From 451b3804ca2151b428c318ed98621c291b63029e Mon Sep 17 00:00:00 2001
From: shanembrown <21061399+shanembrown@users.noreply.github.com>
Date: Wed, 19 Nov 2025 14:19:35 -0600
Subject: [PATCH] adding workbrew_binary_removed.yaml as a custom analytic to monitor for workbrew binary deletion

---
 .../third_party/workbrew_binary_removed.yaml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 custom_analytic_detections/third_party/workbrew_binary_removed.yaml

diff --git a/custom_analytic_detections/third_party/workbrew_binary_removed.yaml b/custom_analytic_detections/third_party/workbrew_binary_removed.yaml
new file mode 100644
index 0000000..7aa62bd
--- /dev/null
+++ b/custom_analytic_detections/third_party/workbrew_binary_removed.yaml
@@ -0,0 +1,29 @@
+---
+name: Workbrew Binary Removed
+uuid: 59BE87C5-8816-4BD7-8043-5A69124F75CD
+longDescription:
+level: 0
+inputType: GPFSEvent
+tags: null
+snapshotFiles: []
+filter: (
+ $event.isModified == 1 AND
+ $event.process.signingInfo.appid == "com.apple.finder" AND
+ $event.prevFile.lastPathComponent == "brew" AND
+ $event.path.stringByDeletingLastPathComponent.lastPathComponent == ".Trash"
+)
+OR