Title
#windows
theopolis

theopolis

04/03/2021, 8:03 PM
The config supports
{
  "events": {
    "disable_subscribers": [
      "sysmon_wmievent_filtering_events"
    ]
  }
}
manu

manu

04/04/2021, 4:06 AM
thanks @theopolis it works. Awesome.
2:38 PM
Even though we can disable subscribers through config. I am assuming we still need to add the flags for individual subscribers and bail out without subscribing accordingly. If one requests to disable specific subscriber. Something like this.
--enable_sysmon_events_publisher=false
--enable_sysmon_process_create_events_subscriber=false
theopolis

theopolis

04/05/2021, 5:02 PM
You don’t “need” to do that, is there a reason you want those flags?
manu

manu

04/05/2021, 5:35 PM
As of now, i can't seem to think of any reason other than just code parity. The config option seems to work perfectly though.
8:24 AM
The default state of a subscriber via config ("disable->subscribers") is enabled. When the corresponding publisher is enabled, a vanilla config would require the user to specifically mention the subscribers it wishes to disable of all the possible subscribers.
{
  "events": {
    "disable_subscribers": [
            "sysmon_driver_loaded_events",
            "sysmon_file_created_events",
            "sysmon_image_load_events",
            "sysmon_network_connection_events",
            "sysmon_pipe_connected_events",
            "sysmon_pipe_created_events",
            "sysmon_process_accessed_events",
            "sysmon_process_create_events",
            "sysmon_process_tampering_events",
            "sysmon_process_terminate_events",
            "sysmon_remote_thread_events",
     ]
  }
}
Whereas the default state of a subscriber would be disabled (default), when done via flags (osquery.flags). In this case the vanilla config wouldn't need to describe anything about subscribers. Unless the user wishes to turn specific subscribers on (this is opposite to what the config way is). Also this seems to be similar theme in the current implementation. So circling back for thoughts again ? 🙂