From 39ad3ba652585ede4958ef3ee506ca8a7c8092e9 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 5 Aug 2022 14:15:28 -0400
Subject: [PATCH] [Rule Tuning] Sublime Plugin or Application Script Modification (#2180)
* expand filter to sublime text contents
Co-authored-by: Justin Ibarra
(cherry picked from commit 058f11f6507de213056b466b645b4e190b442130)
---
 ...istence_modification_sublime_app_plugin_or_script.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 14e31a872..1b1b59ae5 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/26"
 [rule]
 author = ["Elastic"]
@@ -35,11 +35,11 @@ file where event.type in ("change", "creation") and file.extension : "py" and ) and not process.executable : (
- "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*",
+ "/Applications/Sublime Text*.app/Contents/*",
 "/usr/local/Cellar/git/*/bin/git",
+ "/Library/Developer/CommandLineTools/usr/bin/git",
 "/usr/libexec/xpcproxy",
- "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
- "/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
+ "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper"
 )
 '''
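Review bot: The new exclusion `"/Applications/Sublime Text*.app/Contents/*"` in the `not process.executable` list of the second hunk is much wider than the two entries it replaces: it exempts any executable located anywhere under a bundle whose name starts with "Sublime Text", and the match is on path alone, so it says nothing about who built or signed the binary. For a persistence rule this means that writes to the monitored plugin and script paths by any process running from such a location no longer raise an alert. If the false positives came from the versioned plugin hosts, `"/Applications/Sublime Text*.app/Contents/MacOS/*"` would cover them with less reach, and pairing the path with a code-signature condition (for example `process.code_signature.trusted == true`, assuming that field is populated for these file events) would tie the exemption to the vendor rather than to the location. The query begins before this hunk, so the `file.path` side of the condition is not visible here.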