From c031bb501dfde50d8aeb03f7198b605de6a29091 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Mon, 9 May 2022 07:50:27 -0800
Subject: [PATCH] [Rule tuning] SSH Authorized Keys File Modification (#1955)
---
 .../persistence_ssh_authorized_keys_modification.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 2ea1bead4..c0df66799 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/05/04"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,8 @@ event.category:file and event.type:(change or creation) and
 /usr/bin/nautilus or
 /usr/bin/scp or
 /usr/bin/touch or
- /var/lib/docker/*)
+ /var/lib/docker/* or
+ /usr/bin/google_guest_agent)
 '''
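Review bot: The new `/usr/bin/google_guest_agent` entry in the second hunk is matched on path alone, in what appears to be the query's list of excluded executables, so anything running from that path is exempt from the rule, including on hosts that are not GCE instances and have no reason to carry the binary. The guest agent is also the component that writes `authorized_keys` from instance and project metadata, so keys introduced through a metadata change will presumably no longer alert here, and that coverage has to come from cloud audit logging instead. I would record both points in the rule's `note` or `false_positives` text, for example `google_guest_agent is excluded; SSH keys added via GCP metadata are not detected by this rule`. The query string opens above this hunk, so the rest of the exclusion list is not visible and was not reviewed.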