Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types	3rd party detection	Hunters detection	IOC search	Search	Table name	Log format	Collection method
Osquery Events			✅	✅	osquery_logs	NDJSON	S3

Overview

Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

After the data is ingested, Hunters read the data from the shared bucket, parse it and allow the usage of this source to protect your users and your network in a more comprehensive way - both in detection and investigation phases in the Hunters’ pipeline.

Supported data types

Osquery Events

Table name: osquery_logs

The Osquery daemon uses a default filesystem logger plugin. Output from the filesystem plugin is written as ND-JSON, Event is the default result format. Each log line represents a state change.

Send data to Hunters

Hunters supports the ingestion of Osquery logs via an intermediary AWS S3 bucket.

To connect Osquery logs:

Export your logs to an AWS S3 bucket by following this resource.
Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

The format of the logs is determined in the collection phase and might be in different formats between environments. This is the format that we expect to receive:

{"name":"process_events","hostIdentifier":"AAAA","calendarTime":"Mon Dec 20 14:00:12 2021 UTC","unixTime":1640008812,"epoch":0,"counter":9,"numerics":false,"columns":{"cmdline":"","cwd":"/","host":"","name":"kworker/","pid":"57761","root":"/","time":"1639788179","type":"dead","user":""},"action":"removed"}

🚧 Note

Note that the key columns contain a dict. The format of the inner dict doesn’t have to be exact to the given example.

The expected names are as follows:

iptables, last, socket_events, memory_info, process_events, cpu_time, crontab, hardware_events, file_events, kernel_modules, runtime_perf, shell_history