Update canary agent options (#17948)

Remove some columns that aren't super helpful from the tcc tables (see https://gist.github.com/rachaelshaw/74578f458ce89b3306777b8263357d69)
fleetdm · Mar 29, 2024 · 8f1f1b7 · 8f1f1b7
1 parent 841350f
commit 8f1f1b7
Showing 1 changed file with 2 additions and 10 deletions.
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
@@ -28,37 +28,29 @@ agent_options:
           auto_table_construction:
             tcc_system:
               path: /Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
               columns:
                 - service
                 - client
                 - client_type
                 - auth_value
                 - auth_reason
-                - auth_version
-                - csreq
                 - policy_id
                 - indirect_object_identifier
                 - indirect_object_identifier_type
-                - indirect_object_code_identity
-                - flags
                 - last_modified
             tcc_user:
               path: /Users/%/Library/Application Support/com.apple.TCC/TCC.db
-              query: 'select service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier, indirect_object_identifier_type, indirect_object_code_identity, flags, last_modified from access'
+              query: 'select service, client, client_type, auth_value, auth_reason, policy_id, indirect_object_identifier, indirect_object_identifier_type, last_modified from access'
               columns:
                 - service
                 - client
                 - client_type
                 - auth_value
                 - auth_reason
-                - auth_version
-                - csreq
                 - policy_id
                 - indirect_object_identifier
                 - indirect_object_identifier_type
-                - indirect_object_code_identity
-                - flags
                 - last_modified
 controls:
   enable_disk_encryption: true