Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Osquery Events | ✅ | ✅ | osquery_logs | NDJSON | S3 |
Overview
Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.
After the data is ingested, Hunters reads it from the shared bucket, parses it, and makes this source available to protect your users and your network more comprehensively, in both the detection and investigation phases of the Hunters pipeline.
Supported data types
Osquery Events
Table name: osquery_logs
The Osquery daemon uses the filesystem logger plugin by default. Output from the filesystem plugin is written as ND-JSON, with "event" as the default result format. Each log line represents a state change: a row that was added to or removed from a scheduled query's result set since its previous run.
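As an added example (not part of the Hunters documentation or the osquery project), the following Python script parses event-format ND-JSON lines of the kind osquery's filesystem logger emits and replays the added/removed actions, in unixTime order, to rebuild each query's current result set per host. The sample lines are constructed: the pack name, host identifier and user rows are hypothetical, only the subset of osquery result fields the script needs is included, and two deliberately malformed lines show how a loader should skip bad input rather than fail.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample lines (not real customer data) in osquery's default
# "event" result format: one JSON object per line, the row itself in the
# "columns" dict, and "action" recording whether the row was added to or
# removed from the query's result set since the previous run.
SAMPLE_NDJSON = """\
{"name":"pack_hunters_users","hostIdentifier":"host-01","calendarTime":"Tue Nov 14 22:13:20 2023 UTC","unixTime":1700000000,"columns":{"username":"alice","uid":"1001","shell":"/bin/bash"},"action":"added"}
{"name":"pack_hunters_users","hostIdentifier":"host-01","calendarTime":"Tue Nov 14 22:18:20 2023 UTC","unixTime":1700000300,"columns":{"username":"svc-backup","uid":"1002","shell":"/bin/sh"},"action":"added"}
this line is not JSON and must be skipped, not crash the loader
{"name":"pack_hunters_users","hostIdentifier":"host-01","calendarTime":"Tue Nov 14 22:23:20 2023 UTC","unixTime":1700000600,"columns":{"username":"alice","uid":"1001","shell":"/bin/bash"},"action":"removed"}
{"name":"pack_hunters_users","hostIdentifier":"host-01","calendarTime":"Tue Nov 14 22:28:20 2023 UTC","unixTime":1700000900,"columns":"not-a-dict","action":"added"}
"""

# Keys every event-format record must carry before we trust it.
REQUIRED_KEYS = ("name", "hostIdentifier", "unixTime", "columns", "action")


def parse_ndjson(text: str) -> Tuple[List[Dict[str, Any]], List[int]]:
    """Parse ND-JSON event-format lines.

    Returns (records, skipped_line_numbers). A line is skipped when it is not
    valid JSON, lacks a required key, has a non-dict "columns" value, or has an
    "action" other than "added"/"removed".
    """
    records: List[Dict[str, Any]] = []
    skipped: List[int] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            skipped.append(line_no)
            continue
        if (not isinstance(rec, dict)
                or any(k not in rec for k in REQUIRED_KEYS)
                or not isinstance(rec["columns"], dict)
                or rec["action"] not in ("added", "removed")):
            skipped.append(line_no)
            continue
        records.append(rec)
    return records, skipped


def row_key(columns: Dict[str, Any]) -> str:
    """Canonical identity of a result row, independent of key ordering."""
    return json.dumps(columns, sort_keys=True, separators=(",", ":"))


def replay_state(records: List[Dict[str, Any]]) -> Dict[Tuple[str, str], Dict[str, Dict[str, Any]]]:
    """Replay added/removed events in time order to rebuild, per (host, query),
    the set of rows currently present in that query's result set."""
    state: Dict[Tuple[str, str], Dict[str, Dict[str, Any]]] = {}
    for rec in sorted(records, key=lambda r: r["unixTime"]):
        bucket = state.setdefault((rec["hostIdentifier"], rec["name"]), {})
        key = row_key(rec["columns"])
        if rec["action"] == "added":
            bucket[key] = rec["columns"]
        else:
            bucket.pop(key, None)  # tolerate a "removed" with no prior "added"
    return state


def current_rows(text: str, host: str, query: str) -> List[Dict[str, Any]]:
    """Convenience wrapper: rows now present for one host/query pair."""
    records, _ = parse_ndjson(text)
    return list(replay_state(records).get((host, query), {}).values())


if __name__ == "__main__":
    recs, bad = parse_ndjson(SAMPLE_NDJSON)
    print(f"parsed {len(recs)} events, skipped lines {bad}")
    for (host, query), rows in replay_state(recs).items():
        print(host, query, [r["username"] for r in rows.values()])
```

Because identity is derived from the whole columns dict, a row whose attributes change (for example a user's shell) appears as a removed event for the old row and an added event for the new one, which is exactly how osquery reports differential results; the replay therefore stays correct without any schema-specific primary key.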
Send data to Hunters
Hunters supports the ingestion of Osquery logs via an intermediary AWS S3 bucket.
To connect Osquery logs:
Export your logs to an AWS S3 bucket by following this resource.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
The format of the logs is determined in the collection phase and may differ between environments. This is the format that we expect to receive:
🚧 Note
Note that the columns key contains a dict. The format of the inner dict does not have to match the given example exactly.
The expected names are as follows: