Osquery

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Osquery Events

✅

✅

osquery_logs

NDJSON

S3


Overview

Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

After the data is ingested, Hunters reads it from the shared bucket, parses it, and makes this source available to protect your users and your network more comprehensively, in both the detection and the investigation phases of the Hunters pipeline.

Supported data types

Osquery Events

Table name: osquery_logs

The Osquery daemon uses the filesystem logger plugin by default. Output from the filesystem plugin is written as newline-delimited JSON (ND-JSON), and "event" is the default result format: each log line represents a single state change (a row added or removed since the previous run of the query).

Send data to Hunters

Hunters supports the ingestion of Osquery logs via an intermediary AWS S3 bucket.

To connect Osquery logs:

  1. Export your logs to an AWS S3 bucket by following this resource.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

The format of the logs is determined in the collection phase and may differ between environments. This is the format that we expect to receive:

{"name":"process_events","hostIdentifier":"AAAA","calendarTime":"Mon Dec 20 14:00:12 2021 UTC","unixTime":1640008812,"epoch":0,"counter":9,"numerics":false,"columns":{"cmdline":"","cwd":"/","host":"","name":"kworker/","pid":"57761","root":"/","time":"1639788179","type":"dead","user":""},"action":"removed"}

🚧 Note

Note that the columns key contains a dict (a nested object). The keys inside that dict do not have to match the example exactly.

The expected values of the name field are as follows:

iptables, last, socket_events, memory_info, process_events, cpu_time, crontab, hardware_events, file_events, kernel_modules, runtime_perf, shell_history
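As an added example (not part of the Hunters documentation or of osquery itself), the following Python checker can be run over a results log before it is exported to S3 to confirm that every line is event-format ND-JSON like the example above. The set of required top-level keys is an assumption taken from that example line; the list of expected query names is the one given on this page.

```python
import json
# Top-level keys present in the example line above; treating them as required is an assumption.
REQUIRED_KEYS = {"name", "hostIdentifier", "calendarTime", "unixTime", "columns", "action"}
# Query names the page lists as expected.
EXPECTED_NAMES = {"iptables", "last", "socket_events", "memory_info", "process_events",
                  "cpu_time", "crontab", "hardware_events", "file_events", "kernel_modules",
                  "runtime_perf", "shell_history"}

def check_line(line):
    """Validate one line from osquery's filesystem logger; return (ok, reason)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as e:
        return False, f"not valid JSON: {e.msg}"
    if not isinstance(rec, dict):
        return False, "top-level value is not an object"
    missing = REQUIRED_KEYS - set(rec)
    if missing:
        return False, f"missing keys: {sorted(missing)}"
    if not isinstance(rec["columns"], dict):  # event format nests a dict under 'columns'
        return False, "'columns' is not a dict"
    if rec["action"] not in ("added", "removed"):  # event format: one state change per line
        return False, f"unexpected action {rec['action']!r}"
    if rec["name"] not in EXPECTED_NAMES:
        return False, f"query name {rec['name']!r} not in expected list"
    return True, "ok"

def check_file(text):
    """Validate every non-empty line; return (accepted count, [(line number, reason), ...])."""
    accepted, problems = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ok, reason = check_line(line)
        if ok:
            accepted += 1
        else:
            problems.append((n, reason))
    return accepted, problems
# Constructed sample: the page's example line, a snapshot-style line (no 'columns'), a truncated line.
SAMPLE = "\n".join([
    '{"name":"process_events","hostIdentifier":"AAAA","calendarTime":"Mon Dec 20 14:00:12 2021 UTC","unixTime":1640008812,"epoch":0,"counter":9,"numerics":false,"columns":{"cmdline":"","cwd":"/","host":"","name":"kworker/","pid":"57761","root":"/","time":"1639788179","type":"dead","user":""},"action":"removed"}',
    '{"name":"kernel_modules","hostIdentifier":"BBBB","calendarTime":"Mon Dec 20 14:00:13 2021 UTC","unixTime":1640008813,"snapshot":[{"name":"ext4"}],"action":"snapshot"}',
    '{"name":"crontab","hostIdentifier":"CCCC"',
])

if __name__ == "__main__":
    accepted, problems = check_file(SAMPLE)
    print(f"{accepted} accepted; rejected: {problems}")
```

Lines that fail the check are the ones Hunters would not parse as Osquery Events, so they are worth fixing in the logger configuration before the export rather than after.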