Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

screenshot-20240112-161840.png

Is it normal for OSQuery deployed through Orbit to have external connection access? Can I cancel this connection if it's normal?

Hey <@U03HEUZB15W>,
Fleetd will need an external connection for updates unless you're manually updating or have your own TUF (premium only). Is possible might be reaching out to get info on tables such as `sntp` or even `curl`. Not recognizing those IPs, is possibly the current CDN the host is hitting, but my hunch is the host has a service outside fleetd that is reaching out.

Could filter/drop those if you want, but may not give accurate data for those tables or break updates.

Also, can use CLI flags or flagfile to <https://osquery.readthedocs.io/en/stable/installation/cli-flags/#enable-and-disable-flags|disable tables> on `sntp_request` and `curl` to see if those go away.