steampipe-plugin-sdk VS OSQuery

🔧 The CLI is written in Go, as well as the Steampipe Plugins connecting to various APIs like AWS, GitHub, Zoom, Reddit, and 130+ more. https://hub.steampipe.io/plugins

It's fully open source with a thriving community of users and contributors. As of today, there are 111 plugins (including AWS & Azure). We also have thousands of open source queries, security benchmarks, resource graphs and dashboards available out of the box as mods. See the Steampipe Hub for full docs and details.

Steampipe is free, open source. It's a CLI used to SQL query & report across all your cloud APIs & data sources (e.g. AWS, GitHub, Slack, Kubernetes, Terraform, etc) along with a dashboards-as-code capability to run automated security & compliance benchmarks. Allows you to simply query & report without the overhead for log ingestion, ETL or a DB.

For some background, the Steampipe CLI provides an open source, common SQL interface to query join and report from your cloud APIs (e.g. Azure, AWS, GitHub, AzureAD, M365, etc).

Not the author, but a big fan of steampipe. You can use this example as a starting point to write integrations with a number of other services that are supported by steampipe plugins.

Since Steampipe provides a common SQL interface across plugins, there could be interesting 'joins' that you can do for querying & reporting -- any interesting joins you would consider across SPO, M365 or other plugins?

The CLI is written primarily in Go, as well as its plugins (e.g. AWS, GitHub, Slack, Zoom, Reddit, etc): https://hub.steampipe.io/plugins. You can extend an existing plugin by adding new 'tables', or you can write your own plugin for your favorite cloud service.

Perhaps the OP means OsQuery: https://github.com/osquery/osquery

OsQuery is an SQLite extension consisting of hundreds of virtual tables

There's at least one open data quality issue for `process_open_sockets` on macOS[1]. It's a few years old however and, if you aren't seeing that casting error, you probably aren't hitting it. But that's a good example of the kind of debt that's been built up over time.

(In terms of general purpose/flexible tooling, I'm not aware of a close replacement for osquery.)

[1]: https://github.com/osquery/osquery/issues/6319

The largest we have successfully deployed is on the OSQuery schema https://osquery.io/ which is 277 tables and lots of business context (malwares, vulnerabilities, Windows registry keys, etc).

From a self hosted standpoint OSQuery or Wazuh are your best bets for monitoring USB devices. Windows makes blocking really challenging and I’m not aware of any “free” solutions that attempt it.

Configure auditd to monitor host activity: https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 or osquery: https://osquery.io/ (or similar software: filebeat for example).

OS Query : Easily ask questions about your Linux, Windows, and macOS infrastructure

Osquery + Fleet. https://osquery.io/ https://fleetdm.com/, using the two allows you to build a query to answer what ever questions you (or an auditor) might have about your environment.