Merge pull request #310 from tstromberg/fpr-sep18

unexpected talker events: address easy false positives
2025-02-16 17:37:06 +00:00 · 2023-09-19 17:48:09 -04:00 · 2023-09-19 17:48:09 -04:00 · ddb37c066a
commit ddb37c066a
parent e958c9f2ac f656aef8be
1 changed files with 12 additions and 0 deletions
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@ -82,8 +82,11 @@ WHERE
        '/Library/Application Support',
        '/Library/Kandji',
        '/System/Volumes',
+        '~/bin',
+        '/usr/local',
        '/opt/homebrew',
        '~/Apps',
+        '~/code',
        '~/work',
        '~/github',
        '~/src',
@ -97,8 +100,10 @@ WHERE
    AND NOT exception_key IN (
        '500,0,123,sntp',
        '500,0,22,ssh',
+        '500,0,443,velociraptor',
        '500,0,32768,ksfetch',
        '500,500,32768,ksfetch',
+        '500,500,443,old',
        '500,0,32768,syncthing',
        '500,0,443,chrome',
        '500,0,443,curl',
@ -107,11 +112,18 @@ WHERE
        '500,0,443,launcher',
        '500,0,443,slack',
        '500,0,31488,sntp',
+        '500,500,443,go',
        '500,0,443,syncthing',
        '500,0,443,wget',
        '500,0,5228,chrome',
        '500,0,53,chrome',
        '500,0,53,git',
+        '500,0,443,firefox',
+        '500,0,80,firefox',
+        '500,0,443,node',
+        '500,500,2304,cloud_sql_proxy',
+        '500,500,443,cloud_sql_proxy',
+        '500,500,80,cloud_sql_proxy',
        '500,0,53,launcher',
        '500,0,53,NetworkManager',
        '500,0,53,slack',