From b44714c83f1ebe4430db176a204d776ec010486d Mon Sep 17 00:00:00 2001
From: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Date: Mon, 25 Jul 2022 10:12:30 -0400
Subject: [PATCH] filter Bitdefender FPs (#2109)

---
 rules/macos/defense_evasion_install_root_certificate.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index fae68587e..00a38318d 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/15"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,9 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
-  process.name:security and process.args:"add-trusted-cert"
+  process.name:security and process.args:"add-trusted-cert" and
+  not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp"
+)
 '''