Suspicious SQLite3 LSQuarantine Behavior

Splunk Security Content

Summary
This analytic identifies the sqlite3 binary querying the macOS LSQuarantine database, the per-user record in which macOS stores the origin of files downloaded from the internet. Using EDR process telemetry, it flags sqlite3 executions whose command line references LSQuarantine. Adware and potentially unwanted programs commonly query this database to learn where packages were downloaded from, so the rule is useful for surfacing adware or PUP activity on macOS endpoints. Implementation requires ingesting process-execution logs from an EDR agent and normalizing them to Splunk's Common Information Model (CIM) so the Endpoint data model fields the search relies on are populated. Legitimate administrative or forensic use of sqlite3 against the same database will also match and should be tuned out.
Categories
  • macOS
  • Endpoint
Data Sources
  • Pod
  • Container
  • Process
  • Application Log
ATT&CK Techniques
  • T1074
Created: 2024-11-13