osquery

Use the IBM Security QRadar osquery Custom Properties Content Extension to closely monitor Linux® devices using osquery.

Note: This content extension does not install when the Parent Filename custom property is present from Cisco AMP 1.0.0. Delete Parent Filename before you install this content extension.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar osquery Custom Properties Content Extension

IBM Security QRadar osquery Custom Properties Content Extension 1.0.2

The following table shows the new and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.2.

Table 1. New and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.2

Process ID
    Optimized: Yes
    Regex Capture Group: 1
    Regex: x_forwarded_for_header_value="([^"]*)"

IBM Security QRadar osquery Custom Properties Content Extension 1.0.1

The following table shows the new and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.1.

Table 2. New and updated custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.1

Container Image
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bimage":"([^\s"]+)".*action":"added"
    JSON:  /"columns"/"image"

Container Image ID
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bimage_id":"([^\s"]+)".*action":"added"
    JSON:  /"columns"/"image_id"

IBM Security QRadar osquery Custom Properties Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.0.

Table 3. Custom properties in IBM Security QRadar osquery Custom Properties Content Extension 1.0.0

Container ID
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bid":"([^\s"]+)"
           \bcontainer_id":"([^\s"]+)"
    JSON:  /"columns"/"id"
           /"columns"/"container_id"

Container Image
    Optimized: No
    Regex Capture Group: 1
    Regex: \bimage":"([^\s"]+)".*action":"added"
    JSON:  /"columns"/"image"

Container Image ID
    Optimized: No
    Regex Capture Group: 1
    Regex: \bimage_id":"([^\s"]+)".*action":"added"
    JSON:  /"columns"/"image_id"

Container Name
    Optimized: No
    Regex Capture Group: 1
    Regex: \bcontainer_name":"\/{0,1}([^\"]+)

Destination Mount Point
    Optimized: No
    JSON:  /"columns"/"destination"

File Directory
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \btarget_path[\":\s]+([^\"]+)\/[^\"]+

File Extension
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \btarget_path":".*?\/[^\/]+\.([^\/\.]*?)"

File Permissions
    Optimized: Yes
    JSON:  /"columns"/"mode"

Filename
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \btarget_path[\":\s]+[^\"]+\/([^\"\/]+)"

GroupID
    Optimized: Yes
    JSON:  /"columns"/"gid"

Image Tag
    Optimized: No
    Regex Capture Group: 1
    Regex: \btags":"([^\"]+)"
    JSON:  /"columns"/"tags"

Parent Process Name
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bparent_process_name":"([^\"]+)".*"action":"added"
    JSON:  /"columns"/"parent_process_name"

Parent Process Path
    Optimized: Yes
    Regex Capture Group: 1
    Regex: parent_process_path":"([^\"]+)".*?"action":"added"
    JSON:  /"columns"/"parent_process_path"

Privileged Container
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bprivileged":"(\d)".*"action":"added"
    JSON:  /"columns"/"privileged"

Process CommandLine
    Optimized: Yes
    Regex Capture Group: 1
    Regex: cmdline":"(.*?)".*"action":"added"
    JSON:  /"columns"/"cmdline"

Process Id
    Optimized: No
    Regex Capture Group: 1
    Regex: \bpid":"(\d+)"
    JSON:  /"columns"/"pid"

Process Name
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bprocess_name":"([^\"]+)".*action":"added
    JSON:  /"columns"/"process_name"

Rule Details
    Optimized: Yes
    JSON:  /"columns"/"rule_details"

SHA256 Hash
    Optimized: Yes
    Regex Capture Group: 1
    Regex: \bsha256":\s*"([^\"]+)".*action":"added
    JSON:  /"columns"/"sha256"

Source Mount Point
    Optimized: Yes
    JSON:  /"columns"/"source"

Target User Name
    Optimized: Yes
    JSON:  /"columns"/"header"
           /"columns"/"username"

User ID
    Optimized: Yes
    JSON:  /"columns"/"uid"
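To see how the Table 3 expressions behave on an actual osquery event before relying on them in a rule, the following added Python example (not code from IBM or from this page) applies four of the regex and JSON expressions above, copied verbatim, to a constructed osquery differential-result line. It assumes that Python's re engine evaluates these particular patterns the same way QRadar does, and it shows that the regex forms that end in action":"added" return nothing for a removed event while the JSON expressions still extract the column.

```python
import json
import re

# Regex and JSON expressions copied from Table 3 on this page (capture group 1).
PROPERTIES = {
    "Container ID": (r'\bid":"([^\s"]+)"', '/"columns"/"id"'),
    "Container Image": (r'\bimage":"([^\s"]+)".*action":"added"', '/"columns"/"image"'),
    "Privileged Container": (r'\bprivileged":"(\d)".*"action":"added"', '/"columns"/"privileged"'),
    "Process Id": (r'\bpid":"(\d+)"', '/"columns"/"pid"'),
}

def make_event(action):
    # Constructed osquery differential-result line (sample data, not from the page).
    # As in real osquery output it is compact JSON, every column value is a string,
    # and the "action" key follows "columns", which the ".*action":"added"" regexes rely on.
    event = {
        "name": "pack_containers_docker",
        "hostIdentifier": "host-01",
        "columns": {"id": "3f1c9a7d2b6e", "image": "nginx:1.25",
                    "image_id": "sha256:0123abcd", "privileged": "1", "pid": "4242"},
        "action": action,
    }
    return json.dumps(event, separators=(",", ":"))

def regex_extract(raw, pattern, group=1):
    # Apply a custom-property regex to the raw payload; None when it does not match.
    match = re.search(pattern, raw)
    return match.group(group) if match else None

def json_extract(raw, path):
    # Resolve a QRadar-style JSON expression such as /"columns"/"pid" against the payload.
    node = json.loads(raw)
    for key in path.strip("/").split("/"):
        if not isinstance(node, dict):
            return None
        node = node.get(key.strip('"'))
    return node

def evaluate(raw):
    # Map each property name to (value from regex, value from JSON expression).
    return {name: (regex_extract(raw, rx), json_extract(raw, jp))
            for name, (rx, jp) in PROPERTIES.items()}

if __name__ == "__main__":
    for action in ("added", "removed"):
        print(action, evaluate(make_event(action)))
```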