[Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)

2022-08-23 09:59:43 -04:00
parent 2326b30a87
commit 2204459e73
1 changed files with 16 additions and 16 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/08/25"
+updated_date = "2022/08/15"

 [rule]
 author = ["Elastic"]
@@ -27,21 +27,21 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
 type = "eql"

 query = '''
-sequence by host.id, user.id with maxspan = 5s
-  [process where event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-a"]
-  [process where event.type in ("start", "process_started") and process.name : "pluginkit" and
-    process.args : "-e" and process.args : "use" and process.args : "-i" and
-    not process.args :
-    (
-      "com.google.GoogleDrive.FinderSyncAPIExtension",
-      "com.google.drivefs.findersync",
-      "com.boxcryptor.osx.Rednif",
-      "com.adobe.accmac.ACCFinderSync",
-      "com.microsoft.OneDrive.FinderSync",
-      "com.insynchq.Insync.Insync-Finder-Integration",
-      "com.box.desktop.findersyncext"
-    )
-  ]
+process where event.type in ("start", "process_started") and process.name : "pluginkit" and
+  process.args : "-e" and process.args : "use" and process.args : "-i" and
+  not process.args :
+  (
+    "com.google.GoogleDrive.FinderSyncAPIExtension",
+    "com.google.drivefs.findersync",
+    "com.boxcryptor.osx.Rednif",
+    "com.adobe.accmac.ACCFinderSync",
+    "com.microsoft.OneDrive.FinderSync",
+    "com.insynchq.Insync.Insync-Finder-Integration",
+    "com.box.desktop.findersyncext"
+  ) and
+  not process.parent.executable : (
+    "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp"
+  )
 '''