Nebula (nebula_osquery.py)

osquery wrapper for HubbleStack Nebula

Designed to run sets of osquery queries defined in pillar. Each set has a unique identifier and is targeted by that identifier. Usually the identifier is a frequency ('15 minutes', '1 day', etc.). Identifiers are case-insensitive.

You can then use the scheduler of your choice to run sets of queries at whatever frequency you choose.

Sample pillar data:

nebula_osquery:
  hour:
    - crontab:
        query: select c.*,t.iso_8601 as _time from crontab as c join time as t;
    - query_name: suid_binaries
      query: select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;
  day:
    - query_name: rpm_packages
      query: select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;

hubblestack.extmods.modules.nebula_osquery.queries(query_group, query_file=None, verbose=False, report_version_with_day=True, topfile_for_mask=None, mask_passwords=False)

Run the set of queries represented by query_group, taken from the configuration in the file query_file.

query_group
Group of queries to run (matched case-insensitively against the identifiers in the configuration)
query_file
salt:// file which will be parsed for osquery queries
verbose
Defaults to False. If set to True, more information (such as the query that was run) is included in the result.
topfile_for_mask
Location of the top file from which the masking information is extracted.
mask_passwords
Defaults to False. If set to True, passwords mentioned in the return object are masked.

CLI Examples:

salt '*' nebula.queries day
salt '*' nebula.queries hour verbose=True
salt '*' nebula.queries hour pillar_key=sec_osqueries
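The following is an added example, not HubbleStack's own code, showing how a query group like the pillar above is resolved and executed. It normalises both entry shapes the sample pillar uses (a mapping keyed by the query name, and a flat query_name/query pair), looks the group up case-insensitively, runs each statement through the osqueryi shell in JSON mode, and records the SQL in the result only when verbose is set. The pillar is a constructed Python dict rather than real pillar data; the pillar_key parameter, the osqueryi invocation and the result layout ({"data", "result", "query"}) are this example's assumptions, not the module's API.

```python
"""Added example (not HubbleStack's own code): resolve a Nebula-style
query group and run it through osqueryi, with an injectable runner."""
import json
import subprocess

# Constructed sample pillar mirroring the two entry shapes shown on the page.
SAMPLE_PILLAR = {
    "nebula_osquery": {
        "hour": [
            {"crontab": {"query": "select c.*,t.iso_8601 as _time "
                                  "from crontab as c join time as t;"}},
            {"query_name": "suid_binaries",
             "query": "select sb.*, t.iso_8601 as _time "
                      "from suid_bin as sb join time as t;"},
        ],
        "day": [
            {"query_name": "rpm_packages",
             "query": "select rpm.*, t.iso_8601 "
                      "from rpm_packages as rpm join time as t;"},
        ],
    }
}


def resolve_group(pillar, query_group, pillar_key="nebula_osquery"):
    """Return [(name, sql), ...] for query_group. Group identifiers are
    matched case-insensitively, as the module documentation states.
    pillar_key is an assumed parameter (the page's CLI example passes one)."""
    groups = pillar.get(pillar_key, {})
    wanted = query_group.lower()
    entries = next((v for k, v in groups.items() if k.lower() == wanted), None)
    if entries is None:
        raise KeyError(f"no query group {query_group!r} under {pillar_key}")
    resolved = []
    for entry in entries:
        if "query_name" in entry:            # flat query_name/query form
            resolved.append((entry["query_name"], entry["query"]))
        else:                                # name -> {query: ...} form
            (name, body), = entry.items()
            resolved.append((name, body["query"]))
    return resolved


def run_osqueryi(sql):
    """Execute one statement with the osqueryi shell and decode its JSON rows.
    Assumes an osqueryi binary on PATH; --json makes it emit a JSON array."""
    proc = subprocess.run(["osqueryi", "--json", sql],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def queries(pillar, query_group, verbose=False, runner=run_osqueryi):
    """Run every query in the group. A failing query is reported with
    result=False instead of aborting the rest of the group; verbose=True
    additionally records the SQL that was run, per the module's contract."""
    results = {}
    for name, sql in resolve_group(pillar, query_group):
        try:
            entry = {"data": runner(sql), "result": True}
        except (subprocess.CalledProcessError, FileNotFoundError,
                ValueError) as exc:
            entry = {"data": [], "result": False, "error": str(exc)}
        if verbose:
            entry["query"] = sql
        results[name] = entry
    return results


if __name__ == "__main__":
    # Equivalent of `salt '*' nebula.queries hour verbose=True` on one host.
    print(json.dumps(queries(SAMPLE_PILLAR, "hour", verbose=True), indent=2))
```

The runner is injectable so the resolution and result-shaping logic can be exercised without osquery installed; in production the default run_osqueryi is used, and a scheduler invokes queries() with the group name matching the desired frequency.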