
Summary
This rule detects the removal of extended attributes from files on macOS, using the Event Query Language (EQL) to match specific file events. macOS stamps files downloaded from the internet with the com.apple.quarantine extended attribute, which is what causes Gatekeeper to run its security checks before the file is first opened. Attackers and their droppers strip this attribute so that a downloaded payload launches without those checks, so the behavior is worth alerting on. The rule looks for "extended_attributes_delete" file actions performed by a process that is either unsigned or whose code signature is not trusted, excludes a set of legitimate executable paths that routinely remove attributes, and flags everything else. Because legitimate tools (the xattr utility, installers, update helpers) also remove quarantine flags, analysts should verify the acting process's signature and origin before treating an alert as malicious. Given Gatekeeper's central role in the macOS security model, this detection surfaces malware that defeats it by erasing the protective flag rather than by exploiting a vulnerability.
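The matching logic described above, re-implemented in Python over constructed sample events so it can be exercised offline. This is an added example and not the rule's own EQL query or any Elastic code: the ECS-style field names (event.action, process.executable, process.code_signature.trusted / exists, host.os.type) are assumptions about the event shape, and the allow-listed executable prefixes are illustrative, not the rule's actual exclusion list.

```python
# Illustrative re-implementation of the detection logic the rule summary
# describes; not the Elastic rule's EQL. Field names follow ECS conventions
# as an assumption, and the sample events below are constructed.

# Assumed allow-list of executables that legitimately strip extended
# attributes (the real rule's exclusion list is longer and differs).
ALLOWED_EXECUTABLE_PREFIXES = (
    "/usr/bin/xattr",
    "/System/",
)


def _get(event: dict, dotted: str):
    """Look up a dotted ECS path such as 'process.code_signature.trusted'
    in a nested dict, returning None when any segment is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_untrusted_xattr_removal(event: dict) -> bool:
    """True when a macOS file event records an extended-attribute deletion
    performed by an unsigned or untrusted process that is not allow-listed."""
    if _get(event, "host.os.type") != "macos":
        return False
    if _get(event, "event.category") != "file":
        return False
    if _get(event, "event.action") != "extended_attributes_delete":
        return False

    exe = _get(event, "process.executable")
    if not exe:
        return False  # no attribution possible without an executable path

    # "Untrusted" means the signature is absent OR present but not trusted.
    trusted = _get(event, "process.code_signature.trusted")
    exists = _get(event, "process.code_signature.exists")
    if not (trusted is False or exists is False):
        return False

    # Exclude legitimate writers that routinely remove attributes.
    if any(exe.startswith(prefix) for prefix in ALLOWED_EXECUTABLE_PREFIXES):
        return False
    return True


def find_alerts(events):
    """Return the subset of events that the detection logic would flag."""
    return [e for e in events if is_untrusted_xattr_removal(e)]


def _ev(os_type, action, exe, trusted, exists, path, category="file"):
    """Helper to build a constructed sample event in the assumed shape."""
    sig = {}
    if trusted is not None:
        sig["trusted"] = trusted
    if exists is not None:
        sig["exists"] = exists
    return {
        "host": {"os": {"type": os_type}},
        "event": {"category": category, "action": action},
        "process": {"executable": exe, "code_signature": sig},
        "file": {"path": path},
    }


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 1. Apple-signed xattr utility: trusted, and allow-listed anyway.
    _ev("macos", "extended_attributes_delete", "/usr/bin/xattr",
        True, True, "/Users/alice/Downloads/tool.dmg"),
    # 2. Unsigned dropper stripping the flag from its payload: should alert.
    _ev("macos", "extended_attributes_delete", "/Users/alice/Downloads/dropper",
        None, False, "/Users/alice/Downloads/payload.app"),
    # 3. Signed but untrusted (e.g. revoked or ad-hoc) app: should alert.
    _ev("macos", "extended_attributes_delete",
        "/Applications/Shady.app/Contents/MacOS/Shady",
        False, True, "/Users/alice/Downloads/update.pkg"),
    # 4. System path with no signature data: excluded by the allow-list.
    _ev("macos", "extended_attributes_delete",
        "/System/Library/CoreServices/installer", None, False,
        "/tmp/pkg.pkg"),
    # 5. Same action on a non-macOS host: out of scope.
    _ev("linux", "extended_attributes_delete", "/usr/bin/setfattr",
        None, False, "/home/bob/file"),
    # 6. Unsigned process, but a different file action: not a match.
    _ev("macos", "modification", "/Users/alice/Downloads/dropper",
        None, False, "/Users/alice/Downloads/notes.txt"),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["process"]["executable"], "->", alert["file"]["path"])
```

The sample set deliberately covers the two "untrusted" branches (no signature at all, and a signature that exists but is not trusted), the allow-list exclusion, and two negative controls. When tuning the real rule, the allow-list is the place to add organisation-specific installers or update helpers that show up as benign noise.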
Categories
- macOS
- Endpoint
Data Sources
- File
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1562
- T1562.001
Created: 2020-08-14