{
"queries": {
"endpoint_security_tool_backend_server_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\EndpointSecurityTool\\BackendServerLocation' AND data!='https://expected_endpoint.local';",
"interval": 3600,
"description": "Returns the contents of the registry key if the configured backend server location does not match the expected value",
"platform": "windows"
},
"endpoint_security_tool_not_running": {
"query": "SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as process_count from processes where path='/Applications/EndpointSecurityTool' OR lower(path)='c:\\endpointsecuritytool.exe') where process_exists!=1;",
"interval": 28800,
"description": "Returns an event if an EndpointSecurityTool process is not found running from '/Applications/EndpointSecurityTool' (OSX) or 'c:\\endpointsecuritytool.exe' (Windows)",
"platform": "windows,darwin",
"snapshot": true
},
"backup_tool_not_running": {
"query": "SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as process_count from processes where path='/Applications/BackupTool' OR lower(path) LIKE 'c:\\backuptool.exe') where process_exists!=1;",
"interval": 28800,
"description": "Returns an event if a BackupTool process is not found running from '/Applications/BackupTool' (OSX) or 'c:\\backuptool.exe' (Windows)",
"platform": "windows,darwin",
"snapshot": true
}
}
}