split linux and macos tests for TT1518.001; update processes list

atomics/T1518.001/T1518.001.yaml

@@ -34,19 +34,46 @@ atomic_tests:
       get-process | ?{$_.Description -like "*defender*"}
       get-process | ?{$_.Description -like "*cylance*"}
     name: powershell
-- name: Security Software Discovery - ps
+- name: Security Software Discovery - ps (macOS)
   auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
   description: |
     Methods to identify Security Software on an endpoint
-    when sucessfully executed, command shell  is going to display AV software it is running( Little snitch or carbon black ).
+    when sucessfully executed, command shell  is going to display AV/Security software it is running.
   supported_platforms:
-  - linux
   - macos
   executor:
     command: |
       ps -ef | grep Little\ Snitch | grep -v grep
       ps aux | grep CbOsxSensorService
       ps aux | grep falcond
+      ps aux | grep nessusd
+      ps aux | grep santad
+      ps aux | grep CbDefense
+      ps aux | grep td-agent
+      ps aux | grep packetbeat
+      ps aux | grep filebeat
+      ps aux | grep auditbeat
+      ps aux | grep osqueryd
+      ps aux | grep BlockBlock
+      ps aux | grep LuLu
+    name: sh
+- name: Security Software Discovery - ps (Linux)
+  auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
+  description: |
+    Methods to identify Security Software on an endpoint
+    when sucessfully executed, command shell  is going to display AV/Security software it is running.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      ps aux | grep falcond
+      ps aux | grep nessusd
+      ps aux | grep cbagentd
+      ps aux | grep td-agent
+      ps aux | grep packetbeat
+      ps aux | grep filebeat
+      ps aux | grep auditbeat
+      ps aux | grep osqueryd
     name: sh
 - name: Security Software Discovery - Sysmon Service
   auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9