
Swift Script Execution - MacOS

Anvilogic Forge

Summary
This detection rule identifies the execution of Swift scripts from a command-line interface on macOS systems, a technique adversaries can use to run arbitrary commands. Swift, a first-class language in macOS environments that can also be run as a script, can be leveraged maliciously in combination with other shell environments. The rule uses Splunk's query language (SPL) to filter events in which Swift executes a script and gathers the pertinent fields: timestamps, hostnames, usernames, and process details. By matching the parent process name against common Unix/Linux shells such as zsh, bash, or sh, it narrows the results to the shell-launched executions most indicative of potentially malicious behavior.
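The matching logic described above, rewritten as a small Python filter over constructed process events so the rule's conditions can be checked outside Splunk. This is an added example, not Anvilogic's rule or its SPL; the event field names (`_time`, `host`, `user`, `parent_process`, `process`, `command_line`) and the sample records are assumptions, and the parent-shell list is the one named in the summary.

```python
import os

# Parent shells the rule matches against (zsh, bash, sh), compared by basename.
SHELL_PARENTS = {"zsh", "bash", "sh"}

# Constructed sample process events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:15:02Z", "host": "mac-01", "user": "alice",
     "parent_process": "/bin/zsh", "process": "/usr/bin/swift",
     "command_line": "swift /tmp/run.swift"},
    {"_time": "2024-02-09T10:16:40Z", "host": "mac-02", "user": "bob",
     "parent_process": "/Applications/Xcode.app/Contents/MacOS/Xcode",
     "process": "/usr/bin/swift", "command_line": "swift build"},
    {"_time": "2024-02-09T10:17:11Z", "host": "mac-03", "user": "carol",
     "parent_process": "/bin/bash", "process": "/usr/bin/python3",
     "command_line": "python3 main.py"},
]


def _basename(path):
    """Normalise a process path to its lower-cased basename (handles full paths)."""
    return os.path.basename(path or "").lower()


def script_path(command_line):
    """Return the first argument that looks like a Swift script, or None."""
    for arg in (command_line or "").split()[1:]:
        if arg.lower().endswith(".swift"):
            return arg
    return None


def is_swift_script_from_shell(event):
    """Rule condition: process is swift AND parent process is a Unix shell."""
    return (_basename(event.get("process")) == "swift"
            and _basename(event.get("parent_process")) in SHELL_PARENTS)


def detect(events):
    """Apply the rule and project the fields the summary says are gathered."""
    hits = []
    for e in events:
        if is_swift_script_from_shell(e):
            hits.append({"time": e["_time"], "host": e["host"], "user": e["user"],
                         "parent": _basename(e["parent_process"]),
                         "command_line": e["command_line"],
                         "script": script_path(e["command_line"])})
    return hits
```

Only the zsh-launched event matches; the Xcode-parented `swift build` is dropped by the parent-shell condition, which is the filter's main false-positive control.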
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1059
Created: 2024-02-09