{ "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "disable_logging": false, "log_result_events": true, "schedule_splay_percent": 10, "pidfile": "/var/osquery/osquery.pidfile", "events_expiry": 3600, "database_path": "/var/osquery/osquery.db", "verbose": false, "worker_threads": 4, "enable_monitor": true, "disable_events": false, "disable_audit": false, "audit_allow_config": true, "audit_allow_sockets": true, "host_identifier": "hostname", "enable_syslog": false, "watchdog_level": 1, "watchdog_memory_limit": 250, "watchdog_utilization_limit": 20 }, "schedule": { "system_info": { "query": "SELECT hostname, cpu_brand, physical_memory, hardware_model FROM system_info;", "interval": 3600, "description": "Collect basic system information" }, "os_version": { "query": "SELECT name, version, platform, build FROM os_version;", "interval": 3600, "description": "OS version information" }, "logged_in_users": { "query": "SELECT user, tty, host, time, pid FROM logged_in_users;", "interval": 600, "description": "Currently logged-in users" }, "running_processes": { "query": "SELECT pid, name, path, cmdline, uid, parent FROM processes;", "interval": 300, "description": "Monitor running processes" }, "suspicious_processes": { "query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0 OR path LIKE '%/tmp/%' OR path LIKE '%Temp%';", "interval": 300, "description": "Processes whose executable is no longer on disk (on_disk = 0) or whose path contains /tmp/ or Temp" }, "network_connections": { "query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');", "interval": 600, "description": "Open sockets with a non-loopback, non-wildcard remote address, with the owning process" }, "listening_ports": { "query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');", "interval": 600, "description": "Ports listening on non-loopback addresses, with the owning process name and path where available" } }, "packs": { "ir-triage": "/etc/osquery/packs/ir-triage.conf", "persistence-hunt": "/etc/osquery/packs/persistence-hunt.conf", "lateral-movement": "/etc/osquery/packs/lateral-movement.conf", "credential-access": "/etc/osquery/packs/credential-access.conf" }, "decorators": { "load": [ "SELECT uuid AS host_uuid FROM system_info;", "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" ] } }