RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #281 from tstromberg/less-persist 

recently created: set cutoff to 12h, exclude SteelSeries
This commit is contained in:
Thomas Strömberg 2023-06-09 07:55:46 -04:00 committed by GitHub
parent 57cc0ec64d ccdd5e2d4f
commit 1654c03677
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
detection/execution/recently-created-executables-long-lived-linux.sql
View File

@ -44,7 +44,7 @@ FROM
WHERE
p0.start_time > 0
AND f.ctime > 0
AND p0.start_time > (strftime('%s', 'now') - 1800)
AND p0.start_time > (strftime('%s', 'now') - 43200)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 45
AND p0.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps

3
detection/execution/recently-created-executables-long-lived-macos.sql
View File

@ -66,7 +66,7 @@ WHERE
processes
WHERE
start_time > 0
AND start_time > (strftime('%s', 'now') - 1800)
AND start_time > (strftime('%s', 'now') - 43200)
AND pid > 0
AND path != ""
AND NOT path LIKE '/Applications/%'
@ -175,6 +175,7 @@ WHERE
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: SteelSeries (6WGL6CHFH2)',
'Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',