Can you share your blocking config?
# eclecticiq-polylogyx-extensiono
OpenPlgx
11/16/2021, 4:08 AMCan you share your blocking config?
l
lvferdi
11/16/2021, 1:03 PM Copy code
{
"options": {
"utc": "true",
"custom_plgx_EnableSSL": "true",
"custom_plgx_EnableAmsiStreamEventData": "true",
"custom_plgx_EnablePacketInspection": "true"
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT name AS os_name, version AS os_version FROM os_version;",
"SELECT config_hash from osquery_info;"
],
"interval": {
"300": [
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
}
},
"packs": {
"docker": "C:\\Program Files\\osquery\\packs\\docker.conf",
"osquery-monitoring": "C:\\Program Files\\osquery\\packs\\osquery-monitoring.conf",
"events":"C:\\Program Files\\osquery\\packs\\events.conf",
"combined": "C:\\Program Files\\osquery\\packs\\combined.conf",
"browser-extensions": "C:\\Program Files\\osquery\\packs\\browser-extensions.conf",
"windows": "C:\\Program Files\\osquery\\packs\\windows.conf"
},
"plgx_event_filters": {
"win_ssl_events": {
"process_name": {
"exclude": {
"values": [
"C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
"C:\\Program Files\\SplunkForwarder\\bin\\splunkd.exe",lvferdi
11/16/2021, 1:03 PMI removed a bunch to make it easier to paste.
h
himanshu
11/16/2021, 1:30 PMthis json does not have
plgx_event_controlplgx_event_filtersplgx_event_controlInfoNo event control (blocking) filter found in configplgx_event_filters--verboseNo event control (blocking) filter found in configInfol
lvferdi
11/16/2021, 3:15 PMahhh I understand. I didn't realize there was a separate
plgx_event_controlh
himanshu
11/17/2021, 4:55 AMno problem
12 Views