CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-05 19:08:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ff900d1dc6d704a0a8980d6a731e63dedfd8d44e
securityonion/salt/fleet/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
T
Mike Reeves ff900d1dc6 Fleet Module - Adding some Rule Packs
2019-01-24 10:41:40 -05:00

60 lines
2.3 KiB
YAML
Raw Blame History

---
apiVersion: v1
kind: pack
spec:
name: security-tooling-checks
queries:
- description: Returns an event if a EndpointSecurityTool process is not found running
from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
(Windows)
interval: 28800
name: endpoint_security_tool_not_running
platform: windows,darwin
query: endpoint_security_tool_not_running
snapshot: true
- description: "Returns an event if a BackupTool process is not found running from
'/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
interval: 28800
name: backup_tool_not_running
platform: windows,darwin
query: backup_tool_not_running
snapshot: true
- description: Returns the content of the key if the backend server does not match
the expected value
interval: 3600
name: endpoint_security_tool_backend_server_registry_misconfigured
platform: windows
query: endpoint_security_tool_backend_server_registry_misconfigured
targets:
labels: null
---
apiVersion: v1
kind: query
spec:
description: Returns an event if a EndpointSecurityTool process is not found running
from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
(Windows)
name: endpoint_security_tool_not_running
query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
process_count from processes where path='/Applications/EndpointSecurityTool' OR
lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: "Returns an event if a BackupTool process is not found running from
'/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
name: backup_tool_not_running
query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
process_count from processes where path='/Applications/BackupTool' OR lower(path)
LIKE 'c:\backuptool.exe') where process_exists!=1;
---
apiVersion: v1
kind: query
spec:
description: Returns the content of the key if the backend server does not match
the expected value
name: endpoint_security_tool_backend_server_registry_misconfigured
query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation'
AND data!='https://expected_endpoint.local';
Reference in New Issue View Git Blame Copy Permalink