
Summary
This detection rule identifies the creation or modification of Event Monitor Daemon (emond) rules on macOS. emond is a legacy Apple daemon that loads rule plists from /private/etc/emond.d/rules/ and can run commands in response to events such as system startup or user authentication; an adversary with root access can drop a rule whose RunCommand action executes a payload each time the event fires, which gives them persistence (ATT&CK T1546.014). The rule is implemented in EQL (Event Query Language) in the Elastic Security app and watches file events on '/private/etc/emond.d/rules/*.plist', '/etc/emond.d/rules/*.plist' (the same directory, since /etc is a symlink to /private/etc on macOS, but sensors may report either form of the path) and '/private/var/db/emondClients/*'. The last path matters because launchd starts emond on demand through a QueueDirectories entry for /private/var/db/emondClients: writing any file there launches the daemon and causes the rules to be evaluated, so a rule drop is typically paired with a file creation in that directory. Alerts therefore point to potentially unauthorized rule creation or modification indicative of a persistence technique. The rule carries a risk score of 47, corresponding to medium severity. Apple removed emond in macOS 13 Ventura, so hits on current releases are unexpected and worth investigating, while on older hosts legitimate administrative tooling can occasionally touch these paths. The page also includes a setup guide requiring the Elastic Defend integration, plus guidance on investigation, false positive analysis and response.
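As an added example (not the rule's own EQL query nor code from Elastic), the following Python replays the rule's path-matching logic over constructed file events, and also parses a constructed emond rules plist to list its RunCommand actions, which is the part of a rule a responder most wants to see during triage. The event field names (event.type, file.path, process.name, user.name) are ECS-style assumptions, treating anything other than a deletion as a match is an assumption about the rule's event filter, and the plist keys (name, enabled, eventTypes, actions, type, command, arguments) follow the layout of Apple's SampleRules.plist.

```python
"""Added example, not the Elastic rule itself: replay the emond path
checks over constructed file events and inspect a rules plist."""
import fnmatch
import plistlib

# File path globs from the rule description.
WATCHED_GLOBS = (
    "/private/etc/emond.d/rules/*.plist",
    "/etc/emond.d/rules/*.plist",
    "/private/var/db/emondClients/*",
)

# Constructed sample telemetry (not real data); flat ECS-style keys assumed.
SAMPLE_EVENTS = [
    {"event.type": "creation", "file.path": "/private/etc/emond.d/rules/update.plist",
     "process.name": "bash", "user.name": "root"},
    {"event.type": "change", "file.path": "/etc/emond.d/rules/SampleRules.plist",
     "process.name": "vim", "user.name": "root"},
    {"event.type": "creation", "file.path": "/private/var/db/emondClients/trigger",
     "process.name": "touch", "user.name": "root"},
    {"event.type": "deletion", "file.path": "/private/etc/emond.d/rules/update.plist",
     "process.name": "rm", "user.name": "root"},
    # Sibling of the rules directory: must not match.
    {"event.type": "creation", "file.path": "/private/etc/emond.d/emond.plist",
     "process.name": "installer", "user.name": "root"},
]


def matches_watched_path(path):
    """True when the path falls under one of the rule's globs."""
    return any(fnmatch.fnmatchcase(path, g) for g in WATCHED_GLOBS)


def emond_rule_hits(events):
    """Return the events the rule would alert on: creation or modification
    (assumed here as any event type except deletion) of a watched file."""
    return [e for e in events
            if e.get("event.type") != "deletion"
            and matches_watched_path(e.get("file.path", ""))]


def run_command_actions(plist_bytes):
    """Parse an emond rules plist (an array of rule dicts) and return
    (rule name, event types, command line) for each RunCommand action.
    Key names are assumed from the layout of Apple's SampleRules.plist."""
    found = []
    for rule in plistlib.loads(plist_bytes):
        for action in rule.get("actions", []):
            if action.get("type") == "RunCommand":
                argv = [action.get("command", "")] + list(action.get("arguments", []))
                found.append((rule.get("name"), tuple(rule.get("eventTypes", [])), " ".join(argv)))
    return found


# Constructed rules plist: one startup-triggered RunCommand rule and one
# harmless logging rule, to show that only the former is reported.
SAMPLE_RULES_PLIST = plistlib.dumps([
    {"name": "update", "enabled": True, "eventTypes": ["startup"],
     "actions": [{"type": "RunCommand", "command": "/bin/sh",
                  "user": "root", "arguments": ["-c", "/tmp/.u.sh"]}]},
    {"name": "log-only", "enabled": True, "eventTypes": ["auth.success"],
     "actions": [{"type": "Log", "message": "login seen", "facility": "auth"}]},
])

if __name__ == "__main__":
    for hit in emond_rule_hits(SAMPLE_EVENTS):
        print("ALERT", hit["event.type"], hit["file.path"], "by", hit["process.name"])
    for name, kinds, cmd in run_command_actions(SAMPLE_RULES_PLIST):
        print("RunCommand in rule", repr(name), "on", kinds, "->", cmd)
```

During triage, pair the alerting file event with the process and user that wrote it, then pull the plist and read its RunCommand actions as above; a rule pointing at a script in a world-writable or hidden location, or one that was written outside a change window, is the signal to escalate.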
Categories
- macOS
- Endpoint
Data Sources
- File
- Process
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1546
- T1546.014
Created: 2021-01-11