Osquery

Inspect all operating systems activity for suspicious behavior.

Request a DemoRead the Docs

App Info

Monitor osquery logs with Panther’s osquery integration to gain complete security visibility into activity in operating systems.

Osquery is a powerful, host-based application that exposes the operating system as a set of SQLite tables. Panther can collect, normalize, and monitor osquery logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a data lake powered by AWS or the cloud-native data platform, Snowflake.

Use Panther’s built in rules to monitor activity, or write your own detections in Python to fit your internal business use cases.

Use Cases

Common security use cases for osquery with Panther include:

  • Track activity in your installed programs, running processes, network connections, or system logs
  • Monitor user activity such as failed logins and other user-related events
  • Monitor for chrome extensions that could lead to a credential compromise
  • Monitor listening ports on a production Linux host.

How it Works

The integration is simple and fast:

  • Send osquery log data to an AWS S3 bucket using the AWS Firehose plugin
  • Add your S3 Bucket as a data source in Panther
  • Panther will parse, normalize, and analyze your log data in real-time
  • As detections are triggered, alerts are sent to your configured destinations
  • Normalized logs are retained in a data lake to power investigations with Panther’s Data Explorer (Enterprise only)

Learn more about Panther's supported log schema for osquery. Also, check out our step-by-step tutorial for onboarding and analyzing osquery logs with Panther.