
Summary
This anomaly rule detects macOS Gatekeeper bypass attempts by monitoring for two known techniques that could enable malware execution without the standard safeguards: (1) removing the com.apple.quarantine extended attribute with xattr (which bypasses the quarantine check on downloaded apps), and (2) disabling Gatekeeper with spctl --master-disable. It leverages osquery-based endpoint process auditing data (Endpoint.Processes) and a Splunk tstats query to surface processes whose command line or path contains both xattr and com.apple.quarantine, or both spctl and master-disable. The detection aggregates across a rich set of process and destination fields (dest, original_file_name, parent_process_id, process, process_exec, process_hash, process_path, user, etc.) and normalizes results with drop_dm_object_name and time-field formatting. A dedicated macos_gatekeeper_bypass_filter macro is applied to refine results. The rule is scoped to macOS endpoints and aligns with MITRE ATT&CK technique T1553.001. Implementation guidance references macOS process auditing with osquery and requires the TA-OSquery integration to populate the data model across indexers and forwarders. Known false positives occur when administrators legitimately disable Gatekeeper, so alerts should be triaged with operational context and user intent. References include the osquery process auditing documentation and macOS xattr/spctl resources. Drilldown searches are provided for a per-user/destination view and for recent risk events.
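The two match conditions described above, re-implemented outside Splunk as an added example (this is not the rule's own SPL or any Splunk/osquery code). It assumes process events already normalized to the Endpoint.Processes field names the summary lists (dest, user, process, process_path), runs the checks over a few constructed sample events, and models the macos_gatekeeper_bypass_filter as a pluggable suppression callback so the known administrator false positive can be handled at triage time.

```python
"""Minimal re-implementation of the macOS Gatekeeper bypass match logic.

Added example, not code from the detection rule or from Splunk/osquery.
Field names follow the Endpoint.Processes data model as named on the page;
all sample events below are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]

# Constructed sample process events in Endpoint.Processes style.
SAMPLE_EVENTS: List[Event] = [
    {"dest": "mac-01", "user": "alice",
     "process": "xattr -d com.apple.quarantine /Users/alice/Downloads/tool.app",
     "process_path": "/usr/bin/xattr"},
    {"dest": "mac-02", "user": "bob",
     "process": "sudo spctl --master-disable",
     "process_path": "/usr/sbin/spctl"},
    # Benign: xattr used without touching the quarantine attribute.
    {"dest": "mac-03", "user": "carol",
     "process": "xattr -l /Users/carol/notes.txt",
     "process_path": "/usr/bin/xattr"},
    # Benign: spctl queried, not disabled.
    {"dest": "mac-02", "user": "bob",
     "process": "spctl --status",
     "process_path": "/usr/sbin/spctl"},
]


def classify(event: Event) -> Optional[str]:
    """Return a reason label when the event matches either condition, else None.

    Condition (1): xattr AND com.apple.quarantine appear in the command line or path.
    Condition (2): spctl AND master-disable appear in the command line or path.
    Both checks are substring matches, case-insensitive, mirroring the summary.
    """
    haystack = " ".join(
        str(event.get(k, "")) for k in ("process", "process_path")
    ).lower()
    if "xattr" in haystack and "com.apple.quarantine" in haystack:
        return "quarantine_attribute_removal"
    if "spctl" in haystack and "master-disable" in haystack:
        return "gatekeeper_disabled"
    return None


def detect(
    events: List[Event],
    suppress: Callable[[Event], bool] = lambda e: False,
) -> List[Dict[str, str]]:
    """Run the matcher over events and return one finding per match.

    `suppress` stands in for the rule's macos_gatekeeper_bypass_filter macro:
    a callback returning True drops the event before it becomes a finding
    (e.g. a known administrative build host, decided by the operator).
    """
    findings = []
    for event in events:
        if suppress(event):
            continue
        reason = classify(event)
        if reason is None:
            continue
        findings.append({
            "dest": event.get("dest", ""),
            "user": event.get("user", ""),
            "process": event.get("process", ""),
            "technique": "T1553.001",
            "reason": reason,
        })
    return findings


def triage(finding: Dict[str, str], admin_users: frozenset = frozenset()) -> str:
    """Attach the operational-context hint the summary calls for.

    Administrators legitimately disabling Gatekeeper are the documented false
    positive, so findings from known admin accounts are marked for review
    rather than immediate escalation.
    """
    if finding["user"] in admin_users:
        return "review: known administrator, confirm intent"
    return "investigate"


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["dest"], f["user"], f["reason"], "->", triage(f, frozenset({"bob"})))
```

The substring checks deliberately do not require an argument order (the rule summary only requires both tokens to be present), so `xattr -d com.apple.quarantine` and a path-based match both fire, while `xattr -l` on an unrelated file and `spctl --status` do not.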
Categories
- Endpoint
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1553.001
Created: 2026-02-26