From 0f0f16bdee146131bcfa75ddc1eda5f9a93091d3 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 9 Sep 2025 15:33:58 +0200
Subject: [PATCH] [Rule Tuning] D-Bus Service Created (#5076)
---
 rules/linux/persistence_dbus_service_creation.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml
index 81d20357d..3f14e690d 100644
--- a/rules/linux/persistence_dbus_service_creation.toml
+++ b/rules/linux/persistence_dbus_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/09"

 [rule]
 author = ["Elastic"]
@@ -117,7 +117,6 @@ file.extension in ("service", "conf") and file.path like~ ( "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", "/usr/local/manageengine/uems_agent/bin/dcregister" ) or - file.Ext.original.extension == "dpkg-new" or process.executable : ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" ) or
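Review bot: The `process.executable : (...)` list kept in the second hunk exempts processes by path alone, and two of its patterns, `"/tmp/vmis.*"` and `"/dev/fd/*"`, are not locations reserved for package managers, so a match on the path by itself is a weak reason to suppress the alert. Consider taking those two out of the shared list and pairing each with a second condition, for example `(process.executable : "/tmp/vmis.*" and process.parent.executable : "<installer path, placeholder>")`. Separately, the commit removes `file.Ext.original.extension == "dpkg-new"` with no description; one line saying whether it never matched or is now covered by the `"/var/lib/dpkg/*"` entry would let the next tuner judge the change. The surrounding block, which appears to be the rule's exclusion list, starts and ends outside the hunk, so other conditions may already narrow these entries.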