OpenPlgx
11/16/2021, 4:08 AM
lvferdi
11/16/2021, 1:03 PM
{
  "options": {
    "utc": "true",
    "custom_plgx_EnableSSL": "true",
    "custom_plgx_EnableAmsiStreamEventData": "true",
    "custom_plgx_EnablePacketInspection": "true"
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT name AS os_name, version AS os_version FROM os_version;",
      "SELECT config_hash FROM osquery_info;"
    ],
    "interval": {
      "300": [
        "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
      ]
    }
  },
  "packs": {
    "docker": "C:\\Program Files\\osquery\\packs\\docker.conf",
    "osquery-monitoring": "C:\\Program Files\\osquery\\packs\\osquery-monitoring.conf",
    "events": "C:\\Program Files\\osquery\\packs\\events.conf",
    "combined": "C:\\Program Files\\osquery\\packs\\combined.conf",
    "browser-extensions": "C:\\Program Files\\osquery\\packs\\browser-extensions.conf",
    "windows": "C:\\Program Files\\osquery\\packs\\windows.conf"
  },
  "plgx_event_filters": {
    "win_ssl_events": {
      "process_name": {
        "exclude": {
          "values": [
            "C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
            "C:\\Program Files\\SplunkForwarder\\bin\\splunkd.exe",
himanshu
11/16/2021, 1:30 PM
plgx_event_control is the JSON tag which specifies rules for blocking. This JSON has only plgx_event_filters, which specifies only event filters. Since plgx_event_control is not there in the JSON, the extension is showing an Info-level message "No event control (blocking) filter found in config". This message has no relation to plgx_event_filters. Probably the message string could have been better to avoid confusion. If osquery is run without the --verbose flag, the "No event control (blocking) filter found in config" log won't show up, since it is an Info-level log.
lvferdi
11/16/2021, 3:15 PM
plgx_event_control is the flag specific to the event blocking rules for process, reg and file events. Thanks for clearing it up.
himanshu
11/17/2021, 4:55 AM