Osquery
About
Osquery is a universal, lightweight, highly configurable endpoint agent that collects and normalizes data across macOS, Linux, Windows and container environments. It is managed by The Linux Foundation and is widely adopted by IT security teams looking for an open platform for endpoint visibility. osquery increases visibility across your infrastructure and gives you the power to ask questions using SQL across any machine, such as "Which machines are running vulnerable software packages?" and "Where else are we seeing this malicious process?"
Product Details
Vendor URL: Gain Open Source Security Tools With osquery - Uptycs
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Logging - osquery - Read the Docs
Log Guide: Logging - osquery - Read the Docs
Parser Details
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: OSQUERY_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
action | security_result.action_details |
columns.address | target.hostname |
columns.address | target.domain.name |
columns.address | target.ip |
columns.parent | principal.process.parent_pid |
columns.path | target.process.file.mime_type |
columns.path | target.process.file.full_path |
columns.pid | target.process.pid |
columns.port | target.port |
columns.protection_type | metadata.description |
columns.state | security_result.summary |
counter | additional.counter |
description | metadata.description |
directory | principal.process.file.mime_type |
epoch | additional.epoch |
event_type | metadata.event_type |
hostIdentifier | principal.hostname |
key | target.registry.registry_key |
name | principal.asset.software |
name | security_result.summary |
numerics | additional.numerics |
Osquery | metadata.product_name |
product_event | metadata.product_event_type |
shell | principal.process.command_line |
snapshot.0.name | principal.asset.platform_software.platform_version |
snapshot.0.name | principal.asset.platform_software.platform_patch_level |
snapshot.0.platform | principal.asset.platform_software.platform |
source_url | src.file.full_path |
suser | principal.user.userid |
type | metadata.description |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
Default | | STATUS_UNCATEGORIZED | |
columns.pid, columns.path | | PROCESS_LAUNCH | |
login-event | | USER_LOGIN | |
Log Sample
{"snapshot":[{"arch":"64-bit","build":"19041","codename":"Microsoft Windows 10 Pro","install_date":"1644465445","major":"10","minor":"0","name":"Microsoft Windows 10 Pro","patch":"","platform":"windows","platform_like":"windows","version":"10.0.19041"}],"action":"snapshot","name":"os_version","hostIdentifier":"DEVICENAMAE","calendarTime":"Sun Jun 12 16:32:40 2022 UTC","unixTime":1655051560,"epoch":0,"counter":0,"numerics":false}
Sample Parsing
metadata.event_timestamp = "2022-06-12T16:32:40Z"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.product_name = "Osquery"
metadata.product_event_type = "os_version"
additional.numerics = "false"
additional.counter = "0"
additional.epoch = "0"
principal.hostname = "DEVICENAMAE"
principal.asset_id = "CS:a6v546v51r65f1v6e51v564b16000"
principal.asset.hostname = "DEVICENAMAE"
principal.asset.asset_id = "CS:a6v546v51r65f1v6e51v564b16000"
principal.asset.platform_software.platform = "WINDOWS"
principal.asset.platform_software.platform_version = "Microsoft Windows 10 Pro"
principal.asset.platform_software.platform_patch_level = "10.0.19041"
security_result.summary = "os_version"
security_result.action_details = "snapshot"
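As an added illustration (not the vendor's parser), the following Python normalizer applies the UDM field mappings and the Product Event Types classification above to the Log Sample and reproduces the Sample Parsing values. It assumes platform_patch_level is taken from snapshot.0.version, which is what the sample output shows, and omits asset_id, which is not derived from the log line.

```python
import json
from datetime import datetime, timezone

# Constructed sample: an abbreviated copy of the os_version snapshot from the Log Sample section.
SAMPLE_LOG = ('{"snapshot":[{"arch":"64-bit","build":"19041","name":"Microsoft Windows 10 Pro",'
              '"platform":"windows","version":"10.0.19041"}],"action":"snapshot","name":"os_version",'
              '"hostIdentifier":"DEVICENAMAE","calendarTime":"Sun Jun 12 16:32:40 2022 UTC",'
              '"unixTime":1655051560,"epoch":0,"counter":0,"numerics":false}')

# columns.* mappings from the UDM Fields table (address also maps to hostname/domain in the table).
COLUMN_MAP = {"pid": "target.process.pid", "path": "target.process.file.full_path",
              "parent": "principal.process.parent_pid", "port": "target.port", "address": "target.ip"}

def classify(rec):
    """Event classification per the Product Event Types table."""
    cols = rec.get("columns", {})
    if rec.get("name") == "login-event":
        return "USER_LOGIN"
    if "pid" in cols and "path" in cols:
        return "PROCESS_LAUNCH"
    return "STATUS_UNCATEGORIZED"

def normalize(raw):
    """Map one osquery JSON result line to flat UDM field names."""
    rec = json.loads(raw)
    ts = datetime.fromtimestamp(rec["unixTime"], tz=timezone.utc)
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": classify(rec),
        "metadata.product_name": "Osquery",
        "metadata.product_event_type": rec["name"],
        "additional.numerics": str(rec.get("numerics", "")).lower(),
        "additional.counter": str(rec.get("counter", "")),
        "additional.epoch": str(rec.get("epoch", "")),
        "principal.hostname": rec["hostIdentifier"],
        "security_result.summary": rec["name"],
        "security_result.action_details": rec["action"],
    }
    snap = rec.get("snapshot") or []
    if snap:  # os_version snapshot: platform fields come from the first row
        udm["principal.asset.platform_software.platform"] = snap[0]["platform"].upper()
        udm["principal.asset.platform_software.platform_version"] = snap[0]["name"]
        udm["principal.asset.platform_software.platform_patch_level"] = snap[0]["version"]  # assumed source
    cols = rec.get("columns", {})
    for src, dst in COLUMN_MAP.items():
        if src in cols:
            udm[dst] = cols[src]
    return udm
```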
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon