Created
January 27, 2022 20:19
-
-
Save blakerouse/88c9e461c031fc089e0f8601b78b48de to your computer and use it in GitHub Desktop.
Simple Elastic Agent Fleet Policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 2016d7cc-135e-5583-9758-3ba01f5a06e5 | |
| revision: 3 | |
| outputs: | |
| default: | |
| type: elasticsearch | |
| hosts: | |
| - 'http://localhost:9200' | |
| output_permissions: | |
| default: | |
| _elastic_agent_monitoring: | |
| indices: | |
| - names: | |
| - logs-elastic_agent.apm_server-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.apm_server-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.auditbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.auditbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.elastic_agent-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.endpoint_security-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.endpoint_security-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.filebeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.filebeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.fleet_server-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.fleet_server-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.heartbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.heartbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.metricbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.metricbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.osquerybeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.osquerybeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-elastic_agent.packetbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-elastic_agent.packetbeat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| _elastic_agent_checks: | |
| cluster: | |
| - monitor | |
| system-1: | |
| indices: | |
| - names: | |
| - logs-system.auth-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-system.syslog-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-system.application-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-system.security-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-system.system-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.cpu-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.diskio-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.filesystem-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.fsstat-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.load-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.memory-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.network-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.process-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.process.summary-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.socket_summary-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-system.uptime-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| endpoint-1: | |
| indices: | |
| - names: | |
| - .logs-endpoint.action.responses-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - .logs-endpoint.actions-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.alerts-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - .logs-endpoint.diagnostic.collection-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.file-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.library-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-endpoint.metadata-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-endpoint.metrics-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.network-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - metrics-endpoint.policy-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.process-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.registry-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| - names: | |
| - logs-endpoint.events.security-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| osquery_manager-1: | |
| indices: | |
| - names: | |
| - logs-osquery_manager.result-default | |
| privileges: | |
| - auto_configure | |
| - create_doc | |
| agent: | |
| monitoring: | |
| enabled: true | |
| use_output: default | |
| namespace: default | |
| logs: true | |
| metrics: true | |
| inputs: | |
| - id: default-system-policy | |
| name: system-1 | |
| revision: 1 | |
| type: logfile | |
| use_output: default | |
| meta: | |
| package: | |
| name: system | |
| version: 1.6.4 | |
| data_stream: | |
| namespace: default | |
| streams: | |
| - id: logfile-system.auth-default-system-policy | |
| data_stream: | |
| dataset: system.auth | |
| type: logs | |
| paths: | |
| - /var/log/auth.log* | |
| - /var/log/secure* | |
| exclude_files: | |
| - .gz$ | |
| multiline: | |
| pattern: ^\s | |
| match: after | |
| processors: | |
| - add_locale: null | |
| - id: logfile-system.syslog-default-system-policy | |
| data_stream: | |
| dataset: system.syslog | |
| type: logs | |
| paths: | |
| - /var/log/messages* | |
| - /var/log/syslog* | |
| exclude_files: | |
| - .gz$ | |
| multiline: | |
| pattern: ^\s | |
| match: after | |
| processors: | |
| - add_locale: null | |
| - id: default-system-policy | |
| name: system-1 | |
| revision: 1 | |
| type: winlog | |
| use_output: default | |
| meta: | |
| package: | |
| name: system | |
| version: 1.6.4 | |
| data_stream: | |
| namespace: default | |
| streams: | |
| - id: winlog-system.application-default-system-policy | |
| name: Application | |
| data_stream: | |
| dataset: system.application | |
| type: logs | |
| condition: '${host.platform} == ''windows''' | |
| ignore_older: 72h | |
| tags: null | |
| - id: winlog-system.security-default-system-policy | |
| name: Security | |
| data_stream: | |
| dataset: system.security | |
| type: logs | |
| condition: '${host.platform} == ''windows''' | |
| tags: null | |
| - id: winlog-system.system-default-system-policy | |
| name: System | |
| data_stream: | |
| dataset: system.system | |
| type: logs | |
| condition: '${host.platform} == ''windows''' | |
| tags: null | |
| - id: default-system-policy | |
| name: system-1 | |
| revision: 1 | |
| type: system/metrics | |
| use_output: default | |
| meta: | |
| package: | |
| name: system | |
| version: 1.6.4 | |
| data_stream: | |
| namespace: default | |
| streams: | |
| - id: system/metrics-system.cpu-default-system-policy | |
