Difference between process_open_sockets and socket_events

process_open_sockets vs socket_events

This article explains the difference between the socket information captured by the process_open_sockets table and the socket_events table.

The same distinction applies to processes, i.e. process information captured by the 'processes' table versus the 'process_events' table.


process_open_sockets
  • A scheduled query.
  • Captures all sockets open in all running processes at the moment the query runs.
  • Will miss any socket (or process) that was opened and closed between two query intervals.

socket_events
  • Captures all connect, accept, bind and listen system calls.
  • Will not miss any socket that is created.


With socket_events enabled, process_open_sockets is less useful, but it is still needed for one case: sockets of any process started before osquery itself started are only captured by process_open_sockets, since socket_events only records system calls observed after osquery begins auditing.

With socket_events enabled, the collection frequency of process_open_sockets can therefore be decreased.
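As an added illustration (not configuration from the original article or from Uptycs), the osquery configuration below applies the recommendation above: socket_events is enabled through the upstream osquery audit flags, process_open_sockets is scheduled as an hourly snapshot to establish the baseline of sockets that existed before osquery started, and socket_events is polled frequently for everything opened since. Assumptions: upstream osquery flag names (disable_events, disable_audit, audit_allow_sockets, events_expiry) and Linux audit as the event source; a Uptycs-managed deployment may set these differently.

```json
{
  "options": {
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_sockets": "true",
    "events_expiry": "3600"
  },
  "schedule": {
    "socket_baseline": {
      "query": "SELECT pid, family, protocol, local_address, local_port, remote_address, remote_port FROM process_open_sockets WHERE remote_port != 0;",
      "interval": 3600,
      "snapshot": true
    },
    "socket_activity": {
      "query": "SELECT time, action, pid, path, local_address, local_port, remote_address, remote_port, success FROM socket_events WHERE action IN ('connect', 'accept', 'bind', 'listen');",
      "interval": 60
    }
  }
}
```

The snapshot query is the only one that will show sockets belonging to processes started before osquery; the event query catches short-lived connections that would fall between two snapshots.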


Please contact support@uptycs.com for any issues.
