gh-agentsecops-secopsagentkit/skills/incident-response/forensics-osquery/assets/forensic-packs/ir-triage.conf
2025-11-29 17:51:02 +08:00


{
"platform": "all",
"version": "1.0.0",
"description": "Incident response triage queries for rapid forensic collection",
"queries": {
"system_info_snapshot": {
"query": "SELECT * FROM system_info;",
"interval": 0,
"snapshot": true,
"description": "Complete system information snapshot"
},
"users_snapshot": {
"query": "SELECT uid, gid, username, description, directory, shell FROM users;",
"interval": 0,
"snapshot": true,
"description": "All user accounts"
},
"logged_in_users": {
"query": "SELECT user, tty, host, time, pid FROM logged_in_users;",
"interval": 300,
"description": "Currently logged-in users"
},
"last_logins": {
"query": "SELECT username, tty, pid, type, time, host FROM last ORDER BY time DESC LIMIT 50;",
"interval": 600,
"description": "Recent login history"
},
"running_processes": {
"query": "SELECT pid, name, path, cmdline, cwd, uid, gid, parent, state, start_time FROM processes ORDER BY start_time DESC;",
"interval": 300,
"description": "All running processes with metadata"
},
"processes_deleted_binary": {
"query": "SELECT pid, name, path, cmdline, parent FROM processes WHERE on_disk = 0;",
"interval": 300,
"description": "Processes whose executable has been deleted from disk (common malware indicator)"
},
"network_connections": {
"query": "SELECT p.pid, p.name, p.path, p.cmdline, ps.local_address, ps.local_port, ps.remote_address, ps.remote_port, ps.protocol, ps.state FROM processes p JOIN process_open_sockets ps ON p.pid = ps.pid WHERE ps.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0');",
"interval": 300,
"description": "Active network connections to non-loopback remote addresses"
},
"listening_ports": {
"query": "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.name, p.path, p.cmdline FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.address NOT IN ('127.0.0.1', '::1');",
"interval": 600,
"description": "Network services listening on non-loopback addresses"
},
"interface_addresses": {
"query": "SELECT interface, address, mask, broadcast, type FROM interface_addresses;",
"interval": 3600,
"description": "Network interface configuration"
},
"arp_cache": {
"query": "SELECT address, mac, interface, permanent FROM arp_cache;",
"interval": 600,
"description": "ARP cache entries"
},
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600,
"description": "Configured DNS resolvers"
},
"tmp_directory_files": {
"query": "SELECT path, filename, size, mtime, ctime, atime, uid, gid, mode FROM file WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE 'C:\\Temp\\%' OR path LIKE 'C:\\Windows\\Temp\\%';",
"interval": 900,
"description": "Files in temporary directories",
"snapshot": true
},
"recent_file_modifications": {
"query": "SELECT path, filename, size, mtime, uid, gid FROM file WHERE (path LIKE '/etc/%' OR path LIKE '/usr/bin/%' OR path LIKE 'C:\\Windows\\System32\\%') AND mtime > (strftime('%s', 'now') - 86400) ORDER BY mtime DESC LIMIT 100;",
"interval": 3600,
"description": "Recently modified system files (last 24 hours)"
},
"user_groups": {
"query": "SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE g.groupname IN ('sudo', 'wheel', 'admin', 'root', 'Administrators');",
"interval": 3600,
"description": "Users in privileged groups"
}
}
}