Merge pull request #310 from tstromberg/fpr-sep18

unexpected talker events: address easy false positives
chainguard-dev · Sep 19, 2023 · ddb37c0 · ddb37c0
2 parents e958c9f + f656aef
commit ddb37c0
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
@@ -82,8 +82,11 @@ WHERE
         '/Library/Application Support',
         '/Library/Kandji',
         '/System/Volumes',
+        '~/bin',
+        '/usr/local',
         '/opt/homebrew',
         '~/Apps',
+        '~/code',
         '~/work',
         '~/github',
         '~/src',
@@ -97,8 +100,10 @@ WHERE
     AND NOT exception_key IN (
         '500,0,123,sntp',
         '500,0,22,ssh',
+        '500,0,443,velociraptor',
         '500,0,32768,ksfetch',
         '500,500,32768,ksfetch',
+        '500,500,443,old',
         '500,0,32768,syncthing',
         '500,0,443,chrome',
         '500,0,443,curl',
@@ -107,11 +112,18 @@ WHERE
         '500,0,443,launcher',
         '500,0,443,slack',
         '500,0,31488,sntp',
+        '500,500,443,go',
         '500,0,443,syncthing',
         '500,0,443,wget',
         '500,0,5228,chrome',
         '500,0,53,chrome',
         '500,0,53,git',
+        '500,0,443,firefox',
+        '500,0,80,firefox',
+        '500,0,443,node',
+        '500,500,2304,cloud_sql_proxy',
+        '500,500,443,cloud_sql_proxy',
+        '500,500,80,cloud_sql_proxy',
         '500,0,53,launcher',
         '500,0,53,NetworkManager',
         '500,0,53,slack',