
Summary
The detection rule 'Sublime Plugin or Application Script Modification' identifies potentially malicious modifications to Sublime Text application plugins and scripts on macOS systems. Adversaries can abuse such modifications to execute a malicious payload whenever the Sublime Text application launches, which gives them a persistence mechanism. The rule uses Elastic Query Language (EQL) to alert on the creation or modification of Python files in predefined Sublime directories while excluding known legitimate processes. Detection relies on data from Elastic Defend and is tailored to environments that monitor endpoints with the Elastic Agent managed by Fleet. The risk score is low, indicating a low likelihood of false positives, but alerts should still be reviewed carefully given how attackers can exploit this mechanism. Setup prerequisites include properly configuring Fleet for Elastic Defend to ensure comprehensive endpoint monitoring.
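The detection logic the summary describes, as an added illustration in Python rather than the rule's own EQL: file events are flagged when a Python file is created or modified under a Sublime Text directory by a process that is not on an allowlist. The path patterns, the allowlisted process names and the sample events are constructed assumptions for this example; the real rule's directory list and exclusions are not given on this page.

```python
import re
from dataclasses import dataclass

# Assumed Sublime Text locations on macOS (illustrative; the rule's actual path
# list is not on this page): the per-user Packages tree and the app bundle.
SUBLIME_PY_PATTERNS = [
    re.compile(r"^/Users/[^/]+/Library/Application Support/Sublime Text( \d)?/Packages/.*\.py$"),
    re.compile(r"^/Applications/Sublime Text( \d)?\.app/Contents/MacOS/.*\.py$"),
]

# Assumed allowlist of processes that legitimately write these files
# (the editor itself); the real rule's exclusions are not on this page.
ALLOWED_PROCESSES = {"sublime_text", "Sublime Text"}


@dataclass(frozen=True)
class FileEvent:
    action: str         # "creation", "modification", "deletion", ...
    path: str           # absolute path of the file touched
    process_name: str   # process that performed the write


def is_suspicious(event: FileEvent) -> bool:
    """True when a non-allowlisted process creates/modifies a .py file in a Sublime dir."""
    if event.action not in ("creation", "modification"):
        return False
    if event.process_name in ALLOWED_PROCESSES:
        return False
    return any(p.match(event.path) for p in SUBLIME_PY_PATTERNS)


def detect(events):
    """Return the paths of events that should raise an alert, in input order."""
    return [e.path for e in events if is_suspicious(e)]


# Constructed sample events: two should alert, four should not.
SAMPLE_EVENTS = [
    FileEvent("creation", "/Users/alice/Library/Application Support/Sublime Text/Packages/User/helper.py", "python3"),
    FileEvent("modification", "/Users/alice/Library/Application Support/Sublime Text 3/Packages/User/Preferences.sublime-settings", "sublime_text"),
    FileEvent("modification", "/Applications/Sublime Text.app/Contents/MacOS/Lib/python38/sublime.py", "bash"),
    FileEvent("creation", "/Users/alice/Library/Application Support/Sublime Text/Packages/User/init.py", "sublime_text"),
    FileEvent("deletion", "/Users/alice/Library/Application Support/Sublime Text/Packages/User/old.py", "rm"),
    FileEvent("creation", "/Users/alice/Documents/script.py", "python3"),
]

if __name__ == "__main__":
    for path in detect(SAMPLE_EVENTS):
        print("ALERT:", path)
```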
Categories
- Endpoint
- macOS
- Cloud
- Application
Data Sources
- Logon Session
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1554
Created: 2020-12-23