Put simply, Osquery is software that lets you run SQL queries that return information about your system. With Osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
The idea is that rather than running lots of different utilities to find out things about your system, you instead run an SQL query on one of the tables. Behind the scenes, Osquery has mapped the state of your system into lots of different tables.
How many tables? Well, https://osquery.io/schema/5.12.1/ lets you select your OS type (Linux, Mac and Windows) and shows a clickable list. For Linux, there are 154 tables. A significant proportion of these are tied to software you have installed, so there are tables for Chrome, Firefox, Docker, npm packages and quite a few more.
Just click on a table name in the list to see all the fields. When you want to inspect a concept, you ‘select’ the data, and the associated OS APIs are called in real time.
Ironically, the query select * from cpu_info; returns nothing on our system because it’s running in a virtual machine, although cpuid does. Other queries, such as select * from deb_packages;, return many rows. In that case, you might find select count(*)