Nebula

osquery wrapper for HubbleStack Nebula

Designed to run sets of osquery queries defined in pillar. These sets will have a unique identifier, and be targeted by identifier. Usually, this identifier will be a frequency. (‘15 minutes’, ‘1 day’, etc). Identifiers are case-insensitive.

You can then use the scheduler of your choice to run sets of queries at whatever frequency you choose.

Sample pillar data:

  - crontab: query: select c.*,t.iso_8601 as _time from crontab as c join time as t;
  - query_name: suid_binaries
    query: select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;
  - query_name: rpm_packages
    query: select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;
hubblestack.extmods.modules.nebula_osquery.queries(query_group, query_file=None, verbose=False, report_version_with_day=True, topfile_for_mask=None, mask_passwords=False)

Run the set of queries represented by query_group from the configuration in the file query_file

query_group
    Group of queries to run
query_file
    salt:// file which will be parsed for osquery queries
verbose
    Defaults to False. If set to True, more information (such as the query which was run) will be included in the result.
topfile_for_mask
    This is the location of the top file from which the masking information will be extracted.
mask_passwords
    Defaults to False. If set to True, passwords mentioned in the return object are masked.

CLI Examples:

salt '*' nebula.queries day
salt '*' nebula.queries hour verbose=True
salt '*' nebula.queries hour pillar_key=sec_osqueries
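The pillar layout and the queries() parameters described above, as an added example that is not HubbleStack's own code: it assumes a top-level pillar key named nebula_osquery, selects a query set by case-insensitive identifier, runs each query through a pluggable runner (osqueryi with --json by default), includes the SQL only when verbose is set, and redacts credential-looking columns when mask_passwords is set (the column list is an assumption; the real module reads its masking rules from a top file).

```python
import json
import subprocess

# Constructed sample pillar. Query sets are keyed by an identifier (here a
# frequency); the top-level key name "nebula_osquery" is an assumption.
SAMPLE_PILLAR = {
    "nebula_osquery": {
        "Hour": [  # mixed case on purpose: identifiers are case-insensitive
            {"query_name": "suid_binaries",
             "query": "select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;"},
        ],
        "day": [
            {"query_name": "rpm_packages",
             "query": "select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;"},
        ],
    }
}
# Column names redacted when mask_passwords=True (assumed; the real module reads a top file).
SENSITIVE_COLUMNS = ("password", "passwd", "secret")

def select_group(pillar, query_group, pillar_key="nebula_osquery"):
    """Return the query entries whose identifier matches case-insensitively."""
    wanted = query_group.lower()
    for ident, entries in pillar.get(pillar_key, {}).items():
        if ident.lower() == wanted:
            return entries
    return []

def run_osqueryi(sql):
    """Default runner: execute one statement with osqueryi and parse its JSON rows."""
    proc = subprocess.run(["osqueryi", "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def mask_row(row):
    """Redact values in columns whose name looks credential-like."""
    return {k: "REDACTED" if any(s in k.lower() for s in SENSITIVE_COLUMNS) else v
            for k, v in row.items()}

def queries(pillar, query_group, verbose=False, mask_passwords=False, runner=run_osqueryi):
    """Run every query in the group; the SQL text is included only when verbose is set."""
    results = []
    for entry in select_group(pillar, query_group):
        rows = runner(entry["query"])
        if mask_passwords:
            rows = [mask_row(r) for r in rows]
        item = {"query_name": entry["query_name"], "data": rows}
        if verbose:
            item["query"] = entry["query"]
        results.append(item)
    return results
```

Pass a fake runner to exercise the selection, verbose and masking logic without osqueryi installed; the default runner shells out to osqueryi on a real host.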