From cdafe17ffbb33873479727f58e6836553c17f7f9 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Wed, 27 Jul 2022 08:34:23 -0400
Subject: [PATCH] [Rule Tuning] Authorization Plugin Modification (#2156)
* exclude files altered by shove processes
---
 ...ence_credential_access_authorization_plugin_creation.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 2bb4ad9a8..35a10afd8 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2022/07/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,8 @@ type = "query"
 query = '''
 event.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and
- not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)
+ not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and
+ not process.name:shove and process.code_signature.trusted:true
 '''
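Review bot: The added line `not process.name:shove and process.code_signature.trusted:true` in the second hunk does not express the exclusion the commit message describes, because KQL binds `not` tighter than `and`, so it evaluates as `(not process.name:shove) and (process.code_signature.trusted:true)`. That turns a trusted code signature into a requirement for every match, so a plugin written into `/Library/Security/SecurityAgentPlugins/` by an unsigned or untrusted process would no longer fire, and events that presumably lack the `process.code_signature.trusted` field would be dropped as well. Grouping the two terms restores the intent of excluding only trusted `shove` activity: `not (process.name:shove and process.code_signature.trusted:true)`. The `query` string opens and closes inside this hunk, so no other part of the rule is affected by the fix.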