-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathosquery.conf
64 lines (63 loc) · 3.84 KB
/
osquery.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
{
"options": {
"disable_events": "false",
"disable_audit": false,
"audit_persist": true,
"audit_allow_config": true
},
"schedule": {
"processes_created": {
"query": "SELECT count(*) as number, GROUP_CONCAT (DISTINCT path) as paths FROM process_events",
"interval": 60,
"snapshot": true
},
"number_processes": {
"query": "SELECT count(*) as number FROM processes",
"interval": 60,
"snapshot": true
},
"file_changes": {
"query": "SELECT count(*) as number, GROUP_CONCAT (DISTINCT target_path) as paths FROM file_events WHERE action IN ('UPDATED')",
"interval": 60,
"snapshot": true
},
"number_listening_ports": {
"query": "SELECT count(DISTINCT port) as number, GROUP_CONCAT (DISTINCT port) as ports FROM listening_ports WHERE port != 0",
"interval": 60,
"snapshot": true
},
"documents_touched": {
"query": "SELECT count(*) as number, GROUP_CONCAT (DISTINCT target_path) as paths FROM file_events WHERE action IN ('UPDATED', 'ATTRIBUTES_MODIFIED') AND (target_path LIKE '%.pdf' OR target_path LIKE '%.doc' OR target_path LIKE '%.docx' OR target_path LIKE '%.ppt' OR target_path LIKE '%.xls' OR target_path LIKE '%.txt' OR target_path LIKE '%.html' OR target_path LIKE '%.htm' OR target_path LIKE '%.txt' OR target_path LIKE '%.odt' OR target_path LIKE '%.ods' OR target_path LIKE '%.xlsx' OR target_path LIKE '%.pptx')",
"interval": 60,
"snapshot": true
},
"files_moved": {
"query": "SELECT count(*) as number, GROUP_CONCAT (DISTINCT target_path) as paths FROM file_events WHERE action IN ('MOVED_FROM', 'MOVED_TO')",
"interval": 60,
"snapshot": true
},
"decoys_activated": {
"query": "SELECT count(*) as number, GROUP_CONCAT (DISTINCT target_path) as paths FROM file_events WHERE target_path = '/home/ana/.cache/chromium/Default/Cache/079a095ca14f7de8_0' OR target_path = '/home/ana/.cache/thumbnails/normal/90c5e742ec9cdbf5d6438d925b6be581.png' OR target_path = '/home/ana/.cache/mozilla/firefox/n6fu3vn8.default/cache2/entries/DF9CD2700FCD8A7CEA62A713D59BE159882AD1F6' OR target_path = '/home/ana/.local/share/okular/docdata/1191240.RUU_Journal2.pdf.xml' OR target_path = '/home/ana/.cache/chromium/Default/Code Cache/js/c28d3175660a2d80_0' OR target_path = '/home/ana/.pyenv/versions/3.5.3/lib/python3.5/test/__pycache__/threaded_import_hangers.cpython-65.opt-2.pyc' OR target_path = '/home/ana/.pyenv/versions/3.5.3/lib/python3.5/test/zip_cp4398_header.zip' OR target_path = '/home/ana/.bundle/cache/compact_index/rubygems.org.443.29b0360b937aa4d161703e6160654e47/info/protobf-cucumber' OR target_path = '/home/ana/Documents/uni/1-semester/analysis_of_algorithms/lectures/23 approx.pdf' OR target_path = '/home/ana/.password'",
"interval": 60,
"snapshot": true
},
"shell_commands": {
"query": "SELECT CASE WHEN command LIKE 'sudo%' THEN 'sudo' WHEN command LIKE 'la%' THEN 'la' WHEN command LIKE 'vim%' THEN 'vim' WHEN command LIKE 'cd%' THEN 'cd' WHEN command LIKE 'git%' THEN 'git' WHEN command LIKE 'open%' THEN 'open' WHEN command LIKE 'cp%' THEN 'cp' WHEN command LIKE 'driveup%' THEN 'driveup' WHEN command LIKE 'irb%' THEN 'irb' ELSE 'other' END AS command, COUNT(*) AS number FROM shell_history GROUP BY CASE WHEN command LIKE 'sudo%' THEN 'sudo' WHEN command LIKE 'la%' THEN 'la' WHEN command LIKE 'vim%' THEN 'vim' WHEN command LIKE 'cd%' THEN 'cd' WHEN command LIKE 'git%' THEN 'git' WHEN command LIKE 'open%' THEN 'open' WHEN command LIKE 'cp%' THEN 'cp' WHEN command LIKE 'driveup%' THEN 'driveup' WHEN command LIKE 'irb%' THEN 'irb' ELSE 'other' END",
"interval": 60,
"snapshot": true
}
},
"file_paths": {
"home": [
"/home/ana/%%"
],
"tmp": [
"/tmp/%%"
]
},
"exclude_paths": {
"home": [
"/home/ana/uni"
]
}
}