From c26be487b844920dbbde99288b960ef7bbc25af4 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 23 Sep 2024 11:19:16 -0400
Subject: [PATCH] Mark udev as 'extra' for now (disabled by default)

---
 detection/persistence/suspicious-udev-runner-linux.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection/persistence/suspicious-udev-runner-linux.sql b/detection/persistence/suspicious-udev-runner-linux.sql
index 8b6c62f..3504032 100644
--- a/detection/persistence/suspicious-udev-runner-linux.sql
+++ b/detection/persistence/suspicious-udev-runner-linux.sql
@@ -4,7 +4,7 @@
 -- * https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
 -- * https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/
 --
--- tags: volume filesystem
+-- tags: volume filesystem extra
 -- platform: linux
 SELECT
 file.path,
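Review bot: The header comment around `-- tags: volume filesystem extra` gives no reason for the `extra` tag and no condition for removing it, although the commit subject says this disables the udev persistence check by default "for now". A line above the tags, such as `-- extra (disabled by default): <reason>; re-enable when <condition>`, would tell an operator that the technique described in the two referenced write-ups is not covered unless extra queries are enabled. The query body that begins at `SELECT` continues outside the hunk, so whether the query itself needs tuning cannot be judged from here.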