From 3447f95d9e81a492881d19aa41d1e1a9b4a8159c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 15 Mar 2024 19:06:16 -0400
Subject: [PATCH] Performance tuning, mark some Linux queries as 'extra'
---
 Makefile | 8 ++++----
 detection/c2/unexpected-icmp-socket-events.sql | 2 +-
 detection/c2/unexpected-icmp-socket.sql | 2 +-
 detection/c2/unexpected-talker-events.sql | 2 +-
 detection/evasion/hidden-cwd-events-linux.sql | 2 +-
 detection/execution/exotic-command-events-linux.sql | 2 +-
 detection/execution/yara-unexpected-upx-process.sql | 2 +-
 .../initial_access/yara-recently-downloaded-miner.sql | 2 +-
 .../initial_access/yara-recently-downloaded-ransom.sql | 2 +-
 .../yara-recently-downloaded-rust-http-exec.sql | 2 +-
 .../initial_access/yara-recently-downloaded-stealer.sql | 2 +-
 detection/initial_access/yara-recently-downloaded-upx.sql | 2 +-
 12 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/Makefile b/Makefile
index 1b734c5..b3c5d7f 100644
--- a/Makefile
+++ b/Makefile 
@@ -9,16 +9,16 @@ out/osqtool-$(ARCH)-$(OSQTOOL_VERSION):
 mv out/osqtool out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 out/detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/*.sql)
- ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify -output out/detection.conf pack detection
+ ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify --exclude-tags=disabled,disabled-privacy,extra --output out/detection.conf pack detection
 out/policy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard policy/*.sql)
- ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify --output out/policy.conf pack policy/
+ ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra o --verify --output out/policy.conf pack policy/
 out/vulnerabilities.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard vulnerabilities/*.sql)
- ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --output out/vulnerabilities.conf pack vulnerabilities/
+ ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/vulnerabilities.conf pack vulnerabilities/
 out/incident-response.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard incident_response/*.sql)
- ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy --output out/incident-response.conf pack incident_response/
+ ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/incident-response.conf pack incident_response/
 out/osquery.conf:
 cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf
diff --git a/detection/c2/unexpected-icmp-socket-events.sql b/detection/c2/unexpected-icmp-socket-events.sql
index 7ac2ec4..033dc3b 100644
--- a/detection/c2/unexpected-icmp-socket-events.sql
+++ b/detection/c2/unexpected-icmp-socket-events.sql 
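Review bot: The new out/policy.conf recipe carries a stray `o` token between `--exclude-tags=disabled,disabled-privacy,extra` and `--verify`; it looks like an editing leftover from `--output`, and depending on how osqtool parses its command line it will either be taken as an unexpected positional argument or end flag parsing early so that `--verify` and `--output` are never applied to the policy pack. The line should read `./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --verify --output out/policy.conf pack policy/`. Separately, the prerequisite `$(wildcard detection/*.sql)` matches only files directly under detection/, so the queries this same commit edits in detection/c2/ and detection/evasion/ never make out/detection.conf out of date; `$(wildcard detection/*.sql detection/*/*.sql)` (and the same for the other packs if they have subdirectories) closes that gap. The out/vulnerabilities.conf recipe is still the only one built without `--verify`, which deserves either the flag or a comment saying why it is omitted, and the flag string now repeated in four recipes would be easier to keep in sync as a single `OSQTOOL_PACK_FLAGS :=` variable.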
@@ -4,7 +4,7 @@
 -- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
 -- interval: 300
--- tags: transient events net
+-- tags: transient events net extra
 SELECT
 se.*,
 p.path,
diff --git a/detection/c2/unexpected-icmp-socket.sql b/detection/c2/unexpected-icmp-socket.sql
index dd84a87..f89687c 100644
--- a/detection/c2/unexpected-icmp-socket.sql
+++ b/detection/c2/unexpected-icmp-socket.sql
@@ -3,7 +3,7 @@
 -- references:
 -- *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
--- tags: transient state net often
+-- tags: transient state net extra
 SELECT
 pop.pid AS p0_pid,
 pop.socket,
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 89e7d86..800a38e 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -3,7 +3,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
--- tags: transient state net
+-- tags: transient state net extra
 -- interval: 601
 -- platform: posix
 SELECT
diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
index 6e2e84e..28a019a 100644
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@@ -9,7 +9,7 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
 --
--- tags: transient
+-- tags: transient extra
 -- platform: linux
 -- interval: 600
 SELECT
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index de97da2..4acca06 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql 
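Review bot: Appending `extra` to the tags line drops this query from the packed detection.conf, because the Makefile in this same commit passes `--exclude-tags=disabled,disabled-privacy,extra`, yet nothing in the file records that the ICMP C2 check is deliberately out of the default pack or under what condition it should come back. A one-line note next to the tags, e.g. `-- extra: left out of the default pack (cost; see Makefile --exclude-tags); remove the tag to re-enable`, keeps a later reader from assuming this detection is live. The same applies to the `extra` additions in unexpected-icmp-socket.sql, unexpected-talker-events.sql, hidden-cwd-events-linux.sql and exotic-command-events-linux.sql.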
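Review bot: In the unexpected-icmp-socket.sql hunk the tags line replaces `often` with `extra` instead of appending, while every other hunk in this commit only adds the new tag. If `often` has any meaning to osqtool or to downstream filtering, this is a second, undocumented change beyond demoting the query; if it is meaningless, the inconsistency is still worth a glance. Unless the drop is intended, `-- tags: transient state net often extra` keeps the original set intact.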
@@ -6,7 +6,7 @@
 -- false positives:
 -- * possible, but none known
 --
--- tags: transient process events
+-- tags: transient process events extra
 -- platform: linux
 -- interval: 600
 SELECT -- Child
diff --git a/detection/execution/yara-unexpected-upx-process.sql b/detection/execution/yara-unexpected-upx-process.sql
index 5e4d047..52a8338 100644
--- a/detection/execution/yara-unexpected-upx-process.sql
+++ b/detection/execution/yara-unexpected-upx-process.sql
@@ -1,7 +1,7 @@
 -- Currently running UPX executable
 --
 -- tags: persistent
--- interval: 3600
+-- interval: 7199
 -- platform: posix
 SELECT
 yara.*,
diff --git a/detection/initial_access/yara-recently-downloaded-miner.sql b/detection/initial_access/yara-recently-downloaded-miner.sql
index 3b799f7..06c2df0 100644
--- a/detection/initial_access/yara-recently-downloaded-miner.sql
+++ b/detection/initial_access/yara-recently-downloaded-miner.sql
@@ -1,4 +1,4 @@
--- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
 file.path,
 file.size,
diff --git a/detection/initial_access/yara-recently-downloaded-ransom.sql b/detection/initial_access/yara-recently-downloaded-ransom.sql
index 985c5aa..a1de9f5 100644
--- a/detection/initial_access/yara-recently-downloaded-ransom.sql
+++ b/detection/initial_access/yara-recently-downloaded-ransom.sql
@@ -1,4 +1,4 @@
--- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
 file.path,
 file.size,
diff --git a/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql b/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql
index a345875..ccec586 100644
--- a/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql
+++ b/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql
@@ -1,4 +1,4 @@
--- Recently downloaded cryptexec program
+-- tags: volume filesystem seldom
 SELECT
 file.path,
 file.size, 
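Review bot: The new interval `7199` in yara-unexpected-upx-process.sql is an unexplained magic number; it is one second short of two hours, presumably chosen so this process-wide yara scan stops lining up with other hour-aligned queries, but the file does not say so. It also doubles the worst-case delay before a running UPX-packed process is reported, which is a fair cost trade-off but one that should be visible to whoever tunes this next. A comment on its own line, such as `-- interval: ~2h, offset from hourly queries to spread yara load`, records both points without touching the value (keep it on a separate line in case the tag parser takes the rest of the `-- interval:` line as the value).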
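Review bot: The yara-recently-downloaded-miner.sql hunk replaces the query's only description line (`-- Recently downloaded UPX file`) with the tags line rather than adding the tags beneath it, so the file is left with no human-readable summary at all; the ransom, rust-http-exec, stealer and upx hunks do the same. Keep a description and put the tags after it, e.g. `-- Recently downloaded cryptominer` / `--` / `-- tags: volume filesystem seldom`, which also matches the `--` separator before `-- tags:` used by the other queries in this commit. While there, the old miner and ransom descriptions were copy-pasted `UPX file` wording and should name what each rule actually looks for.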
diff --git a/detection/initial_access/yara-recently-downloaded-stealer.sql b/detection/initial_access/yara-recently-downloaded-stealer.sql
index bc7202d..df71b67 100644
--- a/detection/initial_access/yara-recently-downloaded-stealer.sql
+++ b/detection/initial_access/yara-recently-downloaded-stealer.sql
@@ -1,4 +1,4 @@
--- Recently downloaded Stealer
+-- tags: volume filesystem seldom
 SELECT
 file.path,
 file.size,
diff --git a/detection/initial_access/yara-recently-downloaded-upx.sql b/detection/initial_access/yara-recently-downloaded-upx.sql
index ad7247e..6ad0177 100644
--- a/detection/initial_access/yara-recently-downloaded-upx.sql
+++ b/detection/initial_access/yara-recently-downloaded-upx.sql
@@ -1,4 +1,4 @@
--- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
 file.path,
 file.size,