Panther supports ingesting Osquery logs via common options: HTTP Source, Amazon Web Services (AWS) S3, SQS, and CloudWatch.
How to onboard Osquery logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Osquery," then click its tile.
In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring your chosen Data Transport method:
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Configure Osquery to push logs to the Data Transport source.
See Osquery's documentation for instructions on pushing logs to your selected Data Transport source.
Panther-Built Detections
Supported log types
Osquery.Batch
Batch contains all the data included in Osquery batch logs.
schema: Osquery.Batch
description: Batch contains all the data included in OsQuery batch logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: counter
required: true
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: diffResults
required: true
description: Computed differences.
type: object
fields:
- name: added
description: Added field
type: array
element:
type: json
- name: removed
description: Removed field
type: array
element:
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostname
required: true
description: Hostname
type: string
indicators:
- hostname
- name: name
required: true
description: Name
type: string
- name: unixTime
required: true
description: Unix epoch
type: bigint
Osquery.Differential
Differential contains all the data included in Osquery differential logs.
schema: Osquery.Differential
description: Differential contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: action
required: true
description: Action is the type of the event
type: string
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: columns
required: true
description: Columns
type: json
- name: counter
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostIdentifier
required: true
description: HostIdentifier
type: string
indicators:
- hostname
- name: logType
description: LogType
type: string
- name: log_type
description: LogUnderscoreType
type: string
- name: name
required: true
description: Name
type: string
- name: unixTime
required: true
description: UnixTime
type: bigint
- name: logNumericsAsNumbers
description: LogNumericsAsNumbers
type: boolean
Osquery.Snapshot
Snapshot contains all the data included in Osquery differential logs.
schema: Osquery.Snapshot
description: Snapshot contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: unixTime
required: true
description: UnixTime
type: bigint
- name: action
required: true
description: Action is the type of the event
type: string
- name: counter
required: true
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostIdentifier
required: true
description: HostIdentifier. By default it's the hostname'
type: string
indicators:
- domain
- name: name
required: true
description: Name
type: string
- name: snapshot
description: Snapshot
type: array
element:
type: json
Osquery.Status
Status is a diagnostic osquery log about the daemon.
