From f36b7d4d6da0aaa93d5e4b80cd48d5459423714f Mon Sep 17 00:00:00 2001 
From: Victor Lyuboslavsky Date: Wed, 28 Feb 2024 10:50:10 -0600 Subject: [PATCH] Use gitops with dogfood. (#17098) #17043 Set up dogfood to use gitops. I copied the current dogfood configs/policies/queries into the gitops flow. Successful workflow run: https://github.com/fleetdm/fleet/actions/runs/8023101797/job/21918883543?pr=17098 --------- Co-authored-by: Noah Talerman --- .github/workflows/dogfood-gitops.yml | 55 + .github/workflows/example-workflow.yaml | 44 - .../fleetctl-workstations-canary.yml | 49 - .github/workflows/fleetctl-workstations.yml | 49 - it-and-security/default.yml | 86 + it-and-security/lib/agent-options.yml | 13 + .../collect-failed-login-attempts.queries.yml | 14 + it-and-security/lib/collect-fleetd-logs.sh | 7 + ...collect-fleetd-update-channels.queries.yml | 7 + .../lib/collect-usb-devices.queries.yml | 10 + .../collect-vs-code-extensions.queries.yml | 12 + it-and-security/lib/explore-data.queries.yml | 3210 +++++++++++++++++ .../lib/linux-device-health.policies.yml | 6 + .../lib/macos-device-health.policies.yml | 55 + .../macos-see-automatic-enrollment-profile.sh | 1 + it-and-security/lib/servers.agent-options.yml | 13 + .../lib/windows-device-health.policies.yml | 24 + it-and-security/lib/windows-remove-fleetd.ps1 | 110 + it-and-security/lib/windows-turn-off-mdm.ps1 | 27 + it-and-security/teams/explore-data.yml | 43 + it-and-security/teams/servers-canary.yml | 31 + it-and-security/teams/servers.yml | 31 + it-and-security/teams/workstations-canary.yml | 68 + it-and-security/teams/workstations.yml | 62 + 24 files changed, 3885 insertions(+), 142 deletions(-) create mode 100644 .github/workflows/dogfood-gitops.yml delete mode 100644 .github/workflows/example-workflow.yaml delete mode 100644 .github/workflows/fleetctl-workstations-canary.yml delete mode 100644 .github/workflows/fleetctl-workstations.yml create mode 100644 it-and-security/default.yml create mode 100644 it-and-security/lib/agent-options.yml create mode 100644 
it-and-security/lib/collect-failed-login-attempts.queries.yml create mode 100644 it-and-security/lib/collect-fleetd-logs.sh create mode 100644 it-and-security/lib/collect-fleetd-update-channels.queries.yml create mode 100644 it-and-security/lib/collect-usb-devices.queries.yml create mode 100644 it-and-security/lib/collect-vs-code-extensions.queries.yml create mode 100644 it-and-security/lib/explore-data.queries.yml create mode 100644 it-and-security/lib/linux-device-health.policies.yml create mode 100644 it-and-security/lib/macos-device-health.policies.yml create mode 100644 it-and-security/lib/macos-see-automatic-enrollment-profile.sh create mode 100644 it-and-security/lib/servers.agent-options.yml create mode 100644 it-and-security/lib/windows-device-health.policies.yml create mode 100644 it-and-security/lib/windows-remove-fleetd.ps1 create mode 100644 it-and-security/lib/windows-turn-off-mdm.ps1 create mode 100644 it-and-security/teams/explore-data.yml create mode 100644 it-and-security/teams/servers-canary.yml create mode 100644 it-and-security/teams/servers.yml create mode 100644 it-and-security/teams/workstations-canary.yml create mode 100644 it-and-security/teams/workstations.yml diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml new file mode 100644 index 000000000..10953fe23 --- /dev/null +++ b/.github/workflows/dogfood-gitops.yml 
@@ -0,0 +1,55 @@ +name: 'Apply latest configuration to dogfood with gitops' + +on: + push: + branches: + - main + paths: + - 'it-and-security/**' + - 'mdm_profiles/**' + - '.github/workflows/dogfood-gitops.yml' + workflow_dispatch: # allows manual triggering + +defaults: + run: + shell: bash + +# Limit permissions of GITHUB_TOKEN. +permissions: + contents: read + +jobs: + fleet-gitops: + timeout-minutes: 5 + runs-on: ubuntu-latest + steps: + - name: Checkout our repository + uses: actions/checkout@v4 + + - name: Checkout GitOps repository + uses: actions/checkout@v4 + with: + repository: fleetdm/fleet-gitops + ref: main + path: fleet-gitops + + - name: Apply latest configuration to Fleet + uses: ./fleet-gitops/.github/gitops-action + with: + working-directory: ${{ github.workspace }}/fleet-gitops + env: + FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security + FLEET_URL: https://dogfood.fleetdm.com + FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} + DOGFOOD_APPLE_BM_DEFAULT_TEAM: Workstations + DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }} + DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }} + DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }} + DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }} + DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }} + DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }} + DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }} + DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }} + DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }} + DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }} + DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }} 
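Review bot: The "Apply latest configuration to Fleet" step runs `./fleet-gitops/.github/gitops-action` from a checkout of `fleetdm/fleet-gitops` at `ref: main`, so whoever can push to that repository's main branch can execute arbitrary code in this job with `DOGFOOD_API_TOKEN` and every enroll secret in the `env` block; the deleted workflows pinned their action to a commit SHA, and this one should too. The deleted workflows also had a `concurrency` group, which this file drops, so two quick pushes to `it-and-security/**` would run two gitops applies against the same server at once; I would add a group back but with `cancel-in-progress: false`, since cancelling a run mid-apply could leave the server half-configured. I have not verified what the gitops action does with a cancelled run, so treat the second point as a caution rather than a defect. `<commit-sha>` below is a placeholder for a reviewed commit of fleet-gitops, not a real value.
```yaml
# … unchanged: name, on, defaults, permissions …
# Serialize applies so two pushes cannot race against the same server,
# and never cancel a run that may already be mid-apply.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false
# … unchanged: jobs.fleet-gitops and the first checkout step …
      - name: Checkout GitOps repository
        uses: actions/checkout@v4
        with:
          repository: fleetdm/fleet-gitops
          ref: <commit-sha>  # pin a reviewed commit; main is mutable and this job holds the API token
          path: fleet-gitops
# … unchanged: Apply step and its env block …
```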
diff --git a/.github/workflows/example-workflow.yaml b/.github/workflows/example-workflow.yaml deleted file mode 100644 index 5a19e87b9..000000000 --- a/.github/workflows/example-workflow.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the provided team. -name: Apply latest configuration profiles (example) -on: - push: - branches: - - main - paths: - - "path/to/**.mobileconfig" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - FLEET_URL: ${{ secrets.DOGFOOD_URL }} - TOKEN_USED_BY_PROFILE: ${{ secrets.TOKEN_USED_BY_PROFILE }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b - with: - FLEET_API_TOKEN: $FLEET_API_TOKEN - FLEET_URL: $FLEET_URL - FLEET_TEAM_NAME: 💻🐣 Workstations (canary) - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: 13.3.2 - MAC_OS_VERSION_DEADLINE: 2023-06-15 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/.github/workflows/fleetctl-workstations-canary.yml b/.github/workflows/fleetctl-workstations-canary.yml deleted file mode 100644 index 26c391976..000000000 --- a/.github/workflows/fleetctl-workstations-canary.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations (canary) team. -# It uses a fleet instance also built and executed from source. -# -# It runs automatically when a file is changed in /mdm_profiles. -name: Apply latest configuration profiles and macOS updates (Canary) - -on: - push: - branches: - - main - paths: - - "mdm_profiles/**.mobileconfig" - - ".github/workflows/fleetctl-workstations-canary.yml" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }} - CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0 - with: - FLEET_API_TOKEN: $DOGFOOD_API_TOKEN - FLEET_URL: $DOGFOOD_URL - FLEET_TEAM_NAME: 💻🐣 Workstations (canary) - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: "14.2" - MAC_OS_VERSION_DEADLINE: 2023-12-15 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/.github/workflows/fleetctl-workstations.yml b/.github/workflows/fleetctl-workstations.yml deleted file mode 100644 index fb45ddac9..000000000 --- a/.github/workflows/fleetctl-workstations.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations team. -# It uses a Fleet instance also built and executed from source. -# -# It runs when the GitHub action is triggered manually -name: Apply latest configuration profiles and macOS updates - -on: - push: - branches: - - main - paths: - - "mdm_profiles/**.mobileconfig" - - ".github/workflows/fleetctl-workstations.yml" - workflow_dispatch: # Manual - -# This allows a subsequently queued workflow run to interrupt previous runs -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} - cancel-in-progress: true - -defaults: - run: - # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference - shell: bash - -permissions: - contents: read - -env: - DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }} - CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }} - -jobs: - apply-profiles: - timeout-minutes: 5 - runs-on: ubuntu-latest - steps: - - name: Apply configuration profiles and updates - uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0 - with: - FLEET_API_TOKEN: $DOGFOOD_API_TOKEN - FLEET_URL: $DOGFOOD_URL - FLEET_TEAM_NAME: 💻 Workstations - MDM_CONFIG_REPO: fleetdm/fleet - MDM_CONFIG_DIRECTORY: mdm_profiles - MAC_OS_MIN_VERSION: "14.2" - MAC_OS_VERSION_DEADLINE: 2023-12-19 - MAC_OS_ENABLE_DISK_ENCRYPTION: true diff --git a/it-and-security/default.yml b/it-and-security/default.yml new file mode 100644 index 000000000..5a5a170fe --- /dev/null +++ b/it-and-security/default.yml 
@@ -0,0 +1,86 @@ +agent_options: + path: ./lib/agent-options.yml +controls: + enable_disk_encryption: true + macos_migration: + enable: true + mode: voluntary + webhook_url: $DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL + macos_settings: + custom_settings: null + macos_setup: + bootstrap_package: "" + enable_end_user_authentication: false + macos_setup_assistant: null + macos_updates: + deadline: "2023-06-13" + minimum_version: 13.4.1 + windows_enabled_and_configured: true + windows_settings: + custom_settings: [] + windows_updates: + deadline_days: 3 + grace_period_days: 2 + scripts: [] +org_settings: + features: + enable_host_users: true + enable_software_inventory: true + fleet_desktop: + transparency_url: https://fleetdm.com/transparency + host_expiry_settings: + host_expiry_enabled: false + host_expiry_window: 7 + integrations: + jira: [ ] + zendesk: [ ] + mdm: + apple_bm_default_team: $DOGFOOD_APPLE_BM_DEFAULT_TEAM + org_info: + contact_url: https://fleetdm.com/company/contact + org_logo_url: "" + org_logo_url_light_background: "" + org_name: Fleet Device Management + secrets: + - secret: $DOGFOOD_GLOBAL_ENROLL_SECRET + server_settings: + debug_host_ids: + - 1 + - 3 + deferred_save_host: false + enable_analytics: true + live_query_disabled: false + query_reports_disabled: false + scripts_disabled: false + server_url: https://dogfood.fleetdm.com + sso_settings: + enable_jit_provisioning: true + enable_jit_role_sync: false + enable_sso: true + enable_sso_idp_login: false + entity_id: dogfood.fleetdm.com + idp_image_url: "" + idp_name: Google + issuer_uri: $DOGFOOD_SSO_ISSUER_URI + metadata: |- + $DOGFOOD_SSO_METADATA + metadata_url: "" + webhook_settings: + failing_policies_webhook: + destination_url: $DOGFOOD_FAILING_POLICIES_WEBHOOK_URL + enable_failing_policies_webhook: true + host_batch_size: 0 + policy_ids: [] + host_status_webhook: + days_count: 1 + destination_url: "" + enable_host_status_webhook: false + host_percentage: 25 + interval: 1m0s + 
vulnerabilities_webhook: + destination_url: $DOGFOOD_VULNERABILITIES_WEBHOOK_URL + enable_vulnerabilities_webhook: true + host_batch_size: 0 +policies: +queries: + - path: ./lib/collect-fleetd-update-channels.queries.yml diff --git a/it-and-security/lib/agent-options.yml b/it-and-security/lib/agent-options.yml new file mode 100644 index 000000000..61559952c --- /dev/null +++ b/it-and-security/lib/agent-options.yml @@ -0,0 +1,13 @@ +config: + decorators: + load: + - SELECT uuid AS host_uuid FROM system_info; + - SELECT hostname AS hostname FROM system_info; + options: + disable_distributed: false + distributed_interval: 10 + distributed_plugin: tls + distributed_tls_max_attempts: 3 + logger_tls_endpoint: /api/osquery/log + logger_tls_period: 10 + pack_delimiter: / diff --git a/it-and-security/lib/collect-failed-login-attempts.queries.yml b/it-and-security/lib/collect-failed-login-attempts.queries.yml new file mode 100644 index 000000000..a2242b7e7 --- /dev/null +++ b/it-and-security/lib/collect-failed-login-attempts.queries.yml @@ -0,0 +1,14 @@ +- name: Collect failed login attempts + automations_enabled: true + description: Lists the users at least one failed login attempt and timestamp of + failed login. Number of failed login attempts reset to zero after a user successfully + logs in. + discard_data: false + interval: 300 + logging: snapshot + min_osquery_version: "" + observer_can_run: false + platform: "" + query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp + FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count + > 0; \ No newline at end of file diff --git a/it-and-security/lib/collect-fleetd-logs.sh b/it-and-security/lib/collect-fleetd-logs.sh new file mode 100644 index 000000000..887af2ace --- /dev/null +++ b/it-and-security/lib/collect-fleetd-logs.sh 
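Review bot: `controls.macos_updates` in default.yml sets `minimum_version: 13.4.1` and `deadline: "2023-06-13"`, which is older than what the deleted workstation workflows enforced (`MAC_OS_MIN_VERSION: "14.2"` with deadlines of 2023-12-15 and 2023-12-19), so for any host this default applies to the commit silently relaxes the macOS update requirement; if the team files override it, a comment saying so would save the next reader the same check, otherwise carry the previous values forward, e.g. `deadline: "2023-12-19"` and `minimum_version: "14.2"`. The bare `policies:` key parses as null rather than an empty list; write `policies: []` to match `windows_settings.custom_settings: []` in the same file. `sso_settings.enable_jit_provisioning: true` means any identity the IdP asserts gets a Fleet account created on first login; that may be intended for dogfood, but it deserves a one-line comment stating that it is deliberate. `server_settings.debug_host_ids` commits two host IDs to version control, which looks like leftover debugging rather than configuration.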
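Review bot: The query in collect-failed-login-attempts.queries.yml reads `account_policy_data`, which as far as I know is a macOS-only osquery table, yet `platform: ""` schedules it on every platform, so Linux and Windows hosts will log a query error every 300 seconds; set `platform: darwin`. The description also drops a word: `description: Lists the users with at least one failed login attempt and the timestamp of the failed login.` Since `automations_enabled: true` and `logging: snapshot` ship usernames and failure counts to the log destination, the description could also say where that data goes. The file is missing its trailing newline.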
@@ -0,0 +1,7 @@ +cp /var/log/orbit/orbit.stderr.log ~/Library/Logs/Fleet/fleet-desktop.log /Users/Shared + +echo "Successfully copied fleetd logs to the /Users/Shared folder." + +echo "To retrieve logs, ask the end user to open Finder and in the menu bar select Go > Go to Folder." + +echo "Then, ask the end user to type in /Users/Shared, press Return, and locate orbit.stderr.log (Orbit logs) and fleet-desktop.log (Fleet Desktop logs) files." \ No newline at end of file diff --git a/it-and-security/lib/collect-fleetd-update-channels.queries.yml b/it-and-security/lib/collect-fleetd-update-channels.queries.yml new file mode 100644 index 000000000..a90ea083a --- /dev/null +++ b/it-and-security/lib/collect-fleetd-update-channels.queries.yml @@ -0,0 +1,7 @@ +- name: Collect fleetd update channels + description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering." + query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info; + interval: 300 # 5 minutes + observer_can_run: true + automations_enabled: false + platform: darwin,linux,windows diff --git a/it-and-security/lib/collect-usb-devices.queries.yml b/it-and-security/lib/collect-usb-devices.queries.yml new file mode 100644 index 000000000..ab2b40732 --- /dev/null +++ b/it-and-security/lib/collect-usb-devices.queries.yml @@ -0,0 +1,10 @@ +- name: Collect USB devices + automations_enabled: false + description: Collects the USB devices that are currently connected to macOS and Linux hosts. + discard_data: false + interval: 300 + logging: snapshot + min_osquery_version: "" + observer_can_run: true + platform: "" + query: SELECT model, vendor FROM usb_devices; \ No newline at end of file diff --git a/it-and-security/lib/collect-vs-code-extensions.queries.yml b/it-and-security/lib/collect-vs-code-extensions.queries.yml new file mode 100644 index 000000000..29f97a2f7 --- /dev/null 
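Review bot: collect-fleetd-logs.sh copies `~/Library/Logs/Fleet/fleet-desktop.log`, but if Fleet runs scripts as root on macOS, as I believe it does, `~` expands to root's home rather than the logged-in user's, so the Fleet Desktop log is never copied; the script then unconditionally prints "Successfully copied" because there is no shebang, no `set -e`, and the `cp` exit status is ignored. It also drops both logs into the world-readable `/Users/Shared`, which is the stated intent, but worth a comment noting that anyone with a local account can read them. I would resolve the console user's home explicitly and fail on a bad copy:
```sh
#!/bin/sh
set -eu
# Fleet runs this as root, so "~" is not the end user's home; resolve the
# console user's home explicitly. Logs land in the world-readable /Users/Shared.
console_user=$(stat -f '%Su' /dev/console)
user_home=$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $2}')
cp /var/log/orbit/orbit.stderr.log "$user_home/Library/Logs/Fleet/fleet-desktop.log" /Users/Shared
# … unchanged: the three echo lines with retrieval instructions …
```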
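Review bot: In collect-usb-devices.queries.yml the description says the query targets "macOS and Linux hosts", but `platform: ""` schedules it everywhere, including Windows, where `usb_devices` will fail or return nothing every 300 seconds; set `platform: darwin,linux` so the schedule matches the description. The sibling query in collect-fleetd-update-channels.queries.yml already spells its platforms out explicitly, so this would also make the two files consistent. The file is missing its trailing newline.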
+++ b/it-and-security/lib/collect-vs-code-extensions.queries.yml @@ -0,0 +1,12 @@ +- name: Collect Visual Studio (VS) Code extensions + automations_enabled: false + description: Collects the name, publisher, and version of the VS Code extensions + installed on hosts. + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + observer_can_run: false + platform: "" + query: SELECT extension.name, extension.publisher, extension.version FROM users + JOIN vscode_extensions extension USING (uid); \ No newline at end of file diff --git a/it-and-security/lib/explore-data.queries.yml b/it-and-security/lib/explore-data.queries.yml new file mode 100644 index 000000000..deb070644 --- /dev/null +++ b/it-and-security/lib/explore-data.queries.yml 
@@ -0,0 +1,3210 @@ +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - account_policy_data' + observer_can_run: false + platform: "" + query: SELECT * FROM account_policy_data; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ad_config' + observer_can_run: false + platform: "" + query: SELECT * FROM ad_config; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf' + observer_can_run: false + platform: "" + query: SELECT * FROM alf; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf_exceptions' + observer_can_run: false + platform: "" + query: SELECT * FROM alf_exceptions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - alf_explicit_auths' + observer_can_run: false + platform: "" + query: SELECT * FROM alf_explicit_auths; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apfs_physical_stores' + observer_can_run: false + platform: "" + query: SELECT * FROM apfs_physical_stores; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apfs_volumes' + observer_can_run: false + platform: "" + query: SELECT * FROM apfs_volumes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - app_icons' + observer_can_run: false + platform: 
"" + query: SELECT * FROM app_icons; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - app_schemes' + observer_can_run: false + platform: "" + query: SELECT * FROM app_schemes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apparmor_events' + observer_can_run: false + platform: "" + query: SELECT * FROM apparmor_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apparmor_profiles' + observer_can_run: false + platform: "" + query: SELECT * FROM apparmor_profiles; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - appcompat_shims' + observer_can_run: false + platform: "" + query: SELECT * FROM appcompat_shims; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apps' + observer_can_run: false + platform: "" + query: SELECT * FROM apps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - apt_sources' + observer_can_run: false + platform: "" + query: SELECT * FROM apt_sources; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - arp_cache' + observer_can_run: false + platform: "" + query: SELECT * FROM arp_cache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - asl' + observer_can_run: false + platform: "" + query: 
SELECT * FROM asl; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - atom_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM atom_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - augeas' + observer_can_run: false + platform: "" + query: SELECT * FROM augeas; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authdb' + observer_can_run: false + platform: "" + query: SELECT * FROM authdb; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authenticode' + observer_can_run: false + platform: "" + query: SELECT * FROM authenticode; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorization_mechanisms' + observer_can_run: false + platform: "" + query: SELECT * FROM authorization_mechanisms; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorizations' + observer_can_run: false + platform: "" + query: SELECT * FROM authorizations; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - authorized_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM authorized_keys; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - autoexec' + observer_can_run: false + platform: "" + query: 
SELECT * FROM autoexec; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - azure_instance_metadata' + observer_can_run: false + platform: "" + query: SELECT * FROM azure_instance_metadata; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - azure_instance_tags' + observer_can_run: false + platform: "" + query: SELECT * FROM azure_instance_tags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - background_activities_moderator' + observer_can_run: false + platform: "" + query: SELECT * FROM background_activities_moderator; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - battery' + observer_can_run: false + platform: "" + query: SELECT * FROM battery; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - bitlocker_info' + observer_can_run: false + platform: "" + query: SELECT * FROM bitlocker_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - block_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM block_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - bpf_process_events' + observer_can_run: false + platform: "" + query: SELECT * FROM bpf_process_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - bpf_socket_events' + observer_can_run: false + platform: "" + query: SELECT * FROM bpf_socket_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - carbon_black_info' + observer_can_run: false + platform: "" + query: SELECT * FROM carbon_black_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - carves' + observer_can_run: false + platform: "" + query: SELECT * FROM carves; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - certificates' + observer_can_run: false + platform: "" + query: SELECT * FROM certificates; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chassis_info' + observer_can_run: false + platform: "" + query: SELECT * FROM chassis_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chocolatey_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM chocolatey_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chrome_extension_content_scripts' + observer_can_run: false + platform: "" + query: SELECT * FROM chrome_extension_content_scripts; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - chrome_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM chrome_extensions; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cis_audit' + observer_can_run: false + platform: "" + query: SELECT * FROM cis_audit; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - connected_displays' + observer_can_run: false + platform: "" + query: SELECT * FROM connected_displays; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - connectivity' + observer_can_run: false + platform: "" + query: SELECT * FROM connectivity; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - corestorage_logical_volume_families' + observer_can_run: false + platform: "" + query: SELECT * FROM corestorage_logical_volume_families; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - corestorage_logical_volumes' + observer_can_run: false + platform: "" + query: SELECT * FROM corestorage_logical_volumes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpu_info' + observer_can_run: false + platform: "" + query: SELECT * FROM cpu_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpu_time' + observer_can_run: false + platform: "" + query: SELECT * FROM cpu_time; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - cpuid' + observer_can_run: false + platform: "" + query: SELECT * FROM cpuid; +- 
automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - crashes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM crashes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - crontab'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM crontab;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - cryptoinfo'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM cryptoinfo;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - cryptsetup_status'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM cryptsetup_status;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - csrutil_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM csrutil_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - cups_destinations'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM cups_destinations;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - cups_jobs'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM cups_jobs;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - curl'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM curl;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - curl_certificate'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM curl_certificate;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - deb_packages'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM deb_packages;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - default_environment'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM default_environment;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - device_file'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM device_file;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - device_firmware'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM device_firmware;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - device_hash'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM device_hash;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - device_partitions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM device_partitions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - disk_encryption'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM disk_encryption;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - disk_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM disk_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - disk_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM disk_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - dns_cache'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM dns_cache;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - dns_resolvers'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM dns_resolvers;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_envs'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_envs;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_fs_changes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_fs_changes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_labels'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_labels;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_mounts'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_mounts;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_networks'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_networks;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_ports'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_ports;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_processes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_processes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_container_stats'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_container_stats;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_containers'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_containers;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_image_history'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_image_history;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_image_labels'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_image_labels;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_image_layers'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_image_layers;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_images'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_images;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_network_labels'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_network_labels;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_networks'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_networks;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_version'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_version;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_volume_labels'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_volume_labels;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - docker_volumes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM docker_volumes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - drivers'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM drivers;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - dscl'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM dscl;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ec2_instance_metadata'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ec2_instance_metadata;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ec2_instance_tags'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ec2_instance_tags;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - es_process_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM es_process_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - es_process_file_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM es_process_file_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - etc_hosts'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM etc_hosts;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - etc_protocols'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM etc_protocols;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - etc_services'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM etc_services;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - event_taps'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM event_taps;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - extended_attributes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM extended_attributes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - falcon_kernel_check'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM falcon_kernel_check;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - falconctl_options'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM falconctl_options;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - fan_speed_sensors'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM fan_speed_sensors;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - file'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM file;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - file_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM file_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - file_lines'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM file_lines;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - filevault_prk'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM filevault_prk;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - filevault_status'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM filevault_status;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - filevault_users'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM filevault_users;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - find_cmd'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM find_cmd;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - firefox_addons'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM firefox_addons;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - firefox_preferences'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM firefox_preferences;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - firmware_eficheck_integrity_check'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM firmware_eficheck_integrity_check;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - firmwarepasswd'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM firmwarepasswd;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - gatekeeper'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM gatekeeper;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - gatekeeper_approved_apps'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM gatekeeper_approved_apps;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - geolocation'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM geolocation;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - google_chrome_profiles'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM google_chrome_profiles;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - groups'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM groups;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - hardware_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM hardware_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - hash'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM hash;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - homebrew_packages'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM homebrew_packages;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - hvci_status'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM hvci_status;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ibridge_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ibridge_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - icloud_private_relay'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM icloud_private_relay;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ie_extensions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ie_extensions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - intel_me_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM intel_me_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - interface_addresses'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM interface_addresses;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - interface_details'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM interface_details;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - interface_ipv6'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM interface_ipv6;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - iokit_devicetree'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM iokit_devicetree;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - iokit_registry'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM iokit_registry;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ioreg'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ioreg;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kernel_extensions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kernel_extensions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kernel_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kernel_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kernel_keys'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kernel_keys;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kernel_modules'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kernel_modules;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kernel_panics'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kernel_panics;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - keychain_acls'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM keychain_acls;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - keychain_items'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM keychain_items;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - known_hosts'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM known_hosts;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - kva_speculative_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM kva_speculative_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - last'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM last;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - launchd'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM launchd;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - launchd_overrides'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM launchd_overrides;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - listening_ports'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM listening_ports;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - load_average'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM load_average;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - location_services'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM location_services;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - logged_in_users'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM logged_in_users;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - logical_drives'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM logical_drives;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - logon_sessions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM logon_sessions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_certificates'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_certificates;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_cluster'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_cluster;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_cluster_members'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_cluster_members;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_images'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_images;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_instance_config'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_instance_config;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_instance_devices'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_instance_devices;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_instances'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_instances;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_networks'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_networks;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - lxd_storage_pools'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM lxd_storage_pools;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - macadmins_unified_log'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM macadmins_unified_log;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - macos_profiles'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM macos_profiles;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - macos_rsr'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM macos_rsr;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - magic'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM magic;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - managed_policies'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM managed_policies;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - md_devices'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM md_devices;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - md_drives'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM md_drives;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - md_personalities'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM md_personalities;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - mdfind'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM mdfind;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - mdls'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM mdls;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - mdm'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM mdm;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - mdm_bridge'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM mdm_bridge;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_array_mapped_addresses'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_array_mapped_addresses;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_arrays'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_arrays;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_device_mapped_addresses'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_device_mapped_addresses;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_devices'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_devices;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_error_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_error_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - memory_map'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM memory_map;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - mounts'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM mounts;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - msr'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM msr;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - munki_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM munki_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - munki_installs'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM munki_installs;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - network_interfaces'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM network_interfaces;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - nfs_shares'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM nfs_shares;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - npm_packages'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM npm_packages;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ntdomains'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ntdomains;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ntfs_acl_permissions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ntfs_acl_permissions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - ntfs_journal_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM ntfs_journal_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - nvram'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM nvram;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - nvram_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM nvram_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - oem_strings'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM oem_strings;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - office_mru'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM office_mru;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - orbit_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM orbit_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - os_version'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM os_version;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_events'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_events;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_extensions'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_extensions;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_flags'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_flags;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_packs'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_packs;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_registry'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_registry;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - osquery_schedule'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM osquery_schedule;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - package_bom'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM package_bom;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - package_install_history'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM package_install_history;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - package_receipts'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM package_receipts;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - password_policy'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM password_policy;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - patches'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM patches;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - pci_devices'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM pci_devices;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - physical_disk_performance'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM physical_disk_performance;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - pipes'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM pipes;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - platform_info'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM platform_info;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - plist'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM plist;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - pmset'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM pmset;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - portage_keywords'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM portage_keywords;
+- automations_enabled: true
+ description: ""
+ discard_data: false
+ interval: 3600
+ logging: snapshot
+ min_osquery_version: ""
+ name: '[Explore data] - portage_packages'
+ observer_can_run: false
+ platform: ""
+ query: SELECT * FROM portage_packages;
+-
automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - portage_use' + observer_can_run: false + platform: "" + query: SELECT * FROM portage_use; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - power_sensors' + observer_can_run: false + platform: "" + query: SELECT * FROM power_sensors; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - powershell_events' + observer_can_run: false + platform: "" + query: SELECT * FROM powershell_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - prefetch' + observer_can_run: false + platform: "" + query: SELECT * FROM prefetch; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - privacy_preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM privacy_preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_envs' + observer_can_run: false + platform: "" + query: SELECT * FROM process_envs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_etw_events' + observer_can_run: false + platform: "" + query: SELECT * 
FROM process_etw_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_events' + observer_can_run: false + platform: "" + query: SELECT * FROM process_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_file_events' + observer_can_run: false + platform: "" + query: SELECT * FROM process_file_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_memory_map' + observer_can_run: false + platform: "" + query: SELECT * FROM process_memory_map; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_namespaces' + observer_can_run: false + platform: "" + query: SELECT * FROM process_namespaces; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_files' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_files; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_pipes' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_pipes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - process_open_sockets' + observer_can_run: false + platform: "" + query: SELECT * FROM process_open_sockets; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - processes' + observer_can_run: false + platform: "" + query: SELECT * FROM processes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - programs' + observer_can_run: false + platform: "" + query: SELECT * FROM programs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - prometheus_metrics' + observer_can_run: false + platform: "" + query: SELECT * FROM prometheus_metrics; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_info' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_logs' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_logs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - puppet_state' + observer_can_run: false + platform: "" + query: SELECT * FROM puppet_state; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - pwd_policy' + observer_can_run: false + platform: "" + query: SELECT * FROM pwd_policy; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - python_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM python_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - quicklook_cache' + observer_can_run: false + platform: "" + query: SELECT * FROM quicklook_cache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - registry' + observer_can_run: false + platform: "" + query: SELECT * FROM registry; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - routes' + observer_can_run: false + platform: "" + query: SELECT * FROM routes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - rpm_package_files' + observer_can_run: false + platform: "" + query: SELECT * FROM rpm_package_files; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - rpm_packages' + observer_can_run: false + platform: "" + query: SELECT * FROM rpm_packages; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - running_apps' + observer_can_run: false + platform: "" + query: SELECT * FROM running_apps; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - safari_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM safari_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sandboxes' + observer_can_run: false + platform: "" + query: SELECT * FROM sandboxes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: 
'[Explore data] - scheduled_tasks' + observer_can_run: false + platform: "" + query: SELECT * FROM scheduled_tasks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - screenlock' + observer_can_run: false + platform: "" + query: SELECT * FROM screenlock; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - seccomp_events' + observer_can_run: false + platform: "" + query: SELECT * FROM seccomp_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - secureboot' + observer_can_run: false + platform: "" + query: SELECT * FROM secureboot; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - security_profile_info' + observer_can_run: false + platform: "" + query: SELECT * FROM security_profile_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - selinux_events' + observer_can_run: false + platform: "" + query: SELECT * FROM selinux_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - selinux_settings' + observer_can_run: false + platform: "" + query: SELECT * FROM selinux_settings; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - services' + observer_can_run: false + platform: "" + query: SELECT * FROM services; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - shadow' + observer_can_run: false + platform: "" + query: SELECT * FROM shadow; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_folders' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_folders; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_memory' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_memory; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shared_resources' + observer_can_run: false + platform: "" + query: SELECT * FROM shared_resources; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sharing_preferences' + observer_can_run: false + platform: "" + query: SELECT * FROM sharing_preferences; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shell_history' + observer_can_run: false + platform: "" + query: SELECT * FROM shell_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shellbags' + observer_can_run: false + platform: "" + query: SELECT * FROM shellbags; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - shimcache' + observer_can_run: false + platform: "" + query: SELECT * FROM shimcache; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: 
snapshot + min_osquery_version: "" + name: '[Explore data] - signature' + observer_can_run: false + platform: "" + query: SELECT * FROM signature; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sip_config' + observer_can_run: false + platform: "" + query: SELECT * FROM sip_config; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - smbios_tables' + observer_can_run: false + platform: "" + query: SELECT * FROM smbios_tables; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - smc_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM smc_keys; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sntp_request' + observer_can_run: false + platform: "" + query: SELECT * FROM sntp_request; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - socket_events' + observer_can_run: false + platform: "" + query: SELECT * FROM socket_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - software_update' + observer_can_run: false + platform: "" + query: SELECT * FROM software_update; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ssh_configs' + observer_can_run: false + platform: "" + query: SELECT * FROM ssh_configs; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot 
+ min_osquery_version: "" + name: '[Explore data] - startup_items' + observer_can_run: false + platform: "" + query: SELECT * FROM startup_items; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sudo_info' + observer_can_run: false + platform: "" + query: SELECT * FROM sudo_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - sudoers' + observer_can_run: false + platform: "" + query: SELECT * FROM sudoers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - suid_bin' + observer_can_run: false + platform: "" + query: SELECT * FROM suid_bin; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - syslog_events' + observer_can_run: false + platform: "" + query: SELECT * FROM syslog_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_controls' + observer_can_run: false + platform: "" + query: SELECT * FROM system_controls; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_extensions' + observer_can_run: false + platform: "" + query: SELECT * FROM system_extensions; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - system_info' + observer_can_run: false + platform: "" + query: SELECT * FROM system_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + 
min_osquery_version: "" + name: '[Explore data] - system_state' + observer_can_run: false + platform: "" + query: SELECT * FROM system_state; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - systemd_units' + observer_can_run: false + platform: "" + query: SELECT * FROM systemd_units; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - temperature_sensors' + observer_can_run: false + platform: "" + query: SELECT * FROM temperature_sensors; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time' + observer_can_run: false + platform: "" + query: SELECT * FROM time; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time_machine_backups' + observer_can_run: false + platform: "" + query: SELECT * FROM time_machine_backups; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - time_machine_destinations' + observer_can_run: false + platform: "" + query: SELECT * FROM time_machine_destinations; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - tpm_info' + observer_can_run: false + platform: "" + query: SELECT * FROM tpm_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ulimit_info' + observer_can_run: false + platform: "" + query: SELECT * FROM ulimit_info; +- automations_enabled: true + description: "" + discard_data: false + 
interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - unified_log' + observer_can_run: false + platform: "" + query: SELECT * FROM unified_log; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - uptime' + observer_can_run: false + platform: "" + query: SELECT * FROM uptime; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - usb_devices' + observer_can_run: false + platform: "" + query: SELECT * FROM usb_devices; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_events' + observer_can_run: false + platform: "" + query: SELECT * FROM user_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_groups' + observer_can_run: false + platform: "" + query: SELECT * FROM user_groups; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_interaction_events' + observer_can_run: false + platform: "" + query: SELECT * FROM user_interaction_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_login_settings' + observer_can_run: false + platform: "" + query: SELECT * FROM user_login_settings; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - user_ssh_keys' + observer_can_run: false + platform: "" + query: SELECT * FROM user_ssh_keys; +- automations_enabled: true + description: "" + 
discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - userassist' + observer_can_run: false + platform: "" + query: SELECT * FROM userassist; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - users' + observer_can_run: false + platform: "" + query: SELECT * FROM users; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - video_info' + observer_can_run: false + platform: "" + query: SELECT * FROM video_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - virtual_memory_info' + observer_can_run: false + platform: "" + query: SELECT * FROM virtual_memory_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_networks' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_networks; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_status' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_status; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wifi_survey' + observer_can_run: false + platform: "" + query: SELECT * FROM wifi_survey; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - winbaseobj' + observer_can_run: false + platform: "" + query: SELECT * FROM winbaseobj; +- automations_enabled: true + description: "" + discard_data: 
false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_crashes' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_crashes; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_eventlog' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_eventlog; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_events' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_firewall_rules' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_firewall_rules; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_optional_features' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_optional_features; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_search' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_search; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_security_center' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_security_center; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_security_products' + observer_can_run: false + platform: 
"" + query: SELECT * FROM windows_security_products; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_update_history' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_update_history; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - windows_updates' + observer_can_run: false + platform: "" + query: SELECT * FROM windows_updates; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_bios_info' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_bios_info; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_cli_event_consumers' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_cli_event_consumers; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_event_filters' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_event_filters; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_filter_consumer_binding' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_filter_consumer_binding; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - wmi_script_event_consumers' + observer_can_run: false + platform: "" + query: SELECT * FROM wmi_script_event_consumers; +- automations_enabled: true + description: "" + discard_data: false + 
interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_entries' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_entries; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_meta' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_meta; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - xprotect_reports' + observer_can_run: false + platform: "" + query: SELECT * FROM xprotect_reports; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yara' + observer_can_run: false + platform: "" + query: SELECT * FROM yara; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yara_events' + observer_can_run: false + platform: "" + query: SELECT * FROM yara_events; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - ycloud_instance_metadata' + observer_can_run: false + platform: "" + query: SELECT * FROM ycloud_instance_metadata; +- automations_enabled: true + description: "" + discard_data: false + interval: 3600 + logging: snapshot + min_osquery_version: "" + name: '[Explore data] - yum_sources' + observer_can_run: false + platform: "" + query: SELECT * FROM yum_sources; diff --git a/it-and-security/lib/linux-device-health.policies.yml b/it-and-security/lib/linux-device-health.policies.yml new file mode 100644 index 000000000..0d9e2f8aa --- /dev/null +++ b/it-and-security/lib/linux-device-health.policies.yml 
@@ -0,0 +1,6 @@
+- name: Linux - Enable disk encryption
+ query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';
+ critical: false
+ description: This policy checks if disk encryption is enabled.
+ resolution: As an IT admin, deploy an image that includes disk encryption.
+ platform: linux
\ No newline at end of file
diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
new file mode 100644
index 000000000..85d046a84
--- /dev/null
+++ b/it-and-security/lib/macos-device-health.policies.yml
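Review bot: The query line keys the whole policy on a single device node, `name LIKE '/dev/dm-1'` (LIKE with no wildcard is plain equality), so the result depends on which device-mapper minor the encrypted volume happens to receive rather than on whether the root filesystem is encrypted; a host whose LUKS volume is mapped as /dev/dm-0 fails the policy, and a host that only encrypts a secondary dm-1 volume passes it. If the dogfood image really guarantees that mapping, state it on the line: `# assumes the root volume is always mapped to /dev/dm-1 on the dogfood image — TODO confirm`. A more robust form would derive the device from the `mounts` table for path `/` instead of hard-coding it, though the device naming returned there may need normalising against disk_encryption.name before joining.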
@@ -0,0 +1,55 @@
+- name: macOS - Enable FileVault
+ query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
+ critical: false
+ description: This policy checks if FileVault (disk encryption) is enabled.
+ resolution: As an IT admin, turn on disk encryption in Fleet.
+ platform: darwin
+- name: macOS - Enable Firewall
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1;
+ critical: false
+ description: This policy checks if Firewall is enabled.
+ resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
+ platform: darwin
+- name: macOS - Disable guest account
+ query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1;
+ critical: false
+ description: This policy checks if the guest account is disabled.
+ resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
+ platform: darwin
+- name: macOS - Require 10 character password
+ query: SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='askForPassword' AND
+ CAST(value AS INT)
+ )
+ AND EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='minLength' AND
+ CAST(value AS INT) <= 10
+ );
+ critical: false
+ description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+ resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
+ platform: darwin
+- name: macOS - Enable screen saver after 20 minutes
+ query: SELECT 1 WHERE
+ EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='idleTime' AND
+ CAST(value AS INT) <= 1200 AND
+ username = ''
+ )
+ AND NOT EXISTS (
+ SELECT 1 FROM managed_policies WHERE
+ domain='com.apple.screensaver' AND
+ name='idleTime' AND
+ CAST(value AS INT) > 1200
+ );
+ critical: false
+ description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+ resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
+ platform: darwin
\ No newline at end of file
diff --git a/it-and-security/lib/macos-see-automatic-enrollment-profile.sh b/it-and-security/lib/macos-see-automatic-enrollment-profile.sh
new file mode 100644
index 000000000..1960b0264
--- /dev/null
+++ b/it-and-security/lib/macos-see-automatic-enrollment-profile.sh
@@ -0,0 +1 @@
+profiles show -type enrollment
\ No newline at end of file
diff --git a/it-and-security/lib/servers.agent-options.yml b/it-and-security/lib/servers.agent-options.yml
new file mode 100644
index 000000000..61559952c
--- /dev/null
+++ b/it-and-security/lib/servers.agent-options.yml
@@ -0,0 +1,13 @@
+config:
+ decorators:
+ load:
+ - SELECT uuid AS host_uuid FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ options:
+ disable_distributed: false
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ logger_tls_endpoint: /api/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: /
diff --git a/it-and-security/lib/windows-device-health.policies.yml b/it-and-security/lib/windows-device-health.policies.yml
new file mode 100644
index 000000000..4b92f5841
--- /dev/null
+++ b/it-and-security/lib/windows-device-health.policies.yml
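Review bot: In `macOS - Require 10 character password` the second EXISTS passes when `minLength` is `<= 10`, which is the opposite of what the description states ("at least 10 characters"): a profile that sets minLength to 4 satisfies the policy and one that sets 12 fails it, so unless the stored value means something other than the minimum length the comparison should be `CAST(value AS INT) >= 10`. The same policy's askForPassword branch omits the `username = ''` filter that the idleTime policy applies, so a per-user entry could satisfy it where the other checks require a device-level one. In `macOS - Enable screen saver after 20 minutes`, if a managed `idleTime` of 0 disables the screen saver, `<= 1200` also passes hosts that never lock, and the resolution names `maxInactivity` while the query reads `idleTime`. The resolution lines of the Firewall, guest-account, password and screen-saver policies read "An an IT admin" — "As an IT admin".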
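Review bot: `logger_tls_endpoint: /api/osquery/log` in servers.agent-options.yml differs from the `/api/v1/osquery/log` the explore-data team sets inline in `it-and-security/teams/explore-data.yml` in this same commit, and this file also sets `logger_tls_period: 10` and `distributed_interval: 10` where that team sets no period and an interval of 5. Both endpoint forms may well be accepted by the server, but if the divergence is deliberate a one-line comment at the top of this file saying why the server teams differ (`# Servers: longer distributed interval and explicit logger period; see teams/explore-data.yml for the workstation-style defaults`) would keep the next copy-paste from drifting further.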
@@ -0,0 +1,24 @@
+- name: Windows - Enable screen saver after 20 minutes
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock" and CAST(mdm_command_output AS INT) <= 20;
+ critical: false
+ description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+ resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock"
+ platform: windows
+- name: Windows - Enable BitLocker
+ query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1;
+ critical: false
+ description: As an IT admin, turn on disk encryption in Fleet.
+ resolution: Ask your system administrator to turn on disk encryption in Fleet
+ platform: windows
+- name: Windows - Disable guest account
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus" and CAST(mdm_command_output AS INT) = 0;
+ critical: false
+ description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system.
+ resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus"
+ platform: windows
+- name: Windows - Require 10 character password
+ query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled" and CAST(mdm_command_output AS INT) = 0;
+ critical: false
+ description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+ resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock"
+ platform: windows
\ No newline at end of file
diff --git a/it-and-security/lib/windows-remove-fleetd.ps1 b/it-and-security/lib/windows-remove-fleetd.ps1
new file mode 100644
index 000000000..f532843c0
--- /dev/null
+++ b/it-and-security/lib/windows-remove-fleetd.ps1
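Review bot: `Windows - Require 10 character password` never checks the password length: its query only tests `DevicePasswordEnabled` (`= 0`, which as I read the DeviceLock CSP means "enabled"), so a one-character PIN passes a policy described as "at least 10 characters"; the resolution already names `MinDevicePasswordLength`, so the query should also read the `.../DeviceLock/MinDevicePasswordLength` result and require it to be `>= 10`. In `Windows - Enable BitLocker` the `description:` line is a resolution sentence ("As an IT admin, turn on disk encryption in Fleet.") rather than a statement of what is checked, unlike the other entries' "This policy checks if …". For `MaxInactivityTimeDeviceLock`, if an unset or 0 value means no timeout as the linked CSP page describes, `<= 20` passes hosts that never lock, and excluding 0 would close that. The SQL string literals use double quotes (`"1./Device/..."`), which SQLite accepts only as a fallback from identifier quoting; single quotes, as used in the macOS policies file, are the conventional form.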
@@ -0,0 +1,110 @@
+function Test-Administrator
+{
+ [OutputType([bool])]
+ param()
+ process {
+ [Security.Principal.WindowsPrincipal]$user = [Security.Principal.WindowsIdentity]::GetCurrent();
+ return $user.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator);
+ }
+}
+
+# borrowed from Jeffrey Snover http://blogs.msdn.com/powershell/archive/2006/12/07/resolve-error.aspx
+function Resolve-Error-Detailed($ErrorRecord = $Error[0]) {
+ $error_message = "========== ErrorRecord:{0}ErrorRecord.InvocationInfo:{1}Exception:{2}"
+ $formatted_errorRecord = $ErrorRecord | format-list * -force | out-string
+ $formatted_invocationInfo = $ErrorRecord.InvocationInfo | format-list * -force | out-string
+ $formatted_exception = ""
+ $Exception = $ErrorRecord.Exception
+ for ($i = 0; $Exception; $i++, ($Exception = $Exception.InnerException)) {
+ $formatted_exception += ("$i" * 70) + "-----"
+ $formatted_exception += $Exception | format-list * -force | out-string
+ $formatted_exception += "-----"
+ }
+
+ return $error_message -f $formatted_errorRecord, $formatted_invocationInfo, $formatted_exception
+}
+
+#Stops Orbit service and related processes
+function Stop-Orbit {
+
+ # Stop Service
+ Stop-Service -Name "Fleet osquery" -ErrorAction "Continue"
+ Start-Sleep -Milliseconds 1000
+
+ # Ensure that no process left running
+ Get-Process -Name "orbit" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+ Get-Process -Name "osqueryd" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+ Get-Process -Name "fleet-desktop" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+ Start-Sleep -Milliseconds 1000
+}
+
+#Remove Orbit footprint from registry and disk
+function Force-Remove-Orbit {
+
+ try {
+
+ #Stoping Orbit
+ Stop-Orbit
+
+ #Remove Service
+ $service = Get-WmiObject -Class Win32_Service -Filter "Name='Fleet osquery'"
+ if ($service) {
+ $service.delete() | Out-Null
+ }
+
+ #Removing Program files entries
+ $targetPath = $Env:Programfiles + "\\Orbit"
+ Remove-Item -LiteralPath $targetPath -Force -Recurse -ErrorAction "Continue"
+
+ #Remove HKLM registry entries
+ Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -Recurse -ErrorAction "SilentlyContinue" | Where-Object {($_.ValueCount -gt 0)} | ForEach-Object {
+
+ # Filter for osquery entries
+ $properties = Get-ItemProperty $_.PSPath -ErrorAction "SilentlyContinue" | Where-Object {($_.DisplayName -eq "Fleet osquery")}
+ if ($properties) {
+
+ #Remove Registry Entries
+ $regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" + $_.PSChildName
+
+ Get-Item $regKey -ErrorAction "SilentlyContinue" | Remove-Item -Force -ErrorAction "SilentlyContinue"
+
+ return
+ }
+ }
+ }
+ catch {
+ Write-Host "There was a problem running Force-Remove-Orbit"
+ Write-Host "$(Resolve-Error-Detailed)"
+ return $false
+ }
+
+ return $true
+}
+
+function Main {
+
+ try {
+ # Is Administrator check
+ if (-not (Test-Administrator)) {
+ Write-Host "Please run this script with adming privileges."
+ Exit -1
+ }
+
+ Write-Host "About to uninstall fleetd..."
+
+ if (Force-Remove-Orbit) {
+ Write-Host "fleetd was uninstalled."
+ Exit 0
+ } else {
+ Write-Host "There was a problem uninstalling fleetd."
+ Exit -1
+ }
+
+ } catch {
+ Write-Host "Errorr: Entry point"
+ Write-Host "$(Resolve-Error-Detailed)"
+ Exit -1
+ }
+}
+
+$null = Main
diff --git a/it-and-security/lib/windows-turn-off-mdm.ps1 b/it-and-security/lib/windows-turn-off-mdm.ps1
new file mode 100644
index 000000000..2ffc3be05
--- /dev/null
+++ b/it-and-security/lib/windows-turn-off-mdm.ps1
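Review bot: `$targetPath = $Env:Programfiles + "\\Orbit"` concatenates a literal double backslash (PowerShell does not treat `\\` as an escape), so `Remove-Item -LiteralPath` receives `C:\Program Files\\Orbit`; this may still resolve after path normalization, but `$targetPath = Join-Path $Env:ProgramFiles "Orbit"` avoids depending on it. The `return` inside the `ForEach-Object` block only ends the current pipeline iteration rather than leaving `Force-Remove-Orbit`, so every remaining Uninstall key is still visited; if an early exit was intended, collect the matching keys first and remove them outside the pipeline, otherwise a comment such as `# 'return' here only skips to the next key` would stop readers from assuming it short-circuits. Two user-facing strings have typos: `"Please run this script with adming privileges."` and `"Errorr: Entry point"`. Given that the script deletes a Program Files directory and Uninstall registry keys, a header comment stating what it removes and how it is expected to be invoked (and that `Test-Administrator` is the only guard) would help the next maintainer.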
@@ -0,0 +1,27 @@
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+
+public class MdmRegistration
+{
+ [DllImport("mdmregistration.dll", SetLastError = true)]
+ public static extern int UnregisterDeviceWithManagement(IntPtr pDeviceID);
+
+ public static int UnregisterDevice()
+ {
+ return UnregisterDeviceWithManagement(IntPtr.Zero);
+ }
+}
+"@ -Language CSharp
+
+try {
+ $result = [MdmRegistration]::UnregisterDevice()
+
+ if ($result -ne 0) {
+ throw "UnregisterDeviceWithManagement failed with error code: $result"
+ }
+
+ Write-Host "Device unregistration called successfully."
+} catch {
+ Write-Error "Error calling UnregisterDeviceWithManagement: $_"
+}
diff --git a/it-and-security/teams/explore-data.yml b/it-and-security/teams/explore-data.yml
new file mode 100644
index 000000000..4fef4ef02
--- /dev/null
+++ b/it-and-security/teams/explore-data.yml
@@ -0,0 +1,43 @@
+name: "Explore data (fleetdm.com) [DO NOT DELETE]"
+team_settings:
+ features:
+ enable_host_users: true
+ enable_software_inventory: true
+ host_expiry_settings:
+ host_expiry_enabled: false
+ host_expiry_window: 0
+ secrets:
+ - secret: $DOGFOOD_EXPLORE_DATA_ENROLL_SECRET
+agent_options:
+ config:
+ decorators:
+ load:
+ - SELECT uuid AS host_uuid FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ options:
+ disable_distributed: false
+ distributed_interval: 5
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ logger_tls_endpoint: /api/v1/osquery/log
+ pack_delimiter: /
+controls:
+ enable_disk_encryption: false
+ macos_settings:
+ custom_settings:
+ macos_setup:
+ bootstrap_package: null
+ enable_end_user_authentication: false
+ macos_setup_assistant: null
+ macos_updates:
+ deadline: null
+ minimum_version: null
+ windows_settings:
+ custom_settings: null
+ windows_updates:
+ deadline_days: null
+ grace_period_days: null
+ scripts:
+policies:
+queries:
+ - path: ../lib/explore-data.queries.yml
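Review bot: The `catch` block reports via `Write-Error`, which is non-terminating, so the script still exits with status 0 when `UnregisterDeviceWithManagement` fails; if the script runner uses the exit code to mark the run as failed, add `exit 1` after the `Write-Error` line. The return value is an HRESULT, so formatting it as hex, `throw ("UnregisterDeviceWithManagement failed with error code: 0x{0:X8}" -f $result)`, makes the code directly searchable in the Windows error references. A header comment stating that this unenrolls the device from its current MDM server — and so changes the host's management state until it re-enrolls — would be worthwhile, since the file name is the only documentation.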
diff --git a/it-and-security/teams/servers-canary.yml b/it-and-security/teams/servers-canary.yml
new file mode 100644
index 000000000..a009d9dcf
--- /dev/null
+++ b/it-and-security/teams/servers-canary.yml
@@ -0,0 +1,31 @@
+name: "Servers (canary)"
+team_settings:
+ features:
+ enable_host_users: false
+ enable_software_inventory: false
+ host_expiry_settings:
+ host_expiry_enabled: false
+ host_expiry_window: 0
+ secrets:
+ - secret: $DOGFOOD_SERVERS_CANARY_ENROLL_SECRET
+agent_options:
+ path: ../lib/servers.agent-options.yml
+controls:
+ enable_disk_encryption: false
+ macos_settings:
+ custom_settings:
+ macos_setup:
+ bootstrap_package: null
+ enable_end_user_authentication: false
+ macos_setup_assistant: null
+ macos_updates:
+ deadline: null
+ minimum_version: null
+ windows_settings:
+ custom_settings: null
+ windows_updates:
+ deadline_days: null
+ grace_period_days: null
+ scripts:
+policies:
+queries:
diff --git a/it-and-security/teams/servers.yml b/it-and-security/teams/servers.yml
new file mode 100644
index 000000000..b10d25d3e
--- /dev/null
+++ b/it-and-security/teams/servers.yml
@@ -0,0 +1,31 @@
+name: "Servers"
+team_settings:
+ features:
+ enable_host_users: true
+ enable_software_inventory: true
+ host_expiry_settings:
+ host_expiry_enabled: false
+ host_expiry_window: 0
+ secrets:
+ - secret: $DOGFOOD_SERVERS_ENROLL_SECRET
+agent_options:
+ path: ../lib/servers.agent-options.yml
+controls:
+ enable_disk_encryption: false
+ macos_settings:
+ custom_settings:
+ macos_setup:
+ bootstrap_package: null
+ enable_end_user_authentication: false
+ macos_setup_assistant: null
+ macos_updates:
+ deadline: null
+ minimum_version: null
+ windows_settings:
+ custom_settings: null
+ windows_updates:
+ deadline_days: null
+ grace_period_days: null
+ scripts:
+policies:
+queries:
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
new file mode 100644
index 000000000..bd34a4f4a
--- /dev/null
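Review bot: `enable_host_users: false` and `enable_software_inventory: false` in servers-canary.yml differ from the `true` values in `it-and-security/teams/servers.yml` in the same hunk, so the canary team does not exercise the feature set that will roll to the Servers team. If the difference is deliberate, a comment on those two lines (`# intentionally differs from servers.yml: ...`) would stop a later sync from "fixing" it; if not, align them with servers.yml. Both files leave `scripts:`, `policies:` and `queries:` as bare keys, which parse as null rather than empty lists — fine if the gitops loader treats them the same, but `[]` would state the intent.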
+++ b/it-and-security/teams/workstations-canary.yml 
@@ -0,0 +1,68 @@
+name: "Workstations (canary)"
+team_settings:
+ features:
+ enable_host_users: true
+ enable_software_inventory: true
+ host_expiry_settings:
+ host_expiry_enabled: false
+ host_expiry_window: 0
+ secrets:
+ - secret: $DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET
+agent_options:
+ path: ../lib/agent-options.yml
+controls:
+ enable_disk_encryption: true
+ macos_settings:
+ custom_settings:
+ - path: ../../mdm_profiles/automatic_updates.mobileconfig
+ - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
+ - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_content_caching.mobileconfig
+ - path: ../../mdm_profiles/disable_guest_account.mobileconfig
+ - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
+ - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
+ - path: ../../mdm_profiles/enable_doh.mobileconfig
+ - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
+ - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
+ - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
+ - path: ../../mdm_profiles/firewall.mobileconfig
+ - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
+ - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
+ - path: ../../mdm_profiles/misc.mobileconfig
+ - path: ../../mdm_profiles/password_policy.mobileconfig
+ - path: ../../mdm_profiles/prevent_autologon.mobileconfig
+ - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
+ - path: ../../mdm_profiles/time_and_date.mobileconfig
+ macos_setup:
+ bootstrap_package: ""
+ enable_end_user_authentication: true
+ macos_setup_assistant: null
+ macos_updates:
+ deadline: "2023-12-15"
+ minimum_version: "14.2"
+ windows_settings:
+ custom_settings: null
+ windows_updates:
+ deadline_days: 7
+ grace_period_days: 2
+ scripts:
+ - path: ../lib/collect-fleetd-logs.sh
+ - path: ../lib/macos-see-automatic-enrollment-profile.sh
+ - path: ../lib/windows-remove-fleetd.ps1
+ - path: ../lib/windows-turn-off-mdm.ps1
+policies:
+ - path: ../lib/macos-device-health.policies.yml
+ - path: ../lib/windows-device-health.policies.yml
+ - path: ../lib/linux-device-health.policies.yml
+ - name: chromeOS/macOS - Screenlock enabled
+ query: SELECT 1 FROM screenlock WHERE enabled = 1;
+ critical: false
+ description: ""
+ resolution: ""
+ platform: darwin,chrome
+queries:
+ - path: ../lib/collect-failed-login-attempts.queries.yml
+ - path: ../lib/collect-usb-devices.queries.yml
+ - path: ../lib/collect-vs-code-extensions.queries.yml
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
new file mode 100644
index 000000000..65fe53fdc
--- /dev/null
+++ b/it-and-security/teams/workstations.yml
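Review bot: `deadline: "2023-12-15"` under `macos_updates` (and `"2023-12-19"` in `it-and-security/teams/workstations.yml`) is already in the past relative to this commit, so every macOS host below `14.2` is past its deadline the moment the config applies; if the dates were carried over from the live configuration that may be intended, but a comment on the line (`# carried over from the pre-gitops config; refresh when the next minimum_version is set`) or a fresh date would make that explicit. The canary also carries an inline `chromeOS/macOS - Screenlock enabled` policy with empty `description` and `resolution` that workstations.yml does not — presumably a staged rollout, which a comment on the entry would confirm, and the empty fields mean end users see no guidance when it fails. `bootstrap_package: ""` here versus `null` in the server team files: worth picking one spelling for "unset" across the teams.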
@@ -0,0 +1,62 @@
+name: "Workstations"
+team_settings:
+ features:
+ enable_host_users: true
+ enable_software_inventory: true
+ host_expiry_settings:
+ host_expiry_enabled: false
+ host_expiry_window: 0
+ secrets:
+ - secret: $DOGFOOD_WORKSTATIONS_ENROLL_SECRET
+agent_options:
+ path: ../lib/agent-options.yml
+controls:
+ enable_disk_encryption: true
+ macos_settings:
+ custom_settings:
+ - path: ../../mdm_profiles/automatic_updates.mobileconfig
+ - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
+ - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_content_caching.mobileconfig
+ - path: ../../mdm_profiles/disable_guest_account.mobileconfig
+ - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
+ - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
+ - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
+ - path: ../../mdm_profiles/enable_doh.mobileconfig
+ - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
+ - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
+ - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
+ - path: ../../mdm_profiles/firewall.mobileconfig
+ - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
+ - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
+ - path: ../../mdm_profiles/misc.mobileconfig
+ - path: ../../mdm_profiles/password_policy.mobileconfig
+ - path: ../../mdm_profiles/prevent_autologon.mobileconfig
+ - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
+ - path: ../../mdm_profiles/time_and_date.mobileconfig
+ macos_setup:
+ bootstrap_package: ""
+ enable_end_user_authentication: true
+ macos_setup_assistant: null
+ macos_updates:
+ deadline: "2023-12-19"
+ minimum_version: "14.2"
+ windows_settings:
+ custom_settings: null
+ windows_updates:
+ deadline_days: 7
+ grace_period_days: 2
+ scripts:
+ - path: ../lib/collect-fleetd-logs.sh
+ - path: ../lib/macos-see-automatic-enrollment-profile.sh
+ - path: ../lib/windows-remove-fleetd.ps1
+ - path: ../lib/windows-turn-off-mdm.ps1
+policies:
+ - path: ../lib/macos-device-health.policies.yml
+ - path: ../lib/windows-device-health.policies.yml
+ - path: ../lib/linux-device-health.policies.yml
+queries:
+ - path: ../lib/collect-failed-login-attempts.queries.yml
+ - path: ../lib/collect-usb-devices.queries.yml
+ - path: ../lib/collect-vs-code-extensions.queries.yml