macOS osquery Daemon Configuration

{

"options": {

"config_plugin": "filesystem",

"logger_plugin": "filesystem",

"utc": "true",

"enable_file_events":"true",

"disable_events":"false"

},

"file_paths": {

"dir_system_app_support": [

"/Library/Application Support/%"

],

"dir_user_app_support": [

"/Users/%/Application Support/%"

],

"dir_shared": [

"/Users/Shared/%"

],

"dir_private_tmp": [

"/private/tmp/%"

],

"dir_user_downloads": [

"/Users/%/Downloads/%"

],

"dir_native_launchd": [

"/System/Library/LaunchDaemons/%"

],

"dir_third_party_launchd": [

"/Library/LaunchDaemons/%"

],

"dir_macos_launcha": [

"/System/Library/LaunchAgents/%"

],

"dir_all_users_launcha": [

"/Library/LaunchAgents/%"

],

"dir_apps": [

"/Applications/%%"

]

},

"yara": {

"signatures": {

"sig_group_1": [ "/var/run/cisco/orbital/config/yara_sigs/suspicious_app.yar" ]

},

"file_paths": {

"dir_apps": [ "sig_group_1" ]

}

}

}
