Merge pull request #365 from tstromberg/fpr-apr25

mark command-events & execdir-events as 'extra' due to high CPU usage
2024-04-29 09:33:44 -04:00 · 2024-04-29 09:33:44 -04:00 · a0c49efb3f
parent 6dd798c4a0 03ea3bcff2
commit a0c49efb3f
2 changed files with 2 additions and 2 deletions
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -6,7 +6,7 @@
 -- false positives:
 --   * possible, but none known
 --
-- tags: transient process events
+-- tags: transient process events extra
 -- platform: darwin
 -- interval: 180
 SELECT -- Child
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -9,7 +9,7 @@
 --
 -- interval: 240
 -- platform: darwin
-- tags: filesystem events
+-- tags: filesystem events extra
 SELECT
  COALESCE(
    REGEX_MATCH (REPLACE(pe.path, u.directory, '~'), '(.*)/', 1),