application_execution
  data_type is 'macosx:application_usage'
  data_type is 'syslog:line' AND body contains 'COMMAND=/bin/launchctl'

application_install
  data_type is 'plist:key' AND plugin is 'plist_install_history'

autorun
  data_type is 'fs:stat' AND filename contains 'LaunchAgents/' AND timestamp_desc is 'HFS_DETECT crtime' AND filename contains '.plist'

file_download
  data_type is 'chrome:history:file_downloaded'
  timestamp_desc is 'File Downloaded'
  data_type is 'macosx:lsquarantine'

device_connection
  data_type is 'ipod:device:entry'
  data_type is 'plist:key' and plugin is 'plist_airport'

document_print
  (data_type is 'metadata:hachoir' OR data_type is 'metadata:OLECF') AND timestamp_desc contains 'Printed'
