[Rule Tuning] Sublime Plugin or Application Script Modification (#2180)

* expand filter to sublime text contents

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 058f11f650)

rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -35,11 +35,11 @@ file where event.type in ("change", "creation") and file.extension : "py" and
     ) and
   not process.executable :
     (
-      "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*",
+      "/Applications/Sublime Text*.app/Contents/*",
       "/usr/local/Cellar/git/*/bin/git",
+      "/Library/Developer/CommandLineTools/usr/bin/git",
       "/usr/libexec/xpcproxy",
-      "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
-      "/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
+      "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper"
     )
 '''