--- falco_rules.yaml 2023-07-05 11:42:09.732973942 +0000
+++ zdt_falco_rules.yaml 2023-07-05 13:30:14.184038126 +0000
@@ -270,7 +270,7 @@
 # A canonical set of processes that run other programs with different
 # privileges or as a different user.
 - list: userexec_binaries
-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
 - list: known_setuid_binaries
   items: [
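Review bot: The `userexec_binaries` list is consumed as a `proc.name` exclusion (the `Non sudo setuid` condition in the second hunk is one visible consumer), so the new `doas` entry exempts any process reporting that name from those rules, and nothing in the hunk records why a privilege-escalation tool is trusted on these hosts. A one-line comment next to the entry would help the next reviewer, e.g. `# doas: OpenBSD/Alpine sudo replacement in use on <HOST-CLASS placeholder>; exclusion is by name only`. If the noise comes from one installed binary, keying the exemption on `proc.exepath` in the consuming rule would be narrower than extending a list that is shared by every rule referencing it; which other rules reference it is not visible in this hunk.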
@@ -2298,27 +2298,28 @@
 - macro: user_known_non_sudo_setuid_conditions
   condition: user.name=root
+# Disabled for now due to buysbox noise
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
-- rule: Non sudo setuid
-  desc: >
-    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
-    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
-  condition: >
-    evt.type=setuid and evt.dir=>
-    and (known_user_in_container or not container)
-    and not (user.name=root or user.uid=0)
-    and not somebody_becoming_themselves
-    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
-    nomachine_binaries)
-    and not proc.name startswith "runc:"
-    and not java_running_sdjagent
-    and not nrpe_becoming_nagios
-    and not user_known_non_sudo_setuid_conditions
-  output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
-    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
-  priority: NOTICE
-  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+#- rule: Non sudo setuid
+#  desc: >
+#    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+#    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+#  condition: >
+#    evt.type=setuid and evt.dir=>
+#    and (known_user_in_container or not container)
+#    and not (user.name=root or user.uid=0)
+#    and not somebody_becoming_themselves
+#    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+#    nomachine_binaries)
+#    and not proc.name startswith "runc:"
+#    and not java_running_sdjagent
+#    and not nrpe_becoming_nagios
+#    and not user_known_non_sudo_setuid_conditions
+#  output: >
+#    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+#    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+#  priority: NOTICE
+#  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
 - macro: user_known_user_management_activities
   condition: (never_true)
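Review bot: Commenting out the entire `Non sudo setuid` rule removes the T1548.001 setuid detection to silence one noisy program, when the hunk already shows the override hook built for this: the rule's condition negates the `user_known_non_sudo_setuid_conditions` macro, so the noise can be suppressed by extending that macro instead, e.g. `condition: (user.name=root or proc.name=busybox)` with the `proc.name` value taken from the actual noisy alerts (busybox is a constructed example here). If the rule really must be switched off, setting `enabled: false` on the rule keeps the definition live and diffable against upstream instead of 20 commented lines that will silently drift. The new comment also misspells the program as `buysbox`, and "Disabled for now" should say what the re-enable is waiting on, e.g. `# Disabled until the busybox setuid noise is scoped into user_known_non_sudo_setuid_conditions`.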