From aa341ab38f3c4fe3efecf4e993919dd64bc0d986 Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Thu, 26 Jan 2023 15:51:24 -0800
Subject: [PATCH] Support macOS file_event.

---
 tools/sigma/backends/limacharlie.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index b4ca4a49d..f5bd7d427 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -250,6 +250,24 @@ _allFieldMappings = {
             postOpMapper = _mapProcessCreationOperations,
             isCaseSensitive = ['event/FILE_PATH']
         ),
+        "macos/file_event/": SigmaLCConfig(
+            topLevelParams = {
+                "events": [
+                    "FILE_CREATE",
+                    "NEW_DOCUMENT",
+                ]
+            },
+            preConditions = {
+                "op": "is mac",
+            },
+            fieldMappings = {
+                "TargetFilename": "event/FILE_PATH",
+            },
+            isAllStringValues = False,
+            keywordField = None,
+            postOpMapper = None,
+            isCaseSensitive = ['event/FILE_PATH']
+        ),
     },
     "artifact": {
         "windows//": SigmaLCConfig(
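Review bot: The new `"macos/file_event/"` entry maps only `TargetFilename`, so a file_event rule that also constrains the originating process (`Image` or `CommandLine`, which many Sigma file_event rules do) has no mapping for those fields here, whereas the preceding entry in the hunk wires `postOpMapper = _mapProcessCreationOperations` for that case; depending on how the backend treats an unmapped field (not visible in this hunk), such a rule is either rejected or compiled without the process constraint, which widens the match. Consider mapping the process-path field too if the FILE_CREATE/NEW_DOCUMENT events carry it, or documenting the limitation on the entry. The pairing of `FILE_CREATE` and `NEW_DOCUMENT` also deserves a comment, e.g. `# NEW_DOCUMENT complements FILE_CREATE for document writes; confirm both cannot fire for the same path, which would double-report`. The enclosing `_allFieldMappings` dict starts and ends outside the hunk.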