# Tags MacOS application execution events.
application_execution
  data_type is 'macosx:application_usage'
  data_type is 'syslog:line' AND body contains 'COMMAND=/bin/launchctl'

# Tags MacOS application installation events.
application_install
  data_type is 'plist:key' AND plugin is 'plist_install_history'

# Tags creation events of HFS/HFS+ files with LaunchAgents/ in the filename and plist as extension.
autorun
  data_type is 'fs:stat' AND timestamp_desc is 'HFS_DETECT crtime' AND filename contains 'LaunchAgents/' AND filename contains '.plist'

# Tags downloaded file events.
file_download
  data_type is 'chrome:history:file_downloaded'
  data_type is 'macosx:lsquarantine'
  timestamp_desc is 'File Downloaded'

# Tags device connection events.
device_connection
  data_type is 'ipod:device:entry'
  data_type is 'plist:key' AND plugin is 'plist_airport'

# Tags OLE compound document print events.
document_print
  data_type is 'olecf:summary_info' AND timestamp_desc contains 'Printed'
