
Suspicious pbpaste High Volume Activity

Elastic Detection Rules

Summary
This detection rule identifies unusually high-volume use of the `pbpaste` command on macOS systems, which may indicate malicious behavior such as a scripted loop that continuously captures clipboard data. The rule alerts when `pbpaste` is executed frequently within a short time window across monitored hosts, a pattern consistent with an attempt to harvest sensitive information such as credentials or private data from the clipboard. It consists of a sequence query that fires on five or more executions of `pbpaste` within a one-minute span. The investigation guide emphasizes assessing execution frequency and patterns, identifying the processes that invoke `pbpaste`, reviewing the clipboard contents involved, checking for possible data exfiltration, and correlating the `pbpaste` activity with the user's normal behavior to determine whether it is legitimate or an indicator of compromise. The rule uses data from Jamf Protect and requires several prerequisites for deployment in an Elastic Agent context.
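The following is an added illustration of the threshold logic the summary describes (five or more `pbpaste` executions on one host within one minute), written as a stand-alone Python sliding-window detector; it is not the rule's own EQL query and not code from Elastic or Jamf. The event records, their field names (`@timestamp`, `host`, `user`, `process`, `parent`), and the timestamps are constructed sample data chosen to show one host that trips the threshold, one with too few executions, and one whose executions are spread out too far to match. Each alert also summarizes the parent processes that invoked `pbpaste`, since the investigation guide lists that as a triage step.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # span of the sequence window described in the summary
THRESHOLD = 5                   # executions of pbpaste needed inside that window

# Constructed sample process events (hypothetical field names, not real telemetry).
# mac-01: six pbpaste runs from a shell loop inside 40 seconds -> should alert.
# mac-02: four pbpaste runs inside a minute -> below threshold, no alert.
# mac-03: five pbpaste runs spread over ~5 minutes -> never five in one window.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-09-12T10:00:00", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:00", "host": "mac-02", "user": "bob",   "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:00", "host": "mac-03", "user": "carol", "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:03", "host": "mac-01", "user": "alice", "process": "ls",      "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:05", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:10", "host": "mac-02", "user": "bob",   "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:12", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:20", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:20", "host": "mac-02", "user": "bob",   "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:25", "host": "mac-02", "user": "bob",   "process": "pbcopy",  "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:30", "host": "mac-02", "user": "bob",   "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:00:31", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:00:40", "host": "mac-01", "user": "alice", "process": "pbpaste", "parent": "bash"},
    {"@timestamp": "2024-09-12T10:01:10", "host": "mac-03", "user": "carol", "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:02:20", "host": "mac-03", "user": "carol", "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:03:30", "host": "mac-03", "user": "carol", "process": "pbpaste", "parent": "Terminal"},
    {"@timestamp": "2024-09-12T10:04:40", "host": "mac-03", "user": "carol", "process": "pbpaste", "parent": "Terminal"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def detect_pbpaste_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host burst of >= threshold pbpaste executions within `window`.

    Events are processed in timestamp order; a per-host deque holds the pbpaste
    executions still inside the window. When the deque reaches the threshold an
    alert is emitted and the deque is cleared so each burst alerts only once.
    """
    alerts = []
    recent = defaultdict(deque)  # host -> deque of (timestamp, parent process)

    for event in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if event["process"] != "pbpaste":
            continue  # only pbpaste executions count toward the window
        host = event["host"]
        ts = parse_ts(event["@timestamp"])
        bucket = recent[host]

        # Drop executions that fell out of the window relative to this event.
        while bucket and ts - bucket[0][0] > window:
            bucket.popleft()

        bucket.append((ts, event["parent"]))
        if len(bucket) >= threshold:
            alerts.append({
                "host": host,
                "user": event["user"],
                "first_seen": bucket[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "count": len(bucket),
                # Parent process summary helps decide whether a shell loop or a
                # legitimate application is driving the clipboard reads.
                "parents": dict(Counter(parent for _, parent in bucket)),
            })
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_pbpaste_bursts(SAMPLE_EVENTS):
        print(alert)
```

Only `mac-01` produces an alert on this data: its fifth `pbpaste` at 10:00:31 sits 31 seconds after the first, well inside the one-minute window, and the parent summary shows every execution came from `bash`, which is the scripted-loop pattern the rule targets. `mac-02` stays below the count and `mac-03` never accumulates five executions in any sixty-second span, matching the summary's description of what should and should not fire.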
Categories
  • Endpoint
  • macOS
  • Cloud
Data Sources
  • Pod
  • User Account
  • Application Log
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1056
Created: 2024-09-12