plaso-rubanetra/extra/tag_macosx.txt

Application Execution
  data_type is 'macosx:application_usage'
  data_type is 'syslog:line' AND body contains 'COMMAND=/bin/launchctl'

Application Install
  data_type is 'plist:key' AND plugin is 'plist_install_history'

AutoRun
  data_type is 'fs:stat' AND filename contains 'LaunchAgents/' AND timestamp_desc is 'HFS_DETECT crtime' AND filename contains '.plist'

File Downloaded
  data_type is 'chrome:history:file_downloaded'
  timestamp_desc is 'File Downloaded'
  data_type is 'macosx:lsquarantine'

Device Connected
  data_type is 'ipod:device:entry'
  data_type is 'plist:key' and plugin is 'plist_airport'

Document Printed
  (data_type is 'metadata:hachoir' OR data_type is 'metadata:OLECF') AND timestamp_desc contains 'Printed'
Import from old repository 2020-04-06 16:48:34 +00:00			`Application Execution`
			`data_type is 'macosx:application_usage'`
			`data_type is 'syslog:line' AND body contains 'COMMAND=/bin/launchctl'`

			`Application Install`
			`data_type is 'plist:key' AND plugin is 'plist_install_history'`

			`AutoRun`
			`data_type is 'fs:stat' AND filename contains 'LaunchAgents/' AND timestamp_desc is 'HFS_DETECT crtime' AND filename contains '.plist'`

			`File Downloaded`
			`data_type is 'chrome:history:file_downloaded'`
			`timestamp_desc is 'File Downloaded'`
			`data_type is 'macosx:lsquarantine'`

			`Device Connected`
			`data_type is 'ipod:device:entry'`
			`data_type is 'plist:key' and plugin is 'plist_airport'`

			`Document Printed`
			`(data_type is 'metadata:hachoir' OR data_type is 'metadata:OLECF') AND timestamp_desc contains 'Printed'`