From a9de227cfafbb14ec1e5aa9d43423ef4a7eb6fa3 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 14:14:12 -0400
Subject: [PATCH] [Rule Tuning] Access to Keychain Credentials Directories (#2101)

* rule tune to remove noisy FPs
---
 .../macos/credential_access_credentials_keychains.toml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 95dc17790..c3fc0ce38 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/13"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,13 @@ process where event.type in ("start", "process_started") and
 "set-key-partition-list", "import", "find-identity") and
- not process.parent.executable : "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect"
+ not process.parent.executable :
+ (
+ "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect",
+ "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise",
+ "/opt/jc/bin/jumpcloud-agent"
+ ) and
+ not process.executable : "/opt/jc/bin/jumpcloud-agent"
 '''
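Review bot: The three paths added to the `not process.parent.executable :` tuple and the new `not process.executable : "/opt/jc/bin/jumpcloud-agent"` line are path-only exclusions, so anything executing from (or parented by) those paths is exempted from this keychain-access detection regardless of its code signature, which enlarges the blind spot the original OpenVPN exclusion already carried. Where the data source populates code-signature fields, anchoring each exclusion on signature as well as path keeps the false-positive reduction without exempting an unsigned binary that merely occupies the path, e.g. `not (process.parent.executable : "/opt/jc/bin/jumpcloud-agent" and process.parent.code_signature.trusted == true)` for the JumpCloud entry, with the same treatment for the Defender and OpenVPN entries. The rule file has no place to record why each vendor was excluded, so the commit body's "noisy FPs" would be worth expanding in the PR description into one line per path naming the benign behaviour observed. The query being edited starts before this hunk (its `process where` line appears only in the hunk header), and the hunk's leading and trailing context lines appear to be missing from this rendering, so the surrounding conditions could not be reviewed here.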