From ba5f3eed823b2794207c8ba697d7d1ca5fd26923 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Tue, 22 Jun 2021 09:10:28 -0600
Subject: [PATCH] Switch from process.ppid to process.parent.pid (#1255)

* Switch from process.ppid to process.parent.pid

* Bump updated date

* Bump updated date

(cherry picked from commit 31f63e728e0625c62e7798dfa8aea419a8d520f6)
---
 .../macos/execution_shell_execution_via_apple_scripting.toml | 4 ++--
 rules/macos/persistence_folder_action_scripts_runtime.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 8e784e975..676757576 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
  [process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
- [process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.ppid
+ [process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
 '''
 
 
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 98724350c..c639b9e6d 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/06/22"
 
 [rule]
 author = ["Elastic"]
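Review bot: The new join key on the second sequence step, `by process.parent.pid`, changes the data contract the rule depends on, and a mismatch would not surface as an error: as far as I can tell, events from a source that still populates only the legacy `process.ppid` field will never complete the sequence, so the detection goes quiet rather than failing loudly. Since the rename to the ECS field is deliberate, what is missing is a note of that dependency next to the query; above `query = '''` I would add `# Parent/child join relies on the ECS field process.parent.pid; events carrying only process.ppid will not match.` The same applies to the query hunk in rules/macos/persistence_folder_action_scripts_runtime.toml. Not introduced by this change but worth confirming while touching the join: pairing on a bare pid within maxspan=5s means a reused parent pid on the same host could pair unrelated processes in that window, which presumably is an accepted trade-off for the short span.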
@@ -25,7 +25,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
  [process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
- [process where event.type in ("start", "process_started") and process.name in ("osascript", "sh")] by process.ppid
+ [process where event.type in ("start", "process_started") and process.name in ("osascript", "sh")] by process.parent.pid
 '''