# Fleet DM

## About
Fleet makes it easy to optimize osquery. The lightweight agent lets you inspect all of your Mac, Windows, and Linux devices. Ask any question about any endpoint anywhere. Since Fleet is open source, you have complete control of your data.
## Product Details
Vendor URL: Fleet DM
Product Type: Device Management
Product Tier: Tier III
Integration Method: Custom
## Parser Details
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: FLEET_DM
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| Fleet DM (constant) | metadata.product_name |
| Fleet DM (constant) | metadata.vendor_name |
| record.hostname | security_result.about.hostname |
| record.url | security_result.about.url |
| vulnerability.cve | metadata.product_event_type |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| all logs | GENERIC_EVENT |
## Log Sample

```json
{
  "timestamp": "2023-03-02T18:04:11.655841971Z",
  "vulnerability": {
    "cve": "CVE-2022-48339",
    "details_link": "url1",
    "hosts_affected": [
      {"hostname": "hostname1", "display_name": "displayname1", "url": "url2", "id": 579},
      {"url": "url3", "id": 977, "hostname": "hostname2", "display_name": "hostname2"},
      {"id": 2695, "hostname": "hostname3", "display_name": "hostname3", "url": "url3"}
    ]
  }
}
```
## Sample Parsing

```
metadata.event_timestamp.seconds = 1677780251
metadata.event_timestamp.nanos = 655841971
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Fleet DM"
metadata.product_name = "Fleet DM"
metadata.product_event_type = "CVE-2022-48339"
security_result.about.hostname = "hostname1"
security_result.about.url = "url2"
security_result.about.hostname = "hostname2"
security_result.about.url = "url3"
security_result.about.hostname = "hostname3"
security_result.about.url = "url3"
```
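The mapping above can be reproduced in a few lines, which is useful when validating that a Fleet vulnerability webhook payload will normalize as expected before it reaches the SIEM. The script below is an added example written for this page; it is not the vendor's parser and does not use any SIEM SDK. It assumes only the field mapping documented above: the RFC 3339 timestamp is split into whole seconds and nanoseconds (Python's own ISO parser only keeps microseconds, so the fraction is handled by hand), `vulnerability.cve` becomes `metadata.product_event_type`, and each entry in `hosts_affected` fans out into one repeated `security_result.about` block. The sample event is the page's own log sample, embedded as a constant. The function names (`parse_fleet_event`, `render_udm_lines`) are my own.

```python
import calendar
import json
import re
from datetime import datetime

# Constructed input: the Log Sample from this page, embedded so the script runs offline.
SAMPLE_EVENT = (
    '{"timestamp":"2023-03-02T18:04:11.655841971Z","vulnerability":{"cve":"CVE-2022-48339",'
    '"details_link":"url1","hosts_affected":[{"hostname":"hostname1","display_name":"displayname1",'
    '"url":"url2","id":579},{"url":"url3","id":977,"hostname":"hostname2","display_name":"hostname2"},'
    '{"id":2695,"hostname":"hostname3","display_name":"hostname3","url":"url3"}]}}'
)

# RFC 3339 UTC timestamp with an optional fraction of up to nine digits.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def split_rfc3339_timestamp(ts):
    """Return (epoch_seconds, nanos) for a UTC RFC 3339 string.

    The fraction is parsed as text and right-padded to nine digits, so
    nanosecond precision survives (datetime would truncate to microseconds).
    """
    m = _TS_RE.match(ts)
    if not m:
        raise ValueError(f"unsupported timestamp format: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    seconds = calendar.timegm(base.timetuple())  # timegm treats the tuple as UTC
    nanos = int((m.group(2) or "").ljust(9, "0"))
    return seconds, nanos


def parse_fleet_event(raw):
    """Map one Fleet DM vulnerability event (JSON text) to a UDM-shaped dict.

    Follows the field table on this page: constant vendor/product names,
    GENERIC_EVENT for every log, CVE id as product_event_type, and one
    security_result.about entry per affected host.
    """
    event = json.loads(raw)
    vuln = event.get("vulnerability", {})
    seconds, nanos = split_rfc3339_timestamp(event["timestamp"])

    udm = {
        "metadata": {
            "event_timestamp": {"seconds": seconds, "nanos": nanos},
            "event_type": "GENERIC_EVENT",
            "vendor_name": "Fleet DM",
            "product_name": "Fleet DM",
        },
        "security_result": [],
    }
    if vuln.get("cve"):
        udm["metadata"]["product_event_type"] = vuln["cve"]

    # Fan-out: each affected host becomes a repeated security_result block.
    # Fields that are absent in the source are simply not emitted.
    for host in vuln.get("hosts_affected", []):
        about = {}
        if host.get("hostname"):
            about["hostname"] = host["hostname"]
        if host.get("url"):
            about["url"] = host["url"]
        if about:
            udm["security_result"].append({"about": about})
    return udm


def render_udm_lines(udm):
    """Flatten the dict into the 'dotted.path = value' lines used under Sample Parsing."""
    lines = []

    def walk(prefix, value):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(f"{prefix}.{key}" if prefix else key, child)
        elif isinstance(value, list):
            for item in value:  # repeated field: same path, emitted once per element
                walk(prefix, item)
        elif isinstance(value, str):
            lines.append(f'{prefix} = "{value}"')
        else:
            lines.append(f"{prefix} = {value}")

    walk("", udm)
    return lines


if __name__ == "__main__":
    for line in render_udm_lines(parse_fleet_event(SAMPLE_EVENT)):
        print(line)
```

Running the script prints exactly the twelve lines shown under Sample Parsing. Note that `display_name`, `id` and `details_link` are present in the source but not in the mapping table, which is consistent with a normalization rate below 100%; if those fields matter for investigation, they would need an additional mapping rather than being recovered from the UDM record.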