osquery (originally built at Facebook, now a Linux Foundation project) is an endpoint instrumentation framework that exposes operating system state as SQL tables. Run a query such as SELECT * FROM processes WHERE on_disk = 0; and you get every running process whose backing executable has been deleted from disk — a classic IOC.
Architecture:
- osqueryd — daemon that runs scheduled queries.
- osqueryi — interactive REPL.
- Fleet / Kolide / FleetDM — popular open-source management servers that distribute query packs to thousands of hosts.
Hundreds of tables are available, many of them cross-platform: processes, listening_ports, startup_items, users, logged_in_users, kernel_modules, deb_packages, windows_security_products, etc.
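To show what the on_disk IOC looks like once osqueryd runs it on a schedule, here is an added example (not osquery project code) that triages osqueryd result-log lines for that query. The log lines are constructed; their field names follow osquery's differential (added/removed) and snapshot result formats, and the scheduled query name "pack/ir/deleted_binaries" is an assumption.

```python
"""Triage osqueryd result logs for the deleted-binary IOC (on_disk = 0)."""
import json

# Constructed sample of osqueryd result-log lines (one JSON object per line),
# following osquery's differential (added/removed) and snapshot formats.
# Assumed scheduled query name: "pack/ir/deleted_binaries", running
#   SELECT pid, name, path, on_disk FROM processes WHERE on_disk = 0;
SAMPLE_LOG = """\
{"name":"pack/ir/deleted_binaries","hostIdentifier":"web-01","unixTime":1700000000,"columns":{"pid":"4242","name":"updater","path":"/tmp/updater","on_disk":"0"},"action":"added"}
{"name":"pack/ir/listening_ports","hostIdentifier":"web-01","unixTime":1700000001,"columns":{"pid":"811","port":"443","address":"0.0.0.0"},"action":"added"}
{"name":"pack/ir/deleted_binaries","hostIdentifier":"web-01","unixTime":1700000600,"columns":{"pid":"4242","name":"updater","path":"/tmp/updater","on_disk":"0"},"action":"removed"}
{"name":"pack/ir/deleted_binaries","hostIdentifier":"db-02","unixTime":1700000700,"snapshot":[{"pid":"77","name":"agent","path":"/opt/agent/bin/agent","on_disk":"0"}],"action":"snapshot"}
this line is not JSON and must be skipped rather than crash the pipeline
"""
QUERY_NAME = "pack/ir/deleted_binaries"  # assumed pack/query name


def parse_results(text):
    """Yield one dict per well-formed log line; skip anything unparseable."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def rows_for(record):
    """Return (action, rows): a snapshot carries many rows, a diff carries one."""
    if record.get("action") == "snapshot":
        return "snapshot", record.get("snapshot", [])
    return record.get("action", ""), [record.get("columns", {})]


def deleted_binary_alerts(text, query_name=QUERY_NAME):
    """Alert on added/snapshot rows; a removed row means the process exited (context only)."""
    alerts = []
    for rec in parse_results(text):
        if rec.get("name") != query_name:
            continue
        action, rows = rows_for(rec)
        if action not in ("added", "snapshot"):
            continue
        for row in rows:
            if row.get("on_disk") == "0":  # osquery serialises every column as a string
                alerts.append({"host": rec.get("hostIdentifier"), "pid": row.get("pid"),
                               "path": row.get("path"), "seen": rec.get("unixTime")})
    return alerts


if __name__ == "__main__":
    for a in deleted_binary_alerts(SAMPLE_LOG):
        print(f"[{a['host']}] pid {a['pid']} runs deleted binary {a['path']} at t={a['seen']}")
```

Running it prints two alerts (web-01 pid 4242 and db-02 pid 77); the "removed" row and the malformed line are ignored.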