Created
January 27, 2022 20:19
-
-
Save blakerouse/88c9e461c031fc089e0f8601b78b48de to your computer and use it in GitHub Desktop.
Simple Elastic Agent Fleet Policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
id: 2016d7cc-135e-5583-9758-3ba01f5a06e5 | |
revision: 3 | |
outputs: | |
default: | |
type: elasticsearch | |
hosts: | |
- 'http://localhost:9200' | |
output_permissions: | |
default: | |
_elastic_agent_monitoring: | |
indices: | |
- names: | |
- logs-elastic_agent.apm_server-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.apm_server-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.auditbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.auditbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.elastic_agent-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.endpoint_security-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.endpoint_security-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.filebeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.filebeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.fleet_server-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.fleet_server-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.heartbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.heartbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.metricbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.metricbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.osquerybeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.osquerybeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-elastic_agent.packetbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-elastic_agent.packetbeat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
_elastic_agent_checks: | |
cluster: | |
- monitor | |
system-1: | |
indices: | |
- names: | |
- logs-system.auth-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-system.syslog-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-system.application-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-system.security-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-system.system-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.cpu-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.diskio-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.filesystem-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.fsstat-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.load-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.memory-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.network-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.process-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.process.summary-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.socket_summary-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-system.uptime-default | |
privileges: | |
- auto_configure | |
- create_doc | |
endpoint-1: | |
indices: | |
- names: | |
- .logs-endpoint.action.responses-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- .logs-endpoint.actions-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.alerts-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- .logs-endpoint.diagnostic.collection-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.file-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.library-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-endpoint.metadata-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-endpoint.metrics-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.network-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- metrics-endpoint.policy-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.process-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.registry-default | |
privileges: | |
- auto_configure | |
- create_doc | |
- names: | |
- logs-endpoint.events.security-default | |
privileges: | |
- auto_configure | |
- create_doc | |
osquery_manager-1: | |
indices: | |
- names: | |
- logs-osquery_manager.result-default | |
privileges: | |
- auto_configure | |
- create_doc | |
agent: | |
monitoring: | |
enabled: true | |
use_output: default | |
namespace: default | |
logs: true | |
metrics: true | |
inputs: | |
- id: default-system-policy | |
name: system-1 | |
revision: 1 | |
type: logfile | |
use_output: default | |
meta: | |
package: | |
name: system | |
version: 1.6.4 | |
data_stream: | |
namespace: default | |
streams: | |
- id: logfile-system.auth-default-system-policy | |
data_stream: | |
dataset: system.auth | |
type: logs | |
paths: | |
- /var/log/auth.log* | |
- /var/log/secure* | |
exclude_files: | |
- .gz$ | |
multiline: | |
pattern: ^\s | |
match: after | |
processors: | |
- add_locale: null | |
- id: logfile-system.syslog-default-system-policy | |
data_stream: | |
dataset: system.syslog | |
type: logs | |
paths: | |
- /var/log/messages* | |
- /var/log/syslog* | |
exclude_files: | |
- .gz$ | |
multiline: | |
pattern: ^\s | |
match: after | |
processors: | |
- add_locale: null | |
- id: default-system-policy | |
name: system-1 | |
revision: 1 | |
type: winlog | |
use_output: default | |
meta: | |
package: | |
name: system | |
version: 1.6.4 | |
data_stream: | |
namespace: default | |
streams: | |
- id: winlog-system.application-default-system-policy | |
name: Application | |
data_stream: | |
dataset: system.application | |
type: logs | |
condition: '${host.platform} == ''windows''' | |
ignore_older: 72h | |
tags: null | |
- id: winlog-system.security-default-system-policy | |
name: Security | |
data_stream: | |
dataset: system.security | |
type: logs | |
condition: '${host.platform} == ''windows''' | |
tags: null | |
- id: winlog-system.system-default-system-policy | |
name: System | |
data_stream: | |
dataset: system.system | |
type: logs | |
condition: '${host.platform} == ''windows''' | |
tags: null | |
- id: default-system-policy | |
name: system-1 | |
revision: 1 | |
type: system/metrics | |
use_output: default | |
meta: | |
package: | |
name: system | |
version: 1.6.4 | |