| data_stream: | |
| dataset: system.cpu | |
| type: metrics | |
| metricsets: | |
| - cpu | |
| cpu.metrics: | |
| - percentages | |
| - normalized_percentages | |
| period: 10s | |
| - id: system/metrics-system.diskio-default-system-policy | |
| data_stream: | |
| dataset: system.diskio | |
| type: metrics | |
| metricsets: | |
| - diskio | |
| diskio.include_devices: null | |
| period: 10s | |
| - id: system/metrics-system.filesystem-default-system-policy | |
| data_stream: | |
| dataset: system.filesystem | |
| type: metrics | |
| metricsets: | |
| - filesystem | |
| period: 1m | |
| processors: | |
| - drop_event.when.regexp: | |
| system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) | |
| - id: system/metrics-system.fsstat-default-system-policy | |
| data_stream: | |
| dataset: system.fsstat | |
| type: metrics | |
| metricsets: | |
| - fsstat | |
| period: 1m | |
| processors: | |
| - drop_event.when.regexp: | |
| system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) | |
| - id: system/metrics-system.load-default-system-policy | |
| data_stream: | |
| dataset: system.load | |
| type: metrics | |
| metricsets: | |
| - load | |
| condition: '${host.platform} != ''windows''' | |
| period: 10s | |
| - id: system/metrics-system.memory-default-system-policy | |
| data_stream: | |
| dataset: system.memory | |
| type: metrics | |
| metricsets: | |
| - memory | |
| period: 10s | |
| - id: system/metrics-system.network-default-system-policy | |
| data_stream: | |
| dataset: system.network | |
| type: metrics | |
| metricsets: | |
| - network | |
| period: 10s | |
| network.interfaces: null | |
| - id: system/metrics-system.process-default-system-policy | |
| data_stream: | |
| dataset: system.process | |
| type: metrics | |
| metricsets: | |
| - process | |
| period: 10s | |
| process.include_top_n.by_cpu: 5 | |
| process.include_top_n.by_memory: 5 | |
| process.cmdline.cache.enabled: true | |
| process.cgroups.enabled: false | |
| process.include_cpu_ticks: false | |
| processes: | |
| - .* | |
| - id: system/metrics-system.process.summary-default-system-policy | |
| data_stream: | |
| dataset: system.process.summary | |
| type: metrics | |
| metricsets: | |
| - process_summary | |
| period: 10s | |
| - id: system/metrics-system.socket_summary-default-system-policy | |
| data_stream: | |
| dataset: system.socket_summary | |
| type: metrics | |
| metricsets: | |
| - socket_summary | |
| period: 10s | |
| - id: system/metrics-system.uptime-default-system-policy | |
| data_stream: | |
| dataset: system.uptime | |
| type: metrics | |
| metricsets: | |
| - uptime | |
| period: 10s | |
| - id: 69ecb9b6-ade0-41f0-8f54-dfa55c1853b6 | |
| name: endpoint-1 | |
| revision: 1 | |
| type: endpoint | |
| use_output: default | |
| meta: | |
| package: | |
| name: endpoint | |
| version: 1.3.0 | |
| data_stream: | |
| namespace: default | |
| artifact_manifest: | |
| manifest_version: 1.0.0 | |
| schema_version: v1 | |
| artifacts: | |
| endpoint-exceptionlist-macos-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-exceptionlist-windows-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-exceptionlist-linux-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-trustlist-macos-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-trustlist-windows-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-trustlist-linux-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-eventfilterlist-macos-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-eventfilterlist-windows-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-eventfilterlist-linux-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-hostisolationexceptionlist-macos-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-hostisolationexceptionlist-windows-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| endpoint-hostisolationexceptionlist-linux-v1: | |
| encryption_algorithm: none | |
| decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| decoded_size: 14 | |
| encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
| encoded_size: 22 | |
| relative_url: >- | |
| /api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
| compression_algorithm: zlib | |
| policy: | |
| windows: | |
| events: | |
| dll_and_driver_load: true | |
| dns: true | |
| file: true | |
| network: true | |
| process: true | |
| registry: true | |
| security: true | |
| malware: | |
| mode: prevent | |
| ransomware: | |
| mode: prevent | |
| supported: true | |
| memory_protection: | |
| mode: prevent | |
| supported: true | |
| behavior_protection: | |
| mode: prevent | |
| supported: true | |
| popup: | |
| malware: | |
| enabled: true | |
| message: '' | |
| ransomware: | |
| enabled: true | |
| message: '' | |
| memory_protection: | |
| enabled: true | |
| message: '' | |
| behavior_protection: | |
| enabled: true | |
| message: '' | |
| logging: | |
| file: info | |
| antivirus_registration: | |
| enabled: false | |
| mac: | |
| events: | |
| process: true | |
| file: true | |
| network: true | |
| malware: | |
| mode: prevent | |
| behavior_protection: | |
| mode: prevent | |
| supported: true | |
| memory_protection: | |
| mode: prevent | |
| supported: true | |
| popup: | |
| malware: | |
| enabled: true | |
| message: '' | |
| behavior_protection: | |
| enabled: true | |
| message: '' | |
| memory_protection: | |
| enabled: true | |
| message: '' | |
| logging: | |
| file: info | |
| linux: | |
| events: | |
| process: true | |
| file: true | |
| network: true | |
| malware: | |
| mode: prevent | |
| behavior_protection: | |
| mode: prevent | |
| supported: true | |
| memory_protection: | |
| mode: prevent | |
| supported: true | |
| popup: | |
| malware: | |
| enabled: true | |
| message: '' | |
| behavior_protection: | |
| enabled: true | |
| message: '' | |
| memory_protection: | |
| enabled: true | |
| message: '' | |
| logging: | |
| file: info | |
| - id: 9666ac0a-2486-4fdd-94e8-80e9819dd755 | |
| name: osquery_manager-1 | |
| revision: 1 | |
| type: osquery | |
| use_output: default | |
| meta: | |
| package: | |
| name: osquery_manager | |
| version: 1.0.0 | |
| data_stream: | |
| namespace: default | |
| fleet: | |
| hosts: | |
| - 'http://localhost:8220' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment