
Summary
This detection rule identifies attempts to install a root certificate on macOS devices. It monitors command-line executions of the `security` tool, specifically `security add-trusted-cert -d -r trusted`, which adds a certificate to the trusted keychain on macOS. The rule uses CrowdStrike's FDREvent log type to gather process-execution data and validates its expected results through multiple test scenarios: for instance, it detects the addition of a root certificate on the correct platform while ensuring that logs from Windows, or events of the wrong type, do not trigger false positives. Severity is classified as medium because unauthorized certificate installations can enable a range of attacks, including man-in-the-middle interception of TLS traffic. The rule also includes tests that verify log integrity and cover commands that do not match the expected behaviour, improving its ability to accurately flag malicious certificate-management activity. Overall, this rule is one part of a broader strategy for securing certificate management on macOS endpoints.
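As an added illustration (not the rule's own implementation), the following Python sketches the matching logic the summary describes and runs it over constructed sample events. Field names (`event_platform`, `event_simpleName`, `CommandLine`) and the `ProcessRollup2` event type are assumptions loosely modelled on CrowdStrike FDR process events, not values taken from the rule; the `-r` check accepts any value beginning with `trust` (e.g. `trustRoot`), which generalizes the page's `-r trusted`.

```python
import os
import shlex

# Constructed sample events; field names are assumptions, not the rule's schema.
SAMPLE_EVENTS = [
    # 1: macOS root-cert install into the admin (system) trust store -> should fire
    {"event_platform": "Mac", "event_simpleName": "ProcessRollup2",
     "CommandLine": "security add-trusted-cert -d -r trusted "
                    "-k /Library/Keychains/System.keychain /tmp/ca.cer"},
    # 2: Windows equivalent -> wrong platform, must not fire
    {"event_platform": "Win", "event_simpleName": "ProcessRollup2",
     "CommandLine": "certutil.exe -addstore Root C:\\Temp\\ca.cer"},
    # 3: right command, wrong event type -> must not fire
    {"event_platform": "Mac", "event_simpleName": "DnsRequest",
     "CommandLine": "security add-trusted-cert -d -r trusted /tmp/ca.cer"},
    # 4: benign use of the security tool -> must not fire
    {"event_platform": "Mac", "event_simpleName": "ProcessRollup2",
     "CommandLine": "security find-certificate -a -p"},
    # 5: user-keychain add without -d -> outside the rule's scope, must not fire
    {"event_platform": "Mac", "event_simpleName": "ProcessRollup2",
     "CommandLine": "/usr/bin/security add-trusted-cert -r trustRoot "
                    "-k ~/Library/Keychains/login.keychain-db cert.pem"},
]


def is_root_cert_install(event: dict) -> bool:
    """True when a macOS process event runs `security add-trusted-cert -d -r trust*`."""
    if event.get("event_platform") != "Mac":
        return False                      # guards against Windows logs
    if event.get("event_simpleName") != "ProcessRollup2":
        return False                      # only process-execution events count
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:
        return False                      # unbalanced quotes: not a parseable command
    if not argv or os.path.basename(argv[0]) != "security":
        return False
    if "add-trusted-cert" not in argv[1:] or "-d" not in argv:
        return False                      # -d targets the admin trust settings
    for i, tok in enumerate(argv[:-1]):
        if tok == "-r" and argv[i + 1].startswith("trust"):
            return True
    return False


def scan(events: list) -> list:
    """Return the 1-based indices of events that match the detection."""
    return [i for i, ev in enumerate(events, start=1) if is_root_cert_install(ev)]


if __name__ == "__main__":
    print("matching events:", scan(SAMPLE_EVENTS))
```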
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
- Container
Created: 2023-06-20