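---
# osquery Windows role vars.
# Consumed by roles/juju4.win-osquery (see its defaults/main.yml for the
# full variable set and defaults); the pack selection was originally taken
# from the Wazuh-provided osquery config (JSON).

# File integrity monitoring. Left off here: an unscoped FIM path list is
# noisy and costly, so enable it deliberately with a curated set of
# sensitive paths rather than just flipping this to true (what FIM covers
# is defined by the role, not by this file).
win_osquery_fim: false

# Results are written to local disk. On a compromised host a local-only log
# can be edited or deleted, so an off-host copy matters: the Wazuh agent
# presumably ships these files (verify that forwarding is actually in
# place); otherwise the tls logger is the alternative.
win_osquery_logger_plugin: "filesystem"

# Pack files copied to the target. Uploading a pack does not enable it:
# performance-metrics-extras is uploaded but deliberately not scheduled
# (see the "buggy" note under win_osquery_packs).
win_osquery_upload_packs:
- osquery-windows-pack
- osquery-windows-snapshots-pack
- osquery-msoffice-pack
- osquery-chrome-pack
- osquery-windows-tunneling-pack
- performance-metrics-extras
- windows-hardening

# Packs enabled in the osquery schedule. The effective enabled set is this
# list plus win_osquery_packs_palantir below.
# Packs from the usual Linux layout that were not found for Windows and are
# therefore not enabled:
#   osquery-monitoring   (/usr/share/osquery/packs/osquery-monitoring.conf)
#   it-compliance        (/usr/share/osquery/packs/it-compliance.conf)
#   vuln-management      (/usr/share/osquery/packs/vuln-management.conf)
#   hardware-monitoring
#   unwanted-chrome-extensions
# Packs tried and disabled as buggy on this platform:
#   incident-response, windows-attacks, performance-metrics-extras
win_osquery_packs:
- windows-hardening
- osquery-windows-pack
- osquery-windows-snapshots-pack
- osquery-msoffice-pack
- osquery-chrome-pack
- osquery-windows-tunneling-pack

# Enable the palantir pack set and pick which of its packs to schedule.
win_osquery_palantir: true
win_osquery_packs_palantir:
- performance-metrics
- security-tooling-checks
- windows-application-security
- windows-compliance
- windows-registry-monitoring

# Change-watching of the common Windows persistence locations (drivers,
# services, startup items, scheduled tasks) — presumably mapped by the role
# to scheduled queries. Keep all four on: these are the locations an
# attacker modifies to survive a reboot.
win_osquery_watch_drivers: true
win_osquery_watch_services: true
win_osquery_watch_startups: true
win_osquery_watch_schtasks: true

# Unclear whether the role honours this on Windows (original note: "?");
# left disabled.
# osquery_testing: false

# Query profiling; off. Which config to profile was never settled, the
# candidates are kept below.
osquery_profiling: false
# osquery_profiling_conf: "{{ win_osquery_dir }}\\osquery.conf"
# osquery_profiling_conf: c:\ProgramData\osquery\osquery.conf
# osquery_profiling_conf: "{{ win_osquery_dir }}\\packs\\osquery-windows-pack.conf"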
# Loaded dashboards