From 3e831b82c39eee30e7ddb631655936ff1dd236a9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 28 Aug 2024 16:33:44 +0100
Subject: [PATCH] Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#4029)

Co-authored-by: Mika Ayenson
---
 ...l_access_suspicious_web_browser_sensitive_file_access.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
index a3c853dad..6055cc39c 100644
--- a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
+++ b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: file_access_events, process.Ext.effective_parent"
 min_stack_version = "8.11.0"
-updated_date = "2024/05/17"
+updated_date = "2024/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ file where event.action == "open" and host.os.type == "macos" and process.execut
 "Login Data") and
 ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript") and
 not process.code_signature.signing_id : "org.mozilla.firefox" and
-not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
+not Effective_process.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
 '''
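Review bot: The `min_stack_comments` context line in the first hunk still names `process.Ext.effective_parent` as the field that pins `min_stack_version = "8.11.0"`, but the second hunk replaces that field in the query with `Effective_process.executable`, so the comment now documents a constraint the rule no longer has. The date bump is the only change in this hunk; the metadata that justifies the stack floor was not revisited. Suggest updating it to the field the query actually reads, e.g. `min_stack_comments = "New fields added: file_access_events, Effective_process"`, and confirming that 8.11.0 is still the earliest stack where `Effective_process` is populated by the endpoint integration, since a floor that is too low would ship a rule whose endpoint-exclusion clause silently never matches on older stacks. The second hunk runs past the end of the patch as shown, so the closing lines of the query section could not be reviewed.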