#macos
theopolis

09/26/2020, 3:21 PM
My advice is to not compare osquery to EDR or XDR solutions. Osquery is just a small tool, it has a lot of features, but it is not an EDR.
MaxosxOsquery

09/26/2020, 7:06 PM
Thanks for the advice. But people are assuming that osquery can do everything, so I thought of getting some suggestions from this group. Now I'm clear.
fritz

09/27/2020, 3:25 PM
A hammer can do a lot given context and intent; it can frame a house, pry open a door, or smash a person's head in. I think the questions that need to be asked when approaching osquery cannot begin with something akin to: "What can a hammer do compared to a wrench?" but rather: "I am trying to accomplish a specific task (e.g. pull rusty nails out of a board); is it possible to do this with a hammer?" For example, if you ask something like: "Can osquery detect when a file in a specific directory has been modified?", you will receive much more productive responses. Broad comparative or open-ended questions, necessitating exhaustive hypotheticals accompanied by complex feature matrices and Venn diagrams, are unlikely to be answered to any satisfying extent.
theopolis

09/27/2020, 4:03 PM
But fritz, specifically osquery is not a product, it does not have concepts like user management, multi-host aggregation, visualization, etc. So I think it's fair to say osquery is not an EDR but rather a component of an EDR. I think it is fair to ask questions like "compare and contrast these EDR solutions" outside the context of osquery.
seph

09/27/2020, 4:43 PM
TBH I think you’re both right.
4:44 PM
Sticking with fritz’s analogy… I think it’s reasonable to talk about how one might do X with a hammer. And it’s reasonable to compare contractors. But it’s hard to say “How does this hammer compare to what that contractor can do?”
fritz

09/27/2020, 7:56 PM
@theopolis that is a fair point, osquery in and of itself is definitely not a 'product' and distancing it from that classification does alleviate some of the lure of comparing it to other full-fledged products.
MaxosxOsquery

09/28/2020, 8:04 AM
@fritz that's a great analogy. I have seen some companies that have both EDR and osquery, and they end up doing the same task using both tools. It would be nice to identify the osquery capabilities that are missing in the EDR and make use of them effectively. Example use cases: "Identify malicious browser extensions", "Apps that have bypassed defences like XProtect, codesign, LSQuarantine", apps with bundled malicious packs, vulnerable apps on the hosts, identifying the origin of a downloaded file, etc.
Derek W

09/28/2020, 4:28 PM
In my experience, an EDR typically combines some sort of cloud-based data aggregation and analysis product that also pulls in some form(s) of basic threat intelligence and cross-references the data from the EDR sensors with those data.
4:29 PM
The data that are pulled could come from anything client-side, even a copy of osquery baked into the EDR.
4:30 PM
And without this cloud product (which is often very, very expensive) the EDR simply does not work at all, whereas osquery sensors can operate standalone.
4:31 PM
EDRs in my experience also like to use kernel extensions to hook into process- or system-level events, which can have huge stability or performance concerns; in macOS 11 Big Sur kexts go away, so a lot of EDRs may lose a lot of functionality.
4:31 PM
OSQ is user space so ❤️