000
is where users typically start on LinuxLinux: This query finds all users who have actual login shells (not
bin/false
orbin/true
, with allowances for them living in different places, for example,/usr/bin/false
or/bin/false
.SELECT * FROM users WHERE shell NOT LIKE '%false' AND shell NOT LIKE '%true';
- Process Open Sockets (
process_open_sockets
): Searches for processes making network connections, other than web connections.SELECT s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port FROM process_open_sockets s JOIN processes p ON s.pid = p.pid WHERE remote_port NOT IN (80, 443) AND local_port NOT IN (0) AND family = 2;
- Listening Ports (
listening_ports
): Looks for open ports on a system.SELECT DISTINCT p.pid, p.name, l.port FROM listening_ports AS l JOIN processes as p ON l.pid = p.pid WHERE l.address = '0.0.0.0';
- Logged-In Users (
logged_in_users
): Shows who is currently logged in to a system.SELECT liu.*, p.name, p.cmdline, p.cwd, p.root FROM logged_in_users liu, processes p WHERE liu.pid = p.pid;
- File (
file
): Returns information about the specified file on disk. The following queries, finds all files in all user Downloads folders to one level of folder depth.Linux:
SELECT file.path, users.username AS owner, groups.groupname AS groups, datetime(file.btime,'unixepoch') AS created, datetime(file.mtime,'unixepoch') AS last_mod, ROUND((file.size * 10e-7),4) AS size_mb FROM file JOIN users USING (uid) JOIN groups USING (gid) WHERE path LIKE '/home/%/Downloads/%%' ORDER BY last_mod DESC;
Windows:
SELECT file.path, users.username AS owner, datetime(file.btime,'unixepoch') AS created, datetime(file.mtime,'unixepoch') AS last_mod, ROUND((file.size * 10e-7),4) AS size_mb FROM file JOIN users USING (uid) WHERE path LIKE 'c:\Users\%\Downloads\%%' ORDER BY last_mod DESC;