Process_Open_Sockets v/s Socket_Events
This article explains the difference between socket information captured by Process_open_sockets and socket_events.
The same distinction applies to processes, i.e. process information captured by the 'processes' table versus the 'process_events' table.
Process_open_sockets
- A scheduled query.
- Captures all sockets that are open in all running processes at the moment the query runs.
- Misses any process whose socket was opened and closed between two query runs.

Socket_events
- Captures every connect, accept, bind and listen system call.
- Does not miss any socket that is created.
With socket_events enabled, process_open_sockets becomes less important, but it is still needed: sockets belonging to processes that started before osquery started are not seen by socket_events and are only captured by process_open_sockets.
With socket_events enabled, the frequency of collection of process_open_sockets can be decreased.
Please contact support@uptycs.com for any issues.