{
  "platform": "all",
  "version": "1.0.0",
  "description": "Incident response triage queries for rapid forensic collection",
  "queries": {
    "system_info_snapshot": {
      "query": "SELECT * FROM system_info;",
      "interval": 0,
      "snapshot": true,
      "description": "Complete system information snapshot"
    },
    "users_snapshot": {
      "query": "SELECT uid, gid, username, description, directory, shell FROM users;",
      "interval": 0,
      "snapshot": true,
      "description": "All user accounts"
    },
    "logged_in_users": {
      "query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
      "interval": 300,
      "description": "Currently logged-in users"
    },
    "last_logins": {
      "query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
      "interval": 600,
      "description": "Recent login history"
    },
    "running_processes": {
      "query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
      "interval": 300,
      "description": "All running processes with metadata"
    },
    "processes_deleted_binary": {
      "query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
      "interval": 300,
      "description": "Processes with deleted executables (malware indicator)"
    },
    "network_connections": {
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
      "interval": 300,
      "description": "Active external network connections"
    },
    "listening_ports": {
      "query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
      "interval": 600,
      "description": "Network services listening on external interfaces"
    },
    "interface_addresses": {
      "query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
      "interval": 3600,
      "description": "Network interface configuration"
    },
    "arp_cache": {
      "query": "SELECT address, mac, interface, permanent FROM arp_cache;",
      "interval": 600,
      "description": "ARP cache entries"
    },
    "dns_resolvers": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600,
      "description": "Configured DNS resolvers"
    },
    "tmp_directory_files": {
      "query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
      "interval": 900,
      "description": "Files in temporary directories",
      "snapshot": true
    },
    "recent_file_modifications": {
      "query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
      "interval": 3600,
      "description": "Recently modified system files (last 24 hours)"
    },
    "user_groups": {
      "query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
      "interval": 3600,
      "description": "Users in privileged groups"
    }
  }
}