From 37ce71b94f2e481512d12b2cbcb1c582a007b135 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 2 Jun 2023 18:03:44 -0400
Subject: [PATCH] Decrease download limits to begin with

---
 detection/collection/excess-google-drive-downloads-macos.sql | 2 +-
 .../collection/excess-google-drive-folder-exports-macos.sql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection/collection/excess-google-drive-downloads-macos.sql b/detection/collection/excess-google-drive-downloads-macos.sql
index 10f3170..16c843b 100644
--- a/detection/collection/excess-google-drive-downloads-macos.sql
+++ b/detection/collection/excess-google-drive-downloads-macos.sql
@@ -23,4 +23,4 @@ WHERE
 AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
 -- "GROUP BY" should be unnecessary, but Kolide seems to require it
 GROUP BY ea.key
-HAVING total_size > (100*1024*1024) OR num_downloads > 5
\ No newline at end of file
+HAVING total_size > (100*1024*1024) OR num_downloads > 4
\ No newline at end of file
diff --git a/detection/collection/excess-google-drive-folder-exports-macos.sql b/detection/collection/excess-google-drive-folder-exports-macos.sql
index f2d0c06..b457c95 100644
--- a/detection/collection/excess-google-drive-folder-exports-macos.sql
+++ b/detection/collection/excess-google-drive-folder-exports-macos.sql
@@ -20,4 +20,4 @@ WHERE
 AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -604800)
 -- "GROUP BY" should be unnecessary, but Kolide seems to require it
 GROUP BY ea.key
-HAVING total_size > (100*1024*1024) OR num_exports > 2
+HAVING total_size > (100*1024*1024) OR num_exports > 1
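Review bot: The new thresholds on the HAVING line (`num_downloads > 4` here, and `num_exports > 1` in the same hunk of excess-google-drive-folder-exports-macos.sql) are bare magic numbers with no record of why they were chosen, and the subject's "to begin with" suggests they are provisional tuning values rather than settled detection logic. A one-line comment above the clause would let the next maintainer tune them knowingly, e.g. `-- Initial thresholds (5+ downloads or >100 MiB within the 7-day window above); revisit against observed false-positive rate`, with the corresponding "2+ exports" wording in the exports rule. The size bound `(100*1024*1024)` is left unchanged in both files although the subject says limits were decreased, so if that is deliberate it is worth stating in the same comment. The first file also still ends without a trailing newline, as the surviving `\ No newline at end of file` marker on the new side shows. The SELECT/FROM/WHERE that define `total_size` and `num_downloads` begin above the hunk, so their exact meaning is not visible here.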