From cd11001fe80ce758c4fc2e74cda8bdbef94f8580 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 14:26:48 -0400
Subject: [PATCH] [Rule Tuning] Attempt to Remove File Quarantine Attribute (#2117)

* Add exceptions for browser FPs
---
 .../macos/defense_evasion_attempt_del_quarantine_attrib.toml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index df4655ad2..501f4a77d 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,9 @@ process where event.type in ("start", "process_started") and
 "/bin/sh -c xattr -c *"
 )
 )
+) and not process.args : (
+"/Applications/Google Chrome.app",
+"/Applications/Microsoft Edge.app"
 )
 '''
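Review bot: The exclusion added on the `) and not process.args : (` line is keyed on the target path rather than on the process that ran `xattr`, so any invocation that names `/Applications/Google Chrome.app` or `/Applications/Microsoft Edge.app` as an argument is suppressed regardless of which process or user launched it. If the false positives are the browsers' own update components clearing quarantine on their bundles, anchoring the exception on the actor keeps the same FP reduction with a smaller blind spot, e.g. `not (process.args : ("/Applications/Google Chrome.app", "/Applications/Microsoft Edge.app") and process.parent.executable : ("/Applications/Google Chrome.app/*", "/Applications/Microsoft Edge.app/*"))`; which field actually carries the browser path should be confirmed from the FP samples before choosing it. The enclosing `query` block starts outside the hunk, and the commit message says only "browser FPs", so a sentence on why these two paths are exempt belongs in the rule's false-positive notes so the exception can be revisited later.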