My advice is to not compare osquery to EDR or XDR solutions. Osquery is just a small tool; it has a lot of features, but it is not an EDR.
09/26/2020, 7:06 PM
Thanks for the advice. But people are assuming that osquery can do everything, so I thought of getting some suggestions from this group. Now I'm clear.
09/27/2020, 3:25 PM
A hammer can do a lot given context and intent; it can frame a house, pry open a door, or smash a person's head in.
I think the questions that need to be asked when approaching osquery cannot begin with something akin to:
"What can a hammer do compared to a wrench?"
"I am trying to accomplish a specific task (e.g. pull rusty nails out of a board); is it possible to do this with a hammer?"
For example, if you ask something like:
"Can osquery detect when a file in a specific directory has been modified?", you will receive much more productive responses.
Broad comparative or open-ended questions, necessitating exhaustive hypotheticals, accompanied by complex feature matrices and Venn diagrams are unlikely to be answered to any satisfying extent.
09/27/2020, 4:03 PM
But fritz, specifically, osquery is not a product; it does not have concepts like user management, multi-host aggregation, visualization, etc. So I think it's fair to say osquery is not an EDR but rather a component of an EDR.
I think it is fair to ask questions like "compare and contrast these EDR solutions" outside the context of osquery.
09/27/2020, 4:43 PM
TBH I think you’re both right.
Sticking with fritz’s analogy… I think it’s reasonable to talk about how one might do X with a hammer.
And it’s reasonable to compare contractors.
But it’s hard to say “How does this hammer compare to what that contractor can do?”
09/27/2020, 7:56 PM
@theopolis that is a fair point, osquery in and of itself is definitely not a 'product' and distancing it from that classification does alleviate some of the lure of comparing it to other full-fledged products.
09/28/2020, 8:04 AM
@fritz that's a great analogy. I have seen some companies that have both EDR and osquery, and they end up doing the same task using both tools. It would be nice to identify the osquery capabilities that are missing in the EDR and make use of them effectively. Example use cases: "Identify malicious browser extensions", "Apps that have bypassed defences like XProtect, codesign, LSQuarantine", apps bundled with malicious packages, vulnerable apps on the hosts, identify the origin of a downloaded file, etc.
09/28/2020, 4:28 PM
In my experience typically EDR combines some sort of cloud-based data aggregation and analyzing product that also pulls in some form(s) of basic threat intelligence and cross-references the data from the EDR sensors with those data
These data that are pulled could come from anything clientside, even a copy of osquery baked into the EDR
And without this cloud product (which is often very very expensive) the EDR simply does not work at all, whereas osquery sensors can operate standalone
EDRs in my experience also like to use kernel extensions to hook into process- or system-level events, which can have huge stability or performance concerns; in macOS 11 Big Sur kexts go away, so a lot of EDRs may lose a lot of functionality.