refactoring alerts to reduce noise

2024-10-16 14:59:43 -04:00 · 2024-10-16 14:59:43 -04:00 · f71898ca70
parent 575261ac12
commit f71898ca70
3 changed files with 7 additions and 3 deletions
--- a/detection/evasion/unexpected-dev-entries.sql
+++ b/detection/evasion/unexpected-dev-entries.sql
@ -47,10 +47,14 @@ WHERE
      OR file.path LIKE '/dev/shm/jack_db%'
    )
  )
+  AND NOT (
+    file.size <= 32
+    AND file.path LIKE '/dev/shm/%'
+  )
  AND file.path NOT LIKE '/dev/shm/lttng-ust-wait-%'
  AND file.path NOT LIKE '/dev/shm/flatpak-%'
  AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
  AND file.path NOT LIKE '/dev/shm/sem.mp-%'
  AND file.path NOT LIKE '%/../%'
  AND file.path NOT LIKE '%/./%'
-  AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock')
+  AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock', '/dev/shm/sem.camlock')
--- a/detection/execution/recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/recently-created-executables-long-lived-linux.sql
@ -3,7 +3,7 @@
 -- false-positives:
 --   * many
 --
-- tags: transient process state
+-- tags: transient process state extra
 -- platform: linux
 SELECT
  f.ctime AS p0_ctime,
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@ -3,7 +3,7 @@
 -- false-positives:
 --   * many
 --
-- tags: transient process state
+-- tags: transient process state extra
 -- platform: darwin
 SELECT
  f.ctime,