Adicione o script JSON a seguir ao seu Agent Client Collectorlista de permissões, para habilitar a execução das ações que vêm com o sistema base.

{
  "args": [
    "--logger_min_status 1",
    "--json",
    "SELECT p.name, p.state, p.pid, p.parent as ppid, p.path, p.total_size, p.start_time, p.elapsed_time as run_time, p.cmdline, p.uid, p.username, u.type as owner_domain, u.uuid FROM processes as p LEFT JOIN users as u ON u.uid = p.uid",
    "select name, process_open_sockets.pid, parent as ppid, processes.path, process_open_sockets.state, total_size, process_open_sockets.protocol, local_address, local_port, remote_address, remote_port from process_open_sockets, processes where process_open_sockets.pid = processes.pid",
    "select * from services order by service_type",
    "select computer_name, hardware_serial, hostname, name as os, build, version, mac, address from system_info, os_version, interface_details, interface_addresses where address like '%:%' and interface_addresses.type='manual' or interface_addresses.type ='dhcp' limit 1",
    "select * from logged_in_users order by time"
  ],
  "exec": "osqueryi",
  "skip_arguments": false
}