Overview

Osquery is an open-source operating system instrumentation framework for Windows, macOS, Linux, and FreeBSD. It exposes the operating system as a set of relational tables, so low-level analytics and monitoring can be expressed as SQL queries and run both performantly and intuitively.
Once the logs have been delivered to the shared storage, Hunters reads them from the bucket, parses them and makes the source available in both the detection and the investigation phases of the Hunters pipeline, giving broader coverage of your users and your network.

Supported Data Types

  • Osquery Events - osqueryd writes scheduled query results through a logger plugin; the default is the filesystem plugin, which emits newline-delimited JSON, and the default result format is "event" (as opposed to "snapshot"). In event format each log line is a single row that was added to or removed from the query's previous result, i.e. one state change, with the "action" field recording which.

Hunters Ingestion

To enable Hunters' collection and ingestion of osquery logs for your account, ship the logs to a storage service (for example an S3 bucket or an Azure Blob Storage container) that is shared with Hunters.
Osquery's own logging documentation describes how to configure the logger plugin and its output path.

Expected Format

The log format is fixed at collection time and may differ between environments. This is the format Hunters expects to receive (one JSON object per line):

{"name":"process_events","hostIdentifier":"AAAA","calendarTime":"Mon Dec 20 14:00:12 2021 UTC","unixTime":1640008812,"epoch":0,"counter":9,"numerics":false,"columns":{"cmdline":"","cwd":"/","host":"","name":"kworker/","pid":"57761","root":"/","time":"1639788179","type":"dead","user":""},"action":"removed"}
  • Note that the columns key holds a nested object whose fields are the columns of the queried osquery table; those inner fields vary by table and do not have to match the example exactly.

  • The expected values of the top-level name field are:
    iptables, last, socket_events, memory_info, process_events, cpu_time, crontab, hardware_events, file_events, kernel_modules, runtime_perf, shell_history
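The following is an added example (not Hunters' or osquery's own code) of a pre-ingestion check for the expected format described above: it reads newline-delimited osquery output, rejects lines that are not event-format records with the required top-level keys and a nested columns object, and flags records whose name is not in the expected list. The sample log lines are constructed for illustration; the first one is the page's own example, the others are made up (a socket_events line, an unlisted table name, a snapshot-format line and a truncated line). Treating an unlisted name as a rejection is this example's choice.

```python
import json
from collections import Counter
from typing import Optional, Tuple

# Names the page lists as expected values of the top-level "name" field.
EXPECTED_NAMES = {
    "iptables", "last", "socket_events", "memory_info", "process_events",
    "cpu_time", "crontab", "hardware_events", "file_events",
    "kernel_modules", "runtime_perf", "shell_history",
}

# Top-level keys an event-format result line must carry for this check.
REQUIRED_KEYS = ("name", "hostIdentifier", "unixTime", "columns", "action")
EVENT_ACTIONS = {"added", "removed"}

# Constructed sample log (not real data). Line 1 is the page's example; the
# rest are made up: a valid socket_events line, an unlisted name ("uptime"),
# a snapshot-format line, and a truncated line that is not valid JSON.
SAMPLE_LOG = """\
{"name":"process_events","hostIdentifier":"AAAA","calendarTime":"Mon Dec 20 14:00:12 2021 UTC","unixTime":1640008812,"epoch":0,"counter":9,"numerics":false,"columns":{"cmdline":"","cwd":"/","host":"","name":"kworker/","pid":"57761","root":"/","time":"1639788179","type":"dead","user":""},"action":"removed"}
{"name":"socket_events","hostIdentifier":"BBBB","calendarTime":"Mon Dec 20 14:00:13 2021 UTC","unixTime":1640008813,"epoch":0,"counter":10,"numerics":false,"columns":{"action":"connect","pid":"4242","remote_address":"10.0.0.5","remote_port":"443"},"action":"added"}
{"name":"uptime","hostIdentifier":"CCCC","calendarTime":"Mon Dec 20 14:00:14 2021 UTC","unixTime":1640008814,"epoch":0,"counter":11,"numerics":false,"columns":{"days":"3"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"DDDD","calendarTime":"Mon Dec 20 14:00:15 2021 UTC","unixTime":1640008815,"epoch":0,"counter":12,"numerics":false,"snapshot":[{"port":"22","pid":"1"}],"action":"snapshot"}
{"name":"process_events","hostIdentifier":"EEEE","unixTime":1640008816,"columns":{"pid":"1
"""


def classify_line(line: str) -> Tuple[str, Optional[dict]]:
    """Return (status, record). status is "ok" for an acceptable event-format
    record, otherwise a short reason; record is the parsed object or None."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return "malformed_json", None
    if not isinstance(record, dict):
        return "malformed_json", None
    # Snapshot-format output carries a "snapshot" array instead of "columns";
    # the page documents event format only, so these are set aside.
    if "snapshot" in record or record.get("action") == "snapshot":
        return "snapshot", record
    if any(key not in record for key in REQUIRED_KEYS):
        return "missing_keys", record
    if not isinstance(record["columns"], dict):
        return "bad_columns", record
    if not isinstance(record["unixTime"], int):
        return "bad_timestamp", record
    if record["action"] not in EVENT_ACTIONS:
        return "bad_action", record
    if record["name"] not in EXPECTED_NAMES:
        return "unexpected_name", record
    return "ok", record


def triage(text: str) -> dict:
    """Classify every non-empty line of a newline-delimited osquery log.
    Returns {"counts": {status: n}, "accepted": [record, ...]}."""
    counts: Counter = Counter()
    accepted = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, record = classify_line(line)
        counts[status] += 1
        if status == "ok":
            accepted.append(record)
    return {"counts": dict(counts), "accepted": accepted}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["counts"])
    for rec in summary["accepted"]:
        print(rec["hostIdentifier"], rec["name"], rec["action"], rec["columns"].get("pid"))
```

Run against a real filesystem-logger result file, the counts tell you before sharing the bucket whether a host is emitting snapshot rather than event output, or scheduling queries whose names are outside the list above; the accepted records keep the nested columns object untouched, since its fields differ per table.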