From e4e00ae8e1dadc59932187dfc3c8ec7598e05a3e Mon Sep 17 00:00:00 2001
From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Date: Fri, 27 Oct 2023 15:10:09 -0500
Subject: [PATCH] [Tuning] Access to Stored Browser Credentials (#3066)

* Exclude FPs

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 6400bb3237b5c1c82852517c4a1c29b64531b93c)
---
 ...ential_access_access_to_browser_credentials_procargs.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 2a0210272..07c41358e 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/31"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,8 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 "key3.db",
 "logins.json",
 "cookies.sqlite"
- )
+ ) and
+ not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint"))
 '''
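Review bot: The new exclusion in the second hunk keys only on `process.name : "wordexp-helper"` and `process.parent.name`, both of which are bare names, so any binary renamed `wordexp-helper` launched under a parent named like the agent would be suppressed for exactly the credential-file access this rule exists to catch. Consider anchoring the carve-out on the executable path or signing identity instead, e.g. `not (process.executable : "<elastic-agent-install-dir>/wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint"))`, or add a code-signature condition if the endpoint data populates those fields. The `process where` query that encloses these lines begins outside the hunk, so the preceding `and` terms it combines with cannot be confirmed from here. The first hunk is only the `updated_date` bump.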