Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Alex Loewenthal
01/11/2023, 7:19 PMLooking for some pointers here (still learning SQL), I’m trying to exclude certain criteria from returning results within a policy, for example I only want to check if encryption is enabled for physical linux devices and exclude VM’s, a standalone query excludes the criteria ‘VirtualBox’, ‘Parallels Virtual Platform’ however the policy is returning YES/NO results for VM’s:
SELECT EXISTS(SELECT * FROM system_info WHERE board_model not in ('VirtualBox', 'Parallels Virtual Platform') AND (select 1 from disk_encryption WHERE encrypted = '1' AND name like '/dev/dm-1')) as is_desktop_encrypted;j
Jason
01/12/2023, 3:04 PMZach helped me out with something similar a while ago, so I should pay it forward 🙂 Here is an example of a simply policy query I have to check that the disk is encrypted on windows, but only if it's a laptop.
SELECT 1 WHERE
(SELECT protection_status from bitlocker_info) = 1
OR (SELECT chassis_types FROM chassis_info) NOT IN ("Notebook", "Laptop");Basically, you need to return "1" for all systems you want to ignore in the policy.
a
Alex Loewenthal
01/12/2023, 6:48 PMThanks y’all, appreciate the pointers! will definitely take a look at the teams functionality