Thomas Stromberg | 99f8793169 | Remove com.docker.backend (macOS specific) | 2023-02-10 10:32:14 -05:00
Thomas Stromberg | e8d86af906 | Make sure caddy & kubectl are in the wider listening range | 2023-02-10 10:31:19 -05:00
Thomas Stromberg | 4f4ae0ed38 | False positive removal and minor query perf improvements | 2023-02-10 10:21:06 -05:00
Thomas Stromberg | 593991adb8 | Purge observed false positives | 2023-02-09 17:54:41 -05:00
Thomas Stromberg | a8ed058d4d | Query performance improvements, add pids, decrease frequency | 2023-02-09 17:01:29 -05:00
Thomas Stromberg | 72326c3b5c | Massive reduction of false positives across the board | 2023-02-08 20:06:26 -05:00
Thomas Stromberg | e57f03b89f | fpr: Opera, TextExpander, socket_vmnet, elive, etc | 2023-02-08 15:12:10 -05:00
Thomas Stromberg | 5274198687 | Add exceptions for socket_vmnet and pnpd | 2023-02-08 14:44:22 -05:00
Thomas Stromberg | 2634e9d45b | Monday morning false-positive purge | 2023-02-08 14:37:09 -05:00
Thomas Stromberg | d302a9ff55 | Purge false positives, again and again | 2023-02-02 21:46:53 -05:00
Thomas Stromberg | 2bdb9f2f3e | Add more macOS software authorities | 2023-02-02 20:53:22 -05:00
Thomas Stromberg | 41ee6feced | Merge remote-tracking branch 'upstream/main' | 2023-02-02 20:33:46 -05:00
Thomas Stromberg | 91b20a98fd | Add uid0 exception for Logitech | 2023-02-02 20:33:34 -05:00
Thomas Strömberg | d885578e28 | Merge pull request #158 from tstromberg/fpr-again: Rewrite unexpected uid0 for Linux, include cgroup info | 2023-02-02 20:33:01 -05:00
Thomas Stromberg | a3ec1bf2bf | Rewrite unexpected uid0 for Linux, include cgroup info | 2023-02-02 20:30:55 -05:00
Thomas Stromberg | bb3e1f964e | Run make reformat, update max rows for incident response | 2023-02-02 17:58:19 -05:00
Thomas Stromberg | 809645a3bf | Add new Kolide id, fix some debug lines | 2023-02-02 17:42:46 -05:00
Thomas Stromberg | ba45449f7d | unexpected uid0: fix bug, make faster | 2023-02-02 17:16:35 -05:00
Thomas Stromberg | 2093a26423 | Fix broken macOS queries | 2023-02-02 15:33:25 -05:00
Thomas Stromberg | cdcb2d48f3 | Slow queries down, minor improvements | 2023-02-01 16:17:36 -05:00
Thomas Stromberg | 393b83168f | Merge to head | 2023-02-01 15:11:51 -05:00
Thomas Stromberg | 23f436f906 | Minor perf improvements for macOS queries | 2023-02-01 15:06:58 -05:00
Thomas Stromberg | f9dce0a72d | Include more process information across queries | 2023-02-01 13:55:55 -05:00
Thomas Stromberg | 45ab183557 | fpr: New Chrome extensions, vbox, chrome, gcloud, gdm3, yay, etc | 2023-01-30 14:58:47 -05:00
Thomas Stromberg | 66ee3484c0 | Remove unused active fields, add WhatsApp ioreg exception | 2023-01-27 08:46:48 -05:00
Thomas Stromberg | d51bd731a1 | fpr: Parallels, nerdctl, Xorg, nvidia, Stream, etc | 2023-01-26 20:40:47 -05:00
Thomas Stromberg | b671e30fce | Simplify unexpected-chrome-extensions exceptions for maintainability | 2023-01-26 20:40:22 -05:00
Thomas Stromberg | 7d8fa35eb4 | fpr: Github Absolute Date, Snagit, Figma, Seagate, aws, etc | 2023-01-26 16:30:14 -05:00
Thomas Stromberg | f5fe9a4aac | Refactor process_events queries for more accurate parenting | 2023-01-26 11:40:54 -05:00
Thomas Stromberg | 83cc38207e | fpr: minikube, tailscale, dex, pacman, virtualbox, steam, lsmod, busybox, etc | 2023-01-23 20:33:52 -05:00
Thomas Stromberg | f7c1557aee | fpr: libinput, kue, updatedb, mariadb, terraform | 2023-01-23 08:13:04 -05:00
Thomas Stromberg | 280b187b20 | fpr: systemctl calls, go tests, WebEx, MariaDB, Brave | 2023-01-20 17:55:48 -05:00
Thomas Stromberg | d55bd17154 | listening ports: Add goland exception | 2023-01-20 10:00:40 -05:00
Thomas Stromberg | e6824d87e9 | Run 'make reformat' | 2023-01-20 09:24:24 -05:00
Thomas Stromberg | dc154a6199 | FPR: Meta Pixel Helper, systemctl, pia-daemon, 1Passwd, iTerm, Brave | 2023-01-20 09:04:00 -05:00
Thomas Stromberg | 8e9ae0fda3 | Less false positives: particularly among systemctl calls | 2023-01-20 08:40:08 -05:00
Thomas Stromberg | 67fb9cad14 | Remove false positive: apt-helper calls to systemctl | 2023-01-19 12:16:20 -05:00
Thomas Stromberg | 710ca28ed9 | False positives: apt-daily, github runner, Slack helper, Foxit, syncthing | 2023-01-19 11:52:31 -05:00
Thomas Stromberg | 24bdaa243a | New detector: unexpected systemctl calls | 2023-01-19 11:39:52 -05:00
Thomas Stromberg | f5e08ceec2 | False positives: Chrome extensions, Steam games, tmp files, Photoshop | 2023-01-18 14:10:33 -05:00
Thomas Stromberg | 7b79b19090 | False positive reduction: Messenger, Chrome, Final Cut Pro, etc | 2023-01-18 09:49:56 -05:00
Thomas Stromberg | 42e9f2721b | FP removal: plymouth, 1Password, firejail, systemd | 2023-01-16 13:55:53 -05:00
Thomas Stromberg | d415b36b57 | FP removal: Selenium, PolKit helper, gephi, docker-credential-gcloud, firejail, etc | 2023-01-16 12:56:39 -05:00
Thomas Stromberg | e3401a07c6 | Weekend false-positive flush | 2023-01-14 08:19:26 -05:00
Thomas Stromberg | 1b79359b68 | Friday False Positive Flush | 2023-01-13 14:10:43 -05:00
Thomas Stromberg | c7e4252af1 | Remove false positives, fix some queries that failed to show a parent pid | 2023-01-09 10:46:30 -05:00
Thomas Stromberg | e8af31a348 | false positives: dots, ipn, apport-gtk, homebrew, hyperkey, contexts | 2023-01-09 09:34:20 -05:00
Thomas Stromberg | 4eb6993272 | Catch up to some older false positives we ran into | 2023-01-06 17:11:24 -05:00
Thomas Stromberg | 1aefbe5e91 | More false positive removal | 2023-01-06 16:01:35 -05:00
Thomas Stromberg | 05a39a78d3 | Flush out more false positives across the stack | 2023-01-06 10:36:48 -05:00