[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147)

* exclude jamf fp and add ssh subtechnique
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/macos/lateral_movement_remote_ssh_login_enabled.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
  process.name:systemsetup and
- process.args:("-setremotelogin" and on)
+ process.args:("-setremotelogin" and on) and
+ not process.parent.executable : /usr/local/jamf/bin/jamf
 '''
 
 
@@ -36,6 +37,11 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
 
 
 [rule.threat.tactic]