From 5bbde18759ea207c4d699f4bfbb663bb10a33177 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 27 Oct 2022 16:26:43 -0400
Subject: [PATCH] webmail: Add JFIF, remove BZ2, TAR, GZ from expectations list

---
 detection/initial_access/unexpected-webmail-downloads.sql | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
index 37d5217..c70e491 100644
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -27,17 +27,16 @@ WHERE
   AND file.btime > (strftime('%s', 'now') -86400)
   -- Extensions that would not normally raise suspicion if sent by e-mail (excludes dmg, iso, lnk, exe)
   AND extension NOT IN (
-    'bz2',
     'cer',
     'csv',
     'doc',
     'docx',
     'eml',
     'gif',
-    'gz',
     'htm',
     'html',
     'icloud',
+    'jfif',
     'jpeg',
     'jpg',
     'mov',
@@ -54,7 +53,6 @@ WHERE
     'ppt',
     'pptx',
     'pub',
-    'tar',
     'tif',
     'tiff',
     'txt',
@@ -62,6 +60,5 @@ WHERE
     'xls',
     'xlsm',
     'xlsx',
-    'zip',
-    'zstd'
+    'zip'
   )
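Review bot: The comment above the `NOT IN` list is now out of date: it says the list "excludes dmg, iso, lnk, exe", but after this change bz2, gz, tar and zstd are also deliberately absent, while zip alone among the archive formats stays on the benign side. A reader tuning this rule later cannot tell from the comment whether that asymmetry is intentional, so the first hunk should say so, e.g. `-- Extensions that would not normally raise suspicion if sent by e-mail (deliberately excludes dmg, iso, lnk, exe and the archive formats bz2, gz, tar, zstd; zip is kept because it is common in legitimate mail)`. It is also worth confirming, in the part of the WHERE clause that starts outside this hunk, that `extension` is case-normalized before the comparison, since the literals are all lowercase and a `.ZIP` or `.JFIF` file would otherwise fall through and fire; if it is not, `LOWER(extension) NOT IN (` is the one-line fix. The enclosing SELECT begins and ends outside these hunks.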