Title
#eclecticiq-polylogyx-extension
o

OpenPlgx

11/16/2021, 4:08 AM
Can you share your blocking config?
l

lvferdi

11/16/2021, 1:03 PM
{
  "options": {
    "utc": "true",
    "custom_plgx_EnableSSL": "true",
    "custom_plgx_EnableAmsiStreamEventData": "true",
    "custom_plgx_EnablePacketInspection": "true"
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT name AS os_name, version AS os_version FROM os_version;",
      "SELECT config_hash from osquery_info;"
    ],
    "interval": {
      "300": [
        "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
      ]
    }
  },
  "packs": {
    "docker": "C:\\Program Files\\osquery\\packs\\docker.conf",
    "osquery-monitoring": "C:\\Program Files\\osquery\\packs\\osquery-monitoring.conf",
    "events":"C:\\Program Files\\osquery\\packs\\events.conf",
    "combined": "C:\\Program Files\\osquery\\packs\\combined.conf",
    "browser-extensions": "C:\\Program Files\\osquery\\packs\\browser-extensions.conf",
    "windows": "C:\\Program Files\\osquery\\packs\\windows.conf"
  },
  "plgx_event_filters": {
    "win_ssl_events": {
      "process_name": {
        "exclude": {
          "values": [
            "C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
            "C:\\Program Files\\SplunkForwarder\\bin\\splunkd.exe",
1:03 PM
I removed a bunch to make it easier to paste.
h

himanshu

11/16/2021, 1:30 PM
this json does not have
plgx_event_control
JSON tag which specifies rules for blocking. this json has only
plgx_event_filters
which specifies only event filters. since
plgx_event_control
is not there in the json, extension is showing an
Info
level message
No event control (blocking) filter found in config
. this message has no relation to
plgx_event_filters
. probably the message string could have been better to avoid confusion. if osquery is run without
--verbose
flag,
No event control (blocking) filter found in config
log wont show up since it is an
Info
level log.
l

lvferdi

11/16/2021, 3:15 PM
ahhh I understand. I didn't realize there was a separate
plgx_event_control
flag specific to the event blocking rules for process/reg/and file events. Thanks for clearing it up
h

himanshu

11/17/2021, 4:55 AM
no problem