[Rule Tuning] Modification of Environment Variable via Launchctl (#2119)

* add exception for vmoptions

rules/macos/defense_evasion_modify_environment_launchctl.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2022/07/18"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,8 @@ event.category:process and event.type:start and
   not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
                                  "/usr/local/bin/kr" or
                                  "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
-                                 "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper")
+                                 "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper") and
+  not process.args : "*.vmoptions"
 '''