Remote Apple Events Enabled

Anvilogic Forge

Summary
This detection rule monitors for Remote Apple Events (RAE) being enabled on macOS systems. RAE extends Apple's Event Manager so that Apple Events, the inter-application messaging that scripting tools such as AppleScript rely on, can be sent to applications on another Mac over the network. An attacker who turns it on gains a built-in channel for remotely controlling applications and system processes, so enabling it outside of sanctioned administration is a notable security concern. The detection logic is a Splunk search that identifies execution of the 'systemsetup' command with arguments that enable Remote Apple Events (the -setremoteappleevents option with the value on); it returns the timestamp, hostname, username and details of the responsible process for analysis. Changing this setting with systemsetup requires the invoking process to hold Full Disk Access, so a hit implies the actor already has significant privileges on the host and the consequences of misuse are correspondingly high; monitoring its activation is therefore important for security teams.
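The following is an added example, not the Forge rule's own Splunk query, that implements the same detection logic in Python and runs it over constructed sample process events. Field names (_time, host, user, process, cmdline, parent) and the event shape are assumptions about what a macOS endpoint forwarder might emit; the point is the matching logic: systemsetup must be the executable, -setremoteappleevents must be followed by on, and get queries or -setremoteappleevents off must not fire.

```python
import json
import os
import shlex

# Constructed sample events (not real telemetry), one JSON object per line, in a
# shape loosely modelled on EDR/osquery process telemetry. Field names are assumed.
SAMPLE_EVENTS = """
{"_time": "2024-12-05T14:02:11Z", "host": "mac-finance-07", "user": "jdoe", "process": "/usr/sbin/systemsetup", "cmdline": "systemsetup -setremoteappleevents on", "parent": "/bin/bash"}
{"_time": "2024-12-05T14:03:40Z", "host": "mac-finance-07", "user": "jdoe", "process": "/usr/sbin/systemsetup", "cmdline": "systemsetup -getremoteappleevents", "parent": "/bin/bash"}
{"_time": "2024-12-05T14:05:02Z", "host": "mac-it-01", "user": "root", "process": "/usr/sbin/systemsetup", "cmdline": "sudo systemsetup -setremotelogin on", "parent": "/usr/bin/sudo"}
{"_time": "2024-12-05T14:06:17Z", "host": "mac-eng-22", "user": "build", "process": "/usr/sbin/systemsetup", "cmdline": "/usr/sbin/systemsetup -setremoteappleevents OFF", "parent": "/bin/zsh"}
{"_time": "2024-12-05T14:07:55Z", "host": "mac-eng-23", "user": "svc-mdm", "process": "/usr/sbin/systemsetup", "cmdline": "/usr/sbin/systemsetup -settimezone America/New_York -setremoteappleevents on", "parent": "/usr/local/bin/jamf"}
{"_time": "2024-12-05T14:08:30Z", "host": "mac-eng-24", "user": "alice", "process": "/usr/bin/osascript", "cmdline": "osascript -e 'tell application \\"Finder\\" to activate'", "parent": "/bin/zsh"}
"""

# Roughly what the same logic looks like as an SPL search (assumed illustration,
# not the published rule):
#   index=endpoint process="*systemsetup*" cmdline="*-setremoteappleevents*"
#   | regex cmdline="(?i)-setremoteappleevents\\s+on(\\s|$)"
#   | table _time host user process parent cmdline


def enables_remote_apple_events(cmdline: str) -> bool:
    """True when the command line turns Remote Apple Events on.

    Requires systemsetup as the executable (by basename, so sudo/full-path forms
    match) and the token after -setremoteappleevents to be 'on'. The option may
    sit anywhere in argv because systemsetup accepts several -set* options at once.
    -getremoteappleevents and '-setremoteappleevents off' do not match.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in telemetry; fall back to whitespace split
        argv = cmdline.split()
    if not any(os.path.basename(tok).lower() == "systemsetup" for tok in argv):
        return False
    lowered = [tok.lower() for tok in argv]
    for i, tok in enumerate(lowered):
        if tok == "-setremoteappleevents" and i + 1 < len(lowered) and lowered[i + 1] == "on":
            return True
    return False


def detect(events_text: str) -> list:
    """Run the rule over newline-delimited JSON events and return the fields an
    analyst needs for triage: timestamp, host, user and process details."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        if enables_remote_apple_events(evt.get("cmdline", "")):
            findings.append({
                "time": evt.get("_time"),
                "host": evt.get("host"),
                "user": evt.get("user"),
                "process": evt.get("process"),
                "parent": evt.get("parent"),
                "cmdline": evt.get("cmdline"),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} user={f['user']} parent={f['parent']} :: {f['cmdline']}")
```

Two of the six constructed events fire: the interactive enable from a shell on mac-finance-07 and the MDM-driven enable on mac-eng-23. The parent process is the first triage pivot; an enable spawned by a management agent under a service account is the expected benign pattern, whereas one spawned from an interactive shell deserves a look at what else that session did, since the invoking process must already have held Full Disk Access.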
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • Application Log
  • Command
ATT&CK Techniques
  • T1219
Created: 2024-12-05