From 8f1f1b7eb93e623540168d02b2bec3921a3c34bd Mon Sep 17 00:00:00 2001
From: Rachael Shaw
Date: Fri, 29 Mar 2024 15:17:25 -0500
Subject: [PATCH] Update canary agent options (#17948)

Remove some columns that aren't super helpful from the tcc tables (see https://gist.github.com/rachaelshaw/74578f458ce89b3306777b8263357d69)
---
 it-and-security/teams/workstations-canary.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index e2550b4b8..22bb5fe7b 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -28,37 +28,29 @@ agent_options:
 auto_table_construction:
 tcc_system:
 path: /Library/Application Support/com.apple.TCC/TCC.db
- query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+ query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
 columns:
 - service
 - client
 - client_type
 - auth_value
 - auth_reason
- - auth_version
- - csreq
 - policy_id
 - indirect_object_identifier
 - indirect_object_identifier_type
- - indirect_object_code_identity
- - flags
 - last_modified
 tcc_user:
 path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
- query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+ query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
 columns:
 - service
 - client
 - client_type
 - auth_value
 - auth_reason
- - auth_version
- - csreq
 - policy_id
 - indirect_object_identifier
 - indirect_object_identifier_type
- - indirect_object_code_identity
- - flags
 - last_modified
 controls:
 enable_disk_encryption: true
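Review bot: Dropping `csreq` and `indirect_object_code_identity` from the `tcc_system` and `tcc_user` queries removes the only columns that show whether a TCC grant is tied to a code-signing requirement, so rows keyed on bundle ID or path alone can no longer be told apart from grants pinned to a signed binary. If the raw blobs were the unhelpful part, a derived flag would keep that signal, e.g. `csreq is not null as has_csreq` in each `query` plus `- has_csreq` under `columns` (assuming the table-construction query accepts expressions; check on a canary host first). Whichever way it goes, a short comment above each `query` such as `# csreq, indirect_object_code_identity, flags, auth_version omitted on purpose, see #17948` would keep the reason next to the config rather than only in the commit message. The `agent_options` mapping starts above this hunk, so any other consumers of these columns are not visible here.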