{
  "options": {
    "disable_events": "false",
    "utc": "true",
    "logger_mode": "0640",
    "logger_format": "json"
  },
  "schedule": {
    "scheduled_task_persistence": {
      "query": "SELECT path, name, action, enabled, hidden FROM scheduled_tasks;",
      "interval": 3600
    },
    "startup_items": {
      "query": "SELECT name, path, status, source FROM startup_items;",
      "interval": 3600
    },
    "services_persistence": {
      "query": "SELECT name, display_name, path, start_type, status FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START');",
      "interval": 3600
    },
    "system_cron_jobs": {
      "query": "SELECT command, path, interval, time FROM crontab;",
      "interval": 3600
    },
    "user_cron_jobs": {
      "query": "SELECT username, command, path, interval, time FROM crontab WHERE username != 'root';",
      "interval": 3600
    },
    "logon_scripts": {
      "query": "SELECT script_path, username FROM logon_scripts;",
      "interval": 3600
    },
    "setuid_files": {
      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '04000') = '04000';",
      "interval": 3600
    },
    "setgid_files": {
      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '02000') = '02000';",
      "interval": 3600
    },
    "privilege_escalation_processes": {
      "query": "SELECT pid, name, path, cmdline, uid, gid, euid, egid, suid, sgid, cwd, start_time FROM processes WHERE (uid != euid OR gid != egid);",
      "interval": 300
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname FROM system_info;",
      "SELECT user AS username FROM logged_in_users WHERE user NOT IN ('_mbsetupuser', 'root') ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {}
}