From ed473f438d5b4d9f63793f5faf45aefc90078c26 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 26 Sep 2023 16:41:47 -0400
Subject: [PATCH] Broaden the talker exception list

---
 detection/c2/unexpected-talker-events.sql | 33 ++++++++++++-----------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 9936617..af7f7ab 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -99,16 +99,19 @@ WHERE
 '~/work'
 )
 AND NOT exception_key IN (
+ '500,0,110,syncthing',
 '500,0,123,sntp',
- '500,0,443,com.google.one.NetworkExtension',
 '500,0,22,ssh',
- '500,0,443,com.apple.NRD.UpdateBrainService',
 '500,0,31488,sntp',
 '500,0,32768,ksfetch',
 '500,0,32768,syncthing',
+ '500,0,443,OneDriveStandaloneUpdater',
 '500,0,443,chrome',
+ '500,0,443,com.apple.NRD.UpdateBrainService',
+ '500,0,443,com.google.one.NetworkExtension',
 '500,0,443,curl',
 '500,0,443,firefox',
+ '500,0,443,fwupdmgr',
 '500,0,443,git-remote-http',
 '500,0,443,ksfetch',
 '500,0,443,launcher',
@@ -119,14 +122,15 @@ WHERE
 '500,0,443,velociraptor',
 '500,0,443,wget',
 '500,0,5228,chrome',
+ '500,0,53,NetworkManager',
 '500,0,53,chrome',
 '500,0,53,git',
 '500,0,53,launcher',
- '500,0,53,NetworkManager',
 '500,0,53,slack',
 '500,0,53,wget',
 '500,0,80,chrome',
 '500,0,80,firefox',
+ '500,0,80,http',
 '500,0,9,launcher',
 '500,500,13568,Code Helper',
 '500,500,22,ssh',
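Review bot: The new `'500,0,110,syncthing'` entry at the top of the IN list is dead on arrival, because the same patch adds `AND NOT exception_key LIKE '500,0,%,syncthing'` further down, which already covers it (and the existing `'500,0,32768,syncthing'` entry next to it); carrying both forms leaves two places to maintain and obscures which one is actually suppressing the event. I would keep only one: either drop the two per-port syncthing entries from the IN list, or drop the wildcard and keep the explicit ports. If 110 really is an observed remote port for syncthing (it is not one of the ports syncthing documents), a one-line note such as `-- syncthing: seen talking to :110 on <host>, reason unconfirmed` would save the next reader a search. The enclosing WHERE clause begins before this hunk.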
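Review bot: `'500,0,80,http'` suppresses any process whose basename is `http` talking plaintext on port 80, and since `exception_key` appears to be built from the basename alone, a payload dropped as `~/Downloads/http` would be excluded by a C2 rule on exactly the port a beacon would pick. If this is meant for one specific tool (httpie installs its CLI as `http`), tie the exception to where that tool lives rather than to the name, in the style of the `basename = "Python"` exclusion later in this clause, e.g. `AND NOT (basename = "http" AND path LIKE '/opt/homebrew/%')` — assuming the process path is in scope here, which I cannot see from this hunk — or at minimum add `-- http: httpie CLI` so the intent is recorded. The pre-existing `curl`, `wget`, `go` and `node` entries have the same weakness but predate this change. The enclosing WHERE clause continues past this hunk.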
@@ -134,34 +138,31 @@ WHERE
 '500,500,32768,cloud-sql-proxy',
 '500,500,32768,ksfetch',
 '500,500,4318,Code Helper (Plugin)',
- '500,500,80,Code Helper (Plugin)',
- '500,500,443,aws',
- '500,500,443,cloud_sql_proxy',
 '500,500,443,Code Helper (Plugin)',
 '500,500,443,Code Helper',
- '500,500,443,grype',
- '500,500,443,copilot-agent-macos-arm64',
+ '500,500,443,DropboxMacUpdate',
 '500,500,443,Electron',
- '500,500,443,chainctl',
- '500,0,80,http',
- '500,500,443,figma_agent',
- '500,0,443,fwupdmgr',
 '500,500,443,GitX',
- '500,0,110,syncthing',
- '500,500,80,Code Helper (Plugin)',
- '500,500,80,ksfetch',
+ '500,500,443,aws',
+ '500,500,443,chainctl',
+ '500,500,443,cloud_sql_proxy',
+ '500,500,443,copilot-agent-macos-arm64',
+ '500,500,443,figma_agent',
 '500,500,443,gitsign',
 '500,500,443,go',
- '500,0,443,OneDriveStandaloneUpdater',
+ '500,500,443,grype',
 '500,500,443,ksfetch',
 '500,500,443,node',
 '500,500,443,old',
 '500,500,443,wolfictl',
+ '500,500,80,Code Helper (Plugin)',
 '500,500,80,cloud_sql_proxy',
 '500,500,80,copilot-agent-macos-arm64',
+ '500,500,80,ksfetch',
 '500,500,80,node'
 )
 AND NOT exception_key LIKE '500,500,443,terraform%'
+ AND NOT exception_key LIKE '500,0,%,syncthing'
 AND NOT exception_key LIKE '500,0,%,chrome'
 AND NOT (
 basename = "Python"
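Review bot: `AND NOT exception_key LIKE '500,0,%,syncthing'` excludes a process named `syncthing` on every remote port, which is strictly broader than the port-specific entries it supersedes and means a binary renamed to `syncthing` beaconing to any port is never reported; a port wildcard on a basename-only key is the weakest kind of exception a C2 rule can carry. Syncthing's direct sync and discovery traffic uses a small set of ports (22000 sync, 443 global discovery), and if the wildcard exists because relay servers run on arbitrary ports, that reason should be written down next to the line, e.g. `-- syncthing: relay peers listen on arbitrary ports`, and the exception narrowed by path or code signer rather than by port if such a column is available in this query. As written it also makes the `'500,0,110,syncthing'` and `'500,0,32768,syncthing'` IN-list entries added earlier in this patch redundant. The enclosing WHERE clause continues past this hunk.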