Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Osquery

 

Use the JSA osquery Custom Properties Content Extension to closely monitor Linux devices using osquery.

Note

This content extension does not install when the Parent Filename custom property is present from Cisco AMP V.1.0.0. Delete Parent Filename before you install this content extension.

JSA Osquery Custom Properties Content Extension V1.0.0

The following table shows the custom properties in JSA osquery Custom Properties Content Extension V1.0.0.

Table 1: Custom Properties in JSA Osquery Custom Properties Content Extension V1.0.0

Name

Optimized

Regex Capture Group

Expressions

Container ID

Yes

1

  • Regex--\bid":"([^\s"]+)"\bcontainer_id":"([^\s"]+)"

  • JSON--/"columns"/"id"/"columns"/"container_id"

Container Image

No

1

  • Regex--\bimage":"([^\s"]+)".*action":"added"

  • JSON--/"columns"/"image"

Container Image ID

No

1

  • Regex--\bimage_id":"([^\s"]+)".*action":"added"

  • JSON--/"columns"/"image_id"

Container Name

No

1

  • Regex--\bcontainer_name":"\/{0,1}([^\"]+)

Destination Mount Point

No

 

  • JSON--/"columns"/"destination"

File Directory

Yes

1

  • Regex--\btarget_path[\":\s]+([^\"]+)\/[^\"]+

File Extension

Yes

1

  • Regex--\btarget_path":".*?\/[^\/]+\.([^\/\.]*?)"

File Permissions

Yes

 

  • JSON--/"columns"/"mode"

Filename

Yes

1

  • Regex--\btarget_path[\":\s]+[^\"]+\/([^\"\/]+)"

GroupID

Yes

 

  • JSON--/"columns"/"gid"

Image Tag

No

1

  • Regex--\btags":"([^\"]+)"

  • JSON--/"columns"/"tags"

Parent Process Name

Yes

1

  • Regex--\bparent_process_name":"([^\"]+)".*"action":"added"

  • JSON--/"columns"/"parent_process_name"

Parent Process Path

Yes

1

  • Regex--parent_process_path":"([^\"]+)".*?"action":"added"

  • JSON--/"columns"/"parent_process_path"

Privileged Container

Yes

1

  • Regex--\bprivileged":"(\d)".*"action":"added"

  • JSON--/"columns"/"privileged"

Process CommandLine

Yes

1

  • Regex--cmdline":"(.*?)".*"action":"added"

  • JSON--/"columns"/"cmdline"

Process Id

No

1

  • Regex--\bpid":"(\d+)"

  • JSON--/"columns"/"pid"

Process Name

Yes

1

  • Regex--\bprocess_name":"([^\"]+)".*action":"added

  • JSON--/"columns"/"process_name"

Rule Details

Yes

 

  • JSON--/"columns"/"rule_details"

SHA256 Hash

Yes

1

  • Regex--\bsha256":\s*"([^\"]+)".*action":"added

  • JSON--/"columns"/"sha256"

Source Mount Point

Yes

 

  • JSON--/"columns"/"source"

Target User Name

Yes

 

  • JSON--/"columns"/"header"/"columns"/"username"

User ID

Yes

 

  • JSON--/"columns"/"uid"

Related Documentation