Osquery Log Monitoring

Integration Overview

Osquery is an operating system instrumentation framework that enables analytics, monitoring, and exploration of operating system data. Panther can collect, normalize, and monitor Osquery logs to help you identify suspicious operating system activity in real time. Your normalized data is then retained to enable future security investigations in a serverless data lake powered by Snowflake.

Use Cases for Osquery Logs

Panther supports four types of Osquery logs: Osquery.Batch, Osquery.Differential, Osquery.Snapshot, and Osquery.System. Common security use cases for monitoring Osquery logs include:

  • Track activity in your installed programs, running processes, network connections, or system logs
  • Monitor user activity such as failed logins and other user-related events
  • Monitor for Chrome extensions that could lead to a credential compromise
  • Monitor listening ports on a production Linux host

Onboarding Osquery with Panther

Panther’s integration for Osquery is quick to configure, so you can onboard your logs in a few minutes. Select Osquery from the list of pre-defined log sources, choose your preferred data transport, and then configure Osquery to write its result logs to that transport.

For more details on onboarding Osquery logs or for supported log schema, you can view our Osquery documentation here.

Parsing, Normalizing, & Analyzing Osquery Logs

As Panther ingests your Osquery logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows your security team to build detections, identify anomalies, and conduct investigations on Osquery logs using days, weeks, or months of data.

Panther applies normalization fields to all log records, which standardizes names for attributes and allows you to correlate data across all log sources. You can use Panther’s intuitive search features to investigate your normalized Osquery logs for suspicious activity or vulnerabilities. For more on querying and searching normalized log data in Panther, check out our documentation on Investigations & Search.

Detection as Code

With Panther, your team won’t be confined to restrictive detection rules or proprietary languages as seen in many SIEMs. Panther is built around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate systems like CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detection logic for your team.

A number of pre-built detections are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Osquery logs here.

Configuring Alerts

Panther fires alerts when your detection rules or policies are triggered, and integrates with a variety of alert destinations so your security team can access and manage alerts easily. Alerts can also be sent to task management or SOAR platforms for more remediation options.

Alerts are categorized into five severity levels: Info, Low, Medium, High, and Critical. Security teams also have the option to assign severity dynamically, based on specific attributes of the log event that triggered the rule.
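To make the detection-as-code and dynamic-severity points above concrete, here is an added example (not Panther’s or osquery’s own code) of a Python rule for Osquery.Differential events that alerts when a production Linux host starts listening on an unexpected port, with the severity computed from the event rather than fixed per rule. It assumes Panther’s Python rule entry points (rule, title, severity, dedup); the query name, the column set (osquery’s listening_ports table joined with processes) and the sample events are assumptions constructed for this example.

```python
# Added example, not Panther's or osquery's own code. A Panther-style
# detection-as-code rule for Osquery.Differential events: alert on a new,
# network-reachable listener on an unexpected port, with severity derived
# from event attributes. Entry points (rule/title/severity/dedup) are assumed
# to match Panther's Python rule convention; query name, columns and sample
# events are constructed for this example.
from __future__ import annotations

# Ports production hosts are expected to listen on (assumption).
EXPECTED_PORTS = {22, 80, 443}
# Ports commonly used by reverse-shell tooling; treated as Critical (assumption).
HIGH_RISK_PORTS = {4444, 5555, 31337}
# A listener bound to loopback is unreachable from the network.
LOOPBACK = {"127.0.0.1", "::1"}
# osquery pack/query name this rule is scoped to (assumption).
LISTENING_PORTS_QUERY = "pack_incident_response_listening_ports"
# Directories from which no legitimate production service should execute.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def _port(event: dict) -> int:
    """Return the port from an osquery row; osquery emits column values as strings."""
    try:
        return int(event.get("columns", {}).get("port", 0))
    except (TypeError, ValueError):
        return 0


def rule(event: dict) -> bool:
    """True when a differential 'added' row reports a new, unexpected, non-loopback listener."""
    if event.get("name") != LISTENING_PORTS_QUERY:
        return False
    # Differential logs carry 'added' and 'removed' rows; a closed port is not a finding.
    if event.get("action") != "added":
        return False
    cols = event.get("columns", {})
    if cols.get("address") in LOOPBACK:
        return False
    port = _port(event)
    return port != 0 and port not in EXPECTED_PORTS


def severity(event: dict) -> str:
    """Dynamic severity from event attributes instead of one fixed rule-level value."""
    cols = event.get("columns", {})
    if _port(event) in HIGH_RISK_PORTS:
        return "CRITICAL"
    # Root-owned listeners, or binaries run from scratch directories, outrank the baseline.
    if cols.get("uid") == "0" or cols.get("path", "").startswith(SUSPICIOUS_EXEC_DIRS):
        return "HIGH"
    return "MEDIUM"


def title(event: dict) -> str:
    cols = event.get("columns", {})
    return (f"New listener on {event.get('hostIdentifier')}: "
            f"{cols.get('name')} (pid {cols.get('pid')}) on "
            f"{cols.get('address')}:{cols.get('port')}")


def dedup(event: dict) -> str:
    """Group repeated rows for the same host and port into a single alert."""
    return f"{event.get('hostIdentifier')}:{event.get('columns', {}).get('port')}"


def _event(action: str, host: str, **columns: str) -> dict:
    """Build a constructed Osquery.Differential record in osquery's result-log shape."""
    return {
        "name": LISTENING_PORTS_QUERY,
        "hostIdentifier": host,
        "calendarTime": "Mon Jan  8 12:00:00 2024 UTC",
        "unixTime": 1704715200,
        "epoch": 0,
        "counter": 1,
        "decorations": {"environment": "production"},
        "columns": columns,
        "action": action,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("added", "prod-web-01", pid="812", port="443", protocol="6", address="0.0.0.0",
           name="nginx", path="/usr/sbin/nginx", uid="0"),
    _event("added", "prod-web-01", pid="4471", port="4444", protocol="6", address="0.0.0.0",
           name="python3", path="/usr/bin/python3", uid="0"),
    _event("removed", "prod-web-02", pid="901", port="22", protocol="6", address="0.0.0.0",
           name="sshd", path="/usr/sbin/sshd", uid="0"),
    _event("added", "prod-web-02", pid="5120", port="8080", protocol="6", address="0.0.0.0",
           name="node", path="/opt/app/node", uid="1000"),
    _event("added", "prod-web-02", pid="5200", port="9000", protocol="6", address="127.0.0.1",
           name="php-fpm", path="/usr/sbin/php-fpm", uid="33"),
    _event("added", "prod-db-01", pid="6100", port="31000", protocol="6", address="::",
           name="sh", path="/dev/shm/.x", uid="1001"),
]


def evaluate(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run the rule over events; return (dedup key, severity, title) for each match."""
    return [(dedup(e), severity(e), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for key, sev, text in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] {key}  {text}")
```

Run against the constructed events, the rule ignores the expected nginx listener, the removed sshd row and the loopback-only php-fpm socket, and raises three alerts: Critical for the root-owned python3 process on 4444, Medium for the unprivileged node service on 8080, and High for the shell executing from /dev/shm. Because the rule is ordinary Python, the same file can carry unit tests over these sample events and run in CI before the detection is deployed.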

Customer Support

If you have any questions about ingesting or monitoring Osquery logs in Panther, we’re here to help. All customers have access to our technical support team via a dedicated Slack channel, email, or in-app messenger.

You can view our detailed documentation on configuring and monitoring Osquery logs here, or customers can join the Panther Community to share best practices or custom detections for monitoring Osquery.

Replacing Traditional SIEM for Osquery Log Monitoring

With Panther, you don’t have to waste precious time and effort on operational overhead, accept limitations with SIEM detections, or pay skyrocketing costs to keep up with the growth of your data. Panther was founded by a team of veteran security practitioners who struggled with legacy SIEM challenges first-hand, and built a scalable, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts to keep up with the needs of today’s security teams. For a powerful, practical, and scalable SIEM solution for Osquery, request a demo today.
