Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Anyone actively using Binalyze/B!nalyze and making use of their OSQuery implementation? Trying to see if it there is much crossover with a fleet deployment thats mainly used for inventory. Only docs i could find were a list of query templates
<https://kb.binalyze.com/air/features/triage/triage-rule-templates/osquery-templates>

Answered my own question, Binalyze changes too many defaults out of the box. If anyone needs this in the future these are the modified settings from the OSQuery defaults

stderrthreshold
hash_delay
database_path
extensions_socket
csv
disable_caching
disable_database
disable_events
disable_extensions
disable_logging
disable_watchdog
logtostderr

I’m not familiar with binalyze, but <https://www.binalyze.com/blog/interact-a-remote-shell-solution-crafted-exclusively-for-modern-dfir> talks about creating a sorta-shell thing where you can run commands on a client. One command, is to run queries inside osquery.

That’s a fairly different model than how most osquery managers work. It’s not better or worse, just different.

It's certainly an interesting differentiation. From what I can see their OSquery implementation is still quite new with deployment at 5.5.1 and limited to non event table queries on am ad-hoc basis plus the interact shell. Hopefully they do more with it in the future.

Their docs have some really recent community work