Suspicious Calendar File Modification

Elastic Detection Rules

Summary
This detection rule identifies suspicious modifications to calendar files on macOS systems made by unexpected processes. Attackers can abuse calendar files to schedule the execution of malicious programs at set intervals, establishing persistence on a compromised host. The rule uses file event data from Elastic Defend to detect modifications to specific calendar file paths, while filtering out writes made by known, legitimate applications. It requires the Elastic Defend integration, and investigation involves reviewing the executable path of the process that triggered the alert, the timestamps of the file modifications, and the associated user accounts. The rule is intended to help analysts surface adversarial persistence while accounting for common false positives from trusted calendar applications and automated tasks. It maps to the MITRE ATT&CK "Event Triggered Execution" technique (T1546) under the Persistence tactic (TA0003).
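The following is an added example, written for this page, of the detection logic the summary describes: it is not Elastic's rule or its query. It takes constructed file-modification events in Elastic Defend's field naming, keeps only macOS modifications to per-user calendar files, and alerts when the writing process is not on an allowlist. The calendar path pattern, the allowlist globs, and the sample events are all assumptions chosen for illustration.

```python
"""Illustrative re-implementation of a calendar-file persistence detection.

Example code written for this page, not Elastic's rule. The path glob,
allowlist and sample events are assumptions; Elastic Defend events carry
far more fields than the constructed dicts below.
"""
import fnmatch

# Assumed location of per-user macOS calendar event files.
CALENDAR_GLOB = "/Users/*/Library/Calendars/*.calendar/Events/*.ics"

# Assumed allowlist of executables expected to write calendar files.
# fnmatch's "*" also matches "/", which mirrors the way a query-language
# wildcard is usually used for path prefixes.
ALLOWED_EXECUTABLE_GLOBS = (
    "/System/Library/*",
    "/System/Applications/Calendar.app/Contents/MacOS/*",
    "/System/Applications/Mail.app/Contents/MacOS/Mail",
    "/Applications/*",
)


def is_suspicious(event: dict) -> bool:
    """True when a macOS file-modification event touches a calendar .ics
    file and the modifying process is not on the allowlist."""
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.category") != "file" or event.get("event.action") != "modification":
        return False
    if not fnmatch.fnmatchcase(event.get("file.path", ""), CALENDAR_GLOB):
        return False
    exe = event.get("process.executable", "")
    if not exe:
        # No executable recorded: it cannot be allowlisted, so keep it for review.
        return True
    return not any(fnmatch.fnmatchcase(exe, g) for g in ALLOWED_EXECUTABLE_GLOBS)


def triage(events):
    """Return alerting events as (executable, path, user) triples, the three
    fields the summary says an analyst should review first."""
    return [
        (e.get("process.executable"), e.get("file.path"), e.get("user.name"))
        for e in events
        if is_suspicious(e)
    ]


# Constructed sample events (not real telemetry).
ICS = "/Users/alice/Library/Calendars/ABCD-1234.calendar/Events/6F1A.ics"
SAMPLE_EVENTS = [
    {   # Calendar.app saving an event: expected, allowlisted.
        "host.os.type": "macos", "event.category": "file",
        "event.action": "modification", "file.path": ICS,
        "process.executable": "/System/Applications/Calendar.app/Contents/MacOS/Calendar",
        "user.name": "alice",
    },
    {   # An interpreter running from /tmp rewriting the same .ics: alerts.
        "host.os.type": "macos", "event.category": "file",
        "event.action": "modification", "file.path": ICS,
        "process.executable": "/tmp/.update/python3",
        "user.name": "alice",
    },
    {   # Unknown process, but a creation rather than a modification: not this rule's scope.
        "host.os.type": "macos", "event.category": "file",
        "event.action": "creation", "file.path": ICS,
        "process.executable": "/tmp/.update/python3",
        "user.name": "alice",
    },
    {   # Same write on a Linux host: out of scope.
        "host.os.type": "linux", "event.category": "file",
        "event.action": "modification", "file.path": ICS,
        "process.executable": "/tmp/.update/python3",
        "user.name": "alice",
    },
]

if __name__ == "__main__":
    for exe, path, user in triage(SAMPLE_EVENTS):
        print(f"ALERT user={user} exe={exe} path={path}")
```

Two practitioner caveats follow from the structure rather than from any specific rule. First, a prefix allowlist such as the assumed `/Applications/*` means any bundle an attacker manages to place under that directory inherits the exemption, so the triage step should still confirm the writer is a known application. Second, alerting only on `modification` events is a deliberate scoping choice: a tool that creates a brand-new `.ics` file, or that edits the calendar database rather than the `.ics` files, is not covered by this logic and would need a separate rule.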
Categories
  • Endpoint
  • macOS
Data Sources
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1546
Created: 2021-01-19