Application Execution
  data_type is 'macosx:application_usage'
  data_type is 'syslog:line' AND body contains 'COMMAND=/bin/launchctl'

Application Install
  data_type is 'plist:key' AND plugin is 'plist_install_history'

AutoRun
  data_type is 'fs:stat' AND filename contains 'LaunchAgents/' AND timestamp_desc is 'HFS_DETECT crtime' AND filename contains '.plist'

File Downloaded
  data_type is 'chrome:history:file_downloaded'
  timestamp_desc is 'File Downloaded'
  data_type is 'macosx:lsquarantine'

Device Connected
  data_type is 'ipod:device:entry'
  data_type is 'plist:key' and plugin is 'plist_airport'

Document Printed
  (data_type is 'metadata:hachoir' OR data_type is 'metadata:OLECF') AND timestamp_desc contains 'Printed'