[Rule Tuning] Authorization Plugin Modification (#2156)

* exclude files altered by shove processes

rules/macos/persistence_credential_access_authorization_plugin_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/07/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,8 @@ type = "query"
 query = '''
 event.category:file and not event.type:deletion and
   file.path:(/Library/Security/SecurityAgentPlugins/* and
-  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)
+  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and
+  not process.name:shove and process.code_signature.trusted:true
 '''