
Summary
This detection rule looks for modifications to a user's macOS Dock property list, '/Users/*/Library/Preferences/com.apple.dock.plist'. The Dock plist records which application each Dock icon launches, so an adversary who can rewrite it can point an existing shortcut at a malicious application that runs whenever the user clicks the icon they expect, giving persistence without installing a new launch agent or daemon. The rule matches file events whose action is a modification of that path and excludes writes made by the system processes xpcproxy and cfprefsd, which rewrite the file during normal operation. The filters are expressed in KQL (Kibana Query Language) so that the query targets the suspicious case while reducing false positives from routine system and user activity. Because the exclusion is by process name, writes that are performed through cfprefsd (the daemon that applies preference changes on behalf of other processes) do not produce an alert, so an analyst triaging a hit should check which process wrote the file and whether the Dock entries now resolve to unexpected application paths. The rule gives security teams an alert for a persistence technique that is otherwise easy to overlook on macOS endpoints.
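The matching logic described above, run over a handful of constructed sample events, as an added example that is not the rule's own query or any project code. The field names follow ECS-style keys (event.category, event.action, file.path, process.name), the events are invented for illustration, and the exclusion list contains only the two process names the summary mentions; the real rule may exclude more.

```python
import fnmatch

# Constructed sample events modelled on the fields the rule filters on.
# These are not real telemetry; process names and paths are made up.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.action": "modification",
     "file.path": "/Users/alice/Library/Preferences/com.apple.dock.plist",
     "process.name": "cfprefsd"},   # preference daemon's routine write: excluded
    {"event.category": "file", "event.action": "modification",
     "file.path": "/Users/alice/Library/Preferences/com.apple.dock.plist",
     "process.name": "xpcproxy"},   # excluded by name as well
    {"event.category": "file", "event.action": "modification",
     "file.path": "/Users/alice/Library/Preferences/com.apple.dock.plist",
     "process.name": "python3"},    # unexpected writer of the Dock plist: alert
    {"event.category": "file", "event.action": "creation",
     "file.path": "/Users/alice/Library/Preferences/com.apple.dock.plist",
     "process.name": "python3"},    # creation, not modification: no alert
    {"event.category": "file", "event.action": "modification",
     "file.path": "/Users/alice/Library/Preferences/com.apple.finder.plist",
     "process.name": "python3"},    # a different plist: no alert
    {"event.category": "process", "event.action": "start",
     "file.path": "/Users/alice/Library/Preferences/com.apple.dock.plist",
     "process.name": "python3"},    # not a file event: no alert
]

# Path pattern from the rule. fnmatch's '*' matches any characters, including
# '/', which mirrors how a wildcard behaves in the KQL filter.
DOCK_PLIST_PATTERN = "/Users/*/Library/Preferences/com.apple.dock.plist"

# Process-name exclusions named in the summary (assumed to be the complete list
# only for this example).
EXCLUDED_PROCESSES = {"xpcproxy", "cfprefsd"}


def matches_rule(event):
    """Return True if the event satisfies every clause of the detection."""
    return (
        event.get("event.category") == "file"
        and event.get("event.action") == "modification"
        and fnmatch.fnmatchcase(event.get("file.path", ""), DOCK_PLIST_PATTERN)
        and event.get("process.name") not in EXCLUDED_PROCESSES
    )


def run_detection(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


def alerting_processes(events):
    """Process names responsible for the alerts, for quick triage."""
    return sorted({e["process.name"] for e in run_detection(events)})


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["process.name"], "modified", hit["file.path"])
```

Only the third event fires: the same write performed by cfprefsd or xpcproxy is silently dropped by the name-based exclusion, which is the trade-off the rule makes to keep noise down and the reason a hit should be triaged by inspecting the writing process rather than trusted on its own.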
Categories
- Endpoint
- macOS
Data Sources
- File
- Logon Session
- Process
- Application Log
ATT&CK Techniques
- T1543
Created: 2020-12-18