Osquery Logs

Connecting Osquery logs to your Panther Console

Overview

Panther supports ingesting Osquery logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Osquery logs to Panther

To connect these logs into Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Osquery," then click its tile.
In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
Click Start Setup.
Follow Panther's instructions for configuring your chosen Data Transport method:
- HTTP
  - Payloads sent to this source are subject to the payload requirements for all HTTP sources.
  - Do not proceed to the next step until the creation of your HTTP endpoint has completed.
- AWS CloudWatch
- AWS SQS
- AWS S3 bucket
Configure Osquery to push logs to the Data Transport source.
- See Osquery's documentation for instructions on pushing logs to your selected Data Transport source.

Panther-Built Detections

See Panther's built in rules for Osquery in panther-analysis in Github.

Supported log types

Osquery.Batch

Batch contains all the data included in Osquery batch logs.

Reference: Osquery Documentation on Logging. (scroll to Batch format section)

schema: Osquery.Batch
description: Batch contains all the data included in OsQuery batch logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
    - name: calendarTime
      required: true
      description: The time of the event (UTC).
      type: timestamp
      timeFormats:
        - '%a %b %d %H:%M:%S %Y %Z'
        - '%a %b  %d %H:%M:%S %Y %Z'
      isEventTime: true
    - name: counter
      required: true
      description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
      type: bigint
    - name: decorations
      description: Decorations
      type: json
    - name: diffResults
      required: true
      description: Computed differences.
      type: object
      fields:
        - name: added
          description: Added field
          type: array
          element:
            type: json
        - name: removed
          description: Removed field
          type: array
          element:
            type: json
    - name: epoch
      required: true
      description: Epoch. When 'epoch' changes, counter will be reset back to 0.
      type: bigint
    - name: hostname
      required: true
      description: Hostname
      type: string
      indicators:
        - hostname
    - name: name
      required: true
      description: Name
      type: string
    - name: unixTime
      required: true
      description: Unix epoch
      type: bigint

Osquery.Differential

Differential contains all the data included in Osquery differential logs.

Reference: Osquery Documentation on Logging. (scroll to Differential logs section)

schema: Osquery.Differential
description: Differential contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
    - name: action
      required: true
      description: Action is the type of the event
      type: string
    - name: calendarTime
      required: true
      description: The time of the event (UTC).
      type: timestamp
      timeFormats:
        - '%a %b %d %H:%M:%S %Y %Z'
        - '%a %b  %d %H:%M:%S %Y %Z'
      isEventTime: true
    - name: columns
      required: true
      description: Columns
      type: json
    - name: counter
      description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
      type: bigint
    - name: decorations
      description: Decorations
      type: json
    - name: epoch
      required: true
      description: Epoch. When 'epoch' changes, counter will be reset back to 0.
      type: bigint
    - name: hostIdentifier
      required: true
      description: HostIdentifier
      type: string
      indicators:
        - hostname
    - name: logType
      description: LogType
      type: string
    - name: log_type
      description: LogUnderscoreType
      type: string
    - name: name
      required: true
      description: Name
      type: string
    - name: unixTime
      required: true
      description: UnixTime
      type: bigint
    - name: logNumericsAsNumbers
      description: LogNumericsAsNumbers
      type: boolean

Osquery.Snapshot

Snapshot contains all the data included in Osquery differential logs.

Reference: Osquery Documentation on Logging. (scroll to Snapshot logs section)

schema: Osquery.Snapshot
description: Snapshot contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
    - name: calendarTime
      required: true
      description: The time of the event (UTC).
      type: timestamp
      timeFormats:
        - '%a %b %d %H:%M:%S %Y %Z'
        - '%a %b  %d %H:%M:%S %Y %Z'
      isEventTime: true
    - name: unixTime
      required: true
      description: UnixTime
      type: bigint
    - name: action
      required: true
      description: Action is the type of the event
      type: string
    - name: counter
      required: true
      description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
      type: bigint
    - name: decorations
      description: Decorations
      type: json
    - name: epoch
      required: true
      description: Epoch. When 'epoch' changes, counter will be reset back to 0.
      type: bigint
    - name: hostIdentifier
      required: true
      description: HostIdentifier. By default it's the hostname'
      type: string
      indicators:
        - domain
    - name: name
      required: true
      description: Name
      type: string
    - name: snapshot
      description: Snapshot
      type: array
      element:
        type: json

Osquery.Status

Status is a diagnostic osquery log about the daemon.

Reference: Osquery Documentation on Logging. (scroll to Status logs section)

schema: Osquery.Status
description: Status is a diagnostic osquery log about the daemon.
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
    - name: calendarTime
      required: true
      description: The time of the event (UTC).
      type: timestamp
      timeFormats:
        - '%a %b %d %H:%M:%S %Y %Z'
        - '%a %b  %d %H:%M:%S %Y %Z'
      isEventTime: true
    - name: decorations
      description: Decorations
      type: json
    - name: filename
      required: true
      description: Filename
      type: string
    - name: hostIdentifier
      required: true
      description: HostIdentifier
      type: string
      indicators:
        - domain
    - name: line
      required: true
      description: Line
      type: bigint
    - name: logType
      description: LogType
      type: string
    - name: log_type
      description: LogUnderScoreType
      type: string
    - name: message
      description: Message
      type: string
    - name: severity
      required: true
      description: Severity
      type: bigint
    - name: unixTime
      required: true
      description: UnixTime
      type: bigint
    - name: version
      required: true
      description: Version
      type: string

PreviousOrca Security Logs (Beta)NextOSSEC Logs

Last updated 1 year ago

Was this helpful?