data_stream: | |
namespace: default | |
streams: | |
- id: system/metrics-system.cpu-default-system-policy | |
data_stream: | |
dataset: system.cpu | |
type: metrics | |
metricsets: | |
- cpu | |
cpu.metrics: | |
- percentages | |
- normalized_percentages | |
period: 10s | |
- id: system/metrics-system.diskio-default-system-policy | |
data_stream: | |
dataset: system.diskio | |
type: metrics | |
metricsets: | |
- diskio | |
diskio.include_devices: null | |
period: 10s | |
- id: system/metrics-system.filesystem-default-system-policy | |
data_stream: | |
dataset: system.filesystem | |
type: metrics | |
metricsets: | |
- filesystem | |
period: 1m | |
processors: | |
- drop_event.when.regexp: | |
system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) | |
- id: system/metrics-system.fsstat-default-system-policy | |
data_stream: | |
dataset: system.fsstat | |
type: metrics | |
metricsets: | |
- fsstat | |
period: 1m | |
processors: | |
- drop_event.when.regexp: | |
system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) | |
- id: system/metrics-system.load-default-system-policy | |
data_stream: | |
dataset: system.load | |
type: metrics | |
metricsets: | |
- load | |
condition: '${host.platform} != ''windows''' | |
period: 10s | |
- id: system/metrics-system.memory-default-system-policy | |
data_stream: | |
dataset: system.memory | |
type: metrics | |
metricsets: | |
- memory | |
period: 10s | |
- id: system/metrics-system.network-default-system-policy | |
data_stream: | |
dataset: system.network | |
type: metrics | |
metricsets: | |
- network | |
period: 10s | |
network.interfaces: null | |
- id: system/metrics-system.process-default-system-policy | |
data_stream: | |
dataset: system.process | |
type: metrics | |
metricsets: | |
- process | |
period: 10s | |
process.include_top_n.by_cpu: 5 | |
process.include_top_n.by_memory: 5 | |
process.cmdline.cache.enabled: true | |
process.cgroups.enabled: false | |
process.include_cpu_ticks: false | |
processes: | |
- .* | |
- id: system/metrics-system.process.summary-default-system-policy | |
data_stream: | |
dataset: system.process.summary | |
type: metrics | |
metricsets: | |
- process_summary | |
period: 10s | |
- id: system/metrics-system.socket_summary-default-system-policy | |
data_stream: | |
dataset: system.socket_summary | |
type: metrics | |
metricsets: | |
- socket_summary | |
period: 10s | |
- id: system/metrics-system.uptime-default-system-policy | |
data_stream: | |
dataset: system.uptime | |
type: metrics | |
metricsets: | |
- uptime | |
period: 10s | |
- id: 69ecb9b6-ade0-41f0-8f54-dfa55c1853b6 | |
name: endpoint-1 | |
revision: 1 | |
type: endpoint | |
use_output: default | |
meta: | |
package: | |
name: endpoint | |
version: 1.3.0 | |
data_stream: | |
namespace: default | |
artifact_manifest: | |
manifest_version: 1.0.0 | |
schema_version: v1 | |
artifacts: | |
endpoint-exceptionlist-macos-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-exceptionlist-windows-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-exceptionlist-linux-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-trustlist-macos-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-trustlist-windows-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-trustlist-linux-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-eventfilterlist-macos-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-eventfilterlist-windows-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-eventfilterlist-linux-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-hostisolationexceptionlist-macos-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-hostisolationexceptionlist-windows-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
endpoint-hostisolationexceptionlist-linux-v1: | |
encryption_algorithm: none | |
decoded_sha256: d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
decoded_size: 14 | |
encoded_sha256: f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda | |
encoded_size: 22 | |
relative_url: >- | |
/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658 | |
compression_algorithm: zlib | |
policy: | |
windows: | |
events: | |
dll_and_driver_load: true | |
dns: true | |
file: true | |
network: true | |
process: true | |
registry: true | |
security: true | |
malware: | |
mode: prevent | |
ransomware: | |
mode: prevent | |
supported: true | |
memory_protection: | |
mode: prevent | |
supported: true | |
behavior_protection: | |
mode: prevent | |
supported: true | |
popup: | |
malware: | |
enabled: true | |
message: '' | |
ransomware: | |
enabled: true | |
message: '' | |
memory_protection: | |
enabled: true | |
message: '' | |
behavior_protection: | |
enabled: true | |
message: '' | |
logging: | |
file: info | |
antivirus_registration: | |
enabled: false | |
mac: | |
events: | |
process: true | |
file: true | |
network: true | |
malware: | |
mode: prevent | |
behavior_protection: | |
mode: prevent | |
supported: true | |
memory_protection: | |
mode: prevent | |
supported: true | |
popup: | |
malware: | |
enabled: true | |
message: '' | |
behavior_protection: | |
enabled: true | |
message: '' | |
memory_protection: | |
enabled: true | |
message: '' | |
logging: | |
file: info | |
linux: | |
events: | |
process: true | |
file: true | |
network: true | |
malware: | |
mode: prevent | |
behavior_protection: | |
mode: prevent | |
supported: true | |
memory_protection: | |
mode: prevent | |
supported: true | |
popup: | |
malware: | |
enabled: true | |
message: '' | |
behavior_protection: | |
enabled: true | |
message: '' | |
memory_protection: | |
enabled: true | |
message: '' | |
logging: | |
file: info | |
- id: 9666ac0a-2486-4fdd-94e8-80e9819dd755 | |
name: osquery_manager-1 | |
revision: 1 | |
type: osquery | |
use_output: default | |
meta: | |
package: | |
name: osquery_manager | |
version: 1.0.0 | |
data_stream: | |
namespace: default | |
fleet: | |
hosts: | |
- 'http://localhost:8220' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment