From 03ea3bcff249f719ffe04f0abe4e042580743cae Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 29 Apr 2024 09:33:06 -0400
Subject: [PATCH] mark command-events & execdir-events as 'extra' due to high CPU usage

---
 detection/execution/exotic-command-events-macos.sql | 2 +-
 detection/execution/unexpected-execdir-events-macos.sql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 60013ed..cd7e198 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -6,7 +6,7 @@
 -- false positives:
 -- * possible, but none known
 --
--- tags: transient process events
+-- tags: transient process events extra
 -- platform: darwin
 -- interval: 180
 SELECT -- Child
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index b6395ff..e54c681 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -9,7 +9,7 @@
 --
 -- interval: 240
 -- platform: darwin
--- tags: filesystem events
+-- tags: filesystem events extra
 SELECT
 COALESCE(
 REGEX_MATCH (REPLACE(pe.path, u.directory, '~'), '(.*)/', 1),
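Review bot: The reason for demoting this detection to `extra` lives only in the commit message; the header keeps `-- interval: 180` and the `-- false positives:` block unchanged, so someone re-enabling the rule later gets no hint that it was pulled from the default set for CPU cost rather than for accuracy. Consider a free-form header line near the tags, e.g. `-- NOTE: tagged 'extra' because of high CPU usage; re-enable deliberately`, kept off the `-- tags:` line so whatever parses the key/value header is unaffected. The same applies to the `unexpected-execdir-events-macos.sql` hunk, which leaves `-- interval: 240` as is. If the cost comes from run frequency rather than per-run work, raising the interval might have kept both detections in the default set — an inference worth confirming with measurements before the coverage loss is accepted.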