From 515f51daa6f657748e8b950869a28d5a0f5e83ef Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 11:46:17 -0400
Subject: [PATCH] Raise bps limit, add exception for systemd

---
 detection/exfil/high_disk_bytes_read.sql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index a5d6d86..d3c7a96 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -26,7 +26,7 @@ FROM processes p
 LEFT JOIN hash ON p.path = hash.path
 WHERE
- bytes_per_second > 2000000
+ bytes_per_second > 2500000
 AND age > 180
 AND p.path NOT LIKE '/Applications/%.app/Contents/%'
 AND p.path NOT LIKE '/System/Library/%'
@@ -45,6 +45,7 @@ WHERE
 'launcher',
 'LogiFacecamService',
 'nautilus',
+ 'systemd',
 'nessusd',
 'nix',
 'osqueryd',
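Review bot: The new `'systemd'` entry in the second hunk exempts every process reporting that name, with no path, pid or parent qualification, which is a wider blind spot than the existing path-scoped exclusions in the first hunk (`p.path NOT LIKE '/System/Library/%'`). The list's column and predicate (presumably a `NOT IN` on the process name) begin outside the hunk, so this cannot be confirmed here, but a name-only allowlist in an exfil detection should be tightened to the expected binary location, e.g. `AND NOT (p.name = 'systemd' AND p.path LIKE '%/systemd/systemd')` placed alongside the path exclusions rather than in the name list. Neither the threshold raise from 2000000 to 2500000 nor the systemd exception carries a rationale in the file; a one-line comment such as `-- 2.5 MB/s: tuned to sit above observed baseline reads from systemd on Linux hosts` next to the threshold would keep the tuning history reviewable.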