osquery wrapper for HubbleStack Nebula
Designed to run sets of osquery queries defined in pillar. Each set has a unique identifier and is targeted by that identifier. Usually the identifier is a frequency ('15 minutes', '1 day', etc.). Identifiers are case-insensitive.
You can then use the scheduler of your choice to run sets of queries at whatever frequency you choose.
Sample pillar data (a query entry may be written either in the shorthand form, with the query name as the key, or with an explicit query_name):

    - crontab:
        query: select c.*,t.iso_8601 as _time from crontab as c join time as t;
    - query_name: suid_binaries
      query: select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;
    - query_name: rpm_packages
      query: select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;
queries(query_group, query_file=None, verbose=False, report_version_with_day=True, topfile_for_mask=None, mask_passwords=False)
Run the set of queries represented by query_group from the configuration in the file query_file.
- query_group: Group of queries to run.
- query_file: salt:// file which will be parsed for osquery queries.
- verbose: Defaults to False. If set to True, more information (such as the query which was run) will be included in the result.
- topfile_for_mask: The location of the top file from which the masking information will be extracted.
- mask_passwords: Defaults to False. If set to True, passwords mentioned in the return object are masked.
CLI Examples:

    salt '*' nebula.queries day
    salt '*' nebula.queries hour verbose=True
    salt '*' nebula.queries hour pillar_key=sec_osqueries
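To illustrate how the two pillar entry shapes, the case-insensitive group lookup and the verbose flag fit together, here is an added Python example (not the nebula module's own code). The top-level pillar key, the group identifiers "Hour" and "day" and the shape of the returned dictionary are assumptions; the query entries are the ones from the sample pillar above.

```python
# Constructed sample pillar (not from the page): the top-level key and the
# group identifiers are assumptions; the entries use the two shapes shown
# in the sample pillar (shorthand key, and explicit query_name).
SAMPLE_PILLAR = {
    "nebula_osquery": {
        "Hour": [
            {"crontab": {"query": "select c.*,t.iso_8601 as _time from crontab as c join time as t;"}},
            {"query_name": "suid_binaries",
             "query": "select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;"},
        ],
        "day": [
            {"query_name": "rpm_packages",
             "query": "select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;"},
        ],
    }
}


def normalize_entry(entry):
    """Return (query_name, sql) for either pillar entry shape."""
    if "query_name" in entry:                 # explicit form
        return entry["query_name"], entry["query"]
    (name, body), = entry.items()             # shorthand form: {name: {query: ...}}
    return name, body["query"]


def select_queries(pillar, query_group, pillar_key="nebula_osquery"):
    """Case-insensitive lookup of a query group; returns [(name, sql), ...]."""
    wanted = query_group.lower()
    for ident, entries in pillar.get(pillar_key, {}).items():
        if ident.lower() == wanted:
            return [normalize_entry(e) for e in entries]
    return []


def build_results(pillar, query_group, run_query, verbose=False):
    """Run every query of the group through run_query(sql) -> rows.
    Assumed result shape: rows under "data", and the SQL that was run
    under "query" only when verbose is True."""
    results = {}
    for name, sql in select_queries(pillar, query_group):
        item = {"data": run_query(sql)}
        if verbose:
            item["query"] = sql
        results[name] = item
    return results
```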