From d8e0c0fee3aa4b39d770d26c1aff7758d0742efd Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 2 Aug 2022 14:06:57 -0400
Subject: [PATCH] [Rule Tuning] Suspicious Calendar File Modification (#2187)

* exclude fps for Mail.app
---
 ...ersistence_suspicious_calendar_modification.toml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 5351f1fb9..eac455d9f 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -31,12 +31,13 @@ query = '''
 event.category:file and event.action:modification and file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and process.executable:
- (* and not
+ (* and not
 (
- /System/Library/* or
- /System/Applications/Calendar.app/Contents/MacOS/* or
- /usr/libexec/xpcproxy or
- /sbin/launchd or
+ /System/Library/* or
+ /System/Applications/Calendar.app/Contents/MacOS/* or
+ /System/Applications/Mail.app/Contents/MacOS/Mail or
+ /usr/libexec/xpcproxy or
+ /sbin/launchd or
 /Applications/*
 )
 )
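Review bot: The new `/System/Applications/Mail.app/Contents/MacOS/Mail or` exception in the query hunk is justified only by the commit title ("exclude fps for Mail.app"), and nothing in the rule records why a mail client legitimately writes to `*.calendar/Events/*.ics`; an entry in the rule's `false_positives` list (or a short `note`) stating the observed benign behaviour — presumably Mail handling calendar invitations, to be confirmed against the triaged events — would keep the exception from being widened later to `/System/Applications/*` without the same evidence. The match is on `process.executable` path alone; that is tolerable for this entry because `/System/Applications` is protected by SIP on current macOS, unlike the pre-existing `/Applications/*` exclusion, and a comment to that effect next to the path would make the difference explicit. Four of the re-emitted lines (`/System/Library/* or` through `/sbin/launchd or`) show no textual change, so they are presumably whitespace-only edits that inflate the diffstat; a reviewer cannot confirm from the collapsed hunk what changed. The enclosing `query = '''` string opens before this hunk (it appears only in the hunk header) and its closing `'''` lies after it.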