Skip to content

add LocalOsquery driver based on LocalData one#624

Merged
ianhelle merged 16 commits intomicrosoft:mainfrom
juju4:devel-localosquery
Apr 18, 2023
Merged

add LocalOsquery driver based on LocalData one#624
ianhelle merged 16 commits intomicrosoft:mainfrom
juju4:devel-localosquery

Conversation

@juju4
Copy link
Collaborator

@juju4 juju4 commented Feb 4, 2023

  • load filesystem type osquery output, typically osqueryd.results.log and osqueryd.snapshots.log
  • osquery process schema
  • example notebook
  • example queries yaml file (very partial as depending on osquery config itself)

Known issues

  • resource intensive, part because log file contains all queries output and need to be split
  • datetime64 type is marked correctly in schema but not in some/all queries. ex: df_fim

@review-notebook-app
Copy link

review-notebook-app bot commented Feb 4, 2023

Check out this pull request on  ReviewNB

See visual diffs & provide feedback on Jupyter Notebooks.

Powered by ReviewNB

ianhelle
ianhelle requested changes Feb 9, 2023
View reviewed changes
Copy link
Contributor

@ianhelle ianhelle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is awesome but maybe we should iterate a little over the implementation

juju4 and others added 4 commits February 11, 2023 20:54
@juju4
split try/except, mypy json_out
d050b79
@ianhelle
Simplifed local_osquery_driver.py a little. Now loads query files to …
221b42b 
…memory on connect/query/schema access.

Changed name/enum of provider to OSQueryLogs
Added template unit test case test_load_osquery_driver.py
Added entry in msticpyconfig-test.yaml for OSQueryLogs (in DataProviders section)
@ianhelle
Merge branch 'main' into pr/juju4/624-1
4331ca4
@ianhelle
Skipping tests that will currently fail because no data in test_load_…
829b5d4 
…osquery_driver.py
@ianhelle
Copy link
Contributor

ianhelle commented Mar 7, 2023

@juju4 I've pushed some changes to the PR. I think these make it a bit cleaner but see what you think.
I've also added a couple of unit tests - but don't have any test data to use. Do you have a cut down OSQuery log file with a few tables/event types in it?

@juju4
Copy link
Collaborator Author

juju4 commented Mar 11, 2023

On test data, will review to have a dataset available

@juju4
Copy link
Collaborator Author

juju4 commented Mar 17, 2023

shared some data through discord

@ianhelle ianhelle merged commit f78bd67 into microsoft:main Apr 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ianhelle ianhelle ianhelle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@juju4 @ianhelle