From be3c7eaf45a41673c48d17e7fa44bbd3be51854e Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 19 Mar 2021 10:00:50 +0100
Subject: [PATCH] [Rule Tuning] WebProxy Settings Modification (#1008)

* [Rule Tuning] WebProxy Settings Modification
* kql optimz test
* update date
---
 .../macos/credential_access_mitm_localhost_webproxy.toml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1dd3b7045..1793757b7 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/09"
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
-  process.name:networksetup and process.args:("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl")
+event.category : process and event.type : start and
+  process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
+  not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
+  "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
+  "/usr/libexec/xpcproxy")
 '''
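Review bot: The new `/usr/libexec/xpcproxy` entry in the `process.parent.executable` exclusion list is far broader than the two tool-specific paths beside it; as far as I can tell xpcproxy is the generic launchd/XPC bootstrap parent on macOS, so a malicious LaunchAgent or LaunchDaemon that runs `networksetup -setwebproxy` would presumably inherit that parent and slip past this rule entirely. I would drop it and keep only the named helpers, `not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi")`, then suppress whichever launchd-spawned helper caused the noise by its own executable path or, if the data set carries it, a code-signature field rather than the intermediary parent. The remaining path-only exclusions can be satisfied by anything able to write to those locations, which is worth stating in the rule's false-positive text so analysts know the exclusion is by path, not by identity. Separately, the bare `off` term in `not (Bluetooth or off)` drops any invocation whose argument list contains that token, so it is worth confirming it cannot be appended as a harmless trailing argument to a genuine proxy-setting command.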