Update canary agent options (#17948)

Remove some columns that aren't super helpful from the tcc tables (see https://gist.github.com/rachaelshaw/74578f458ce89b3306777b8263357d69)
2024-11-06 00:45:19 +00:00 · 2024-03-29 15:17:25 -05:00 · 2024-03-29 15:17:25 -05:00 · 8f1f1b7eb9
commit 8f1f1b7eb9
parent 841350f556
1 changed files with 2 additions and 10 deletions
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@ -28,37 +28,29 @@ agent_options:
          auto_table_construction:
            tcc_system:
              path: /Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
              columns:
                - service
                - client
                - client_type
                - auth_value
                - auth_reason
-                - auth_version
-                - csreq
                - policy_id
                - indirect_object_identifier
                - indirect_object_identifier_type
-                - indirect_object_code_identity
-                - flags
                - last_modified
            tcc_user:
              path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
              columns:
                - service
                - client
                - client_type
                - auth_value
                - auth_reason
-                - auth_version
-                - csreq
                - policy_id
                - indirect_object_identifier
                - indirect_object_identifier_type
-                - indirect_object_code_identity
-                - flags
                - last_modified
 controls:
  enable_disk_encryption: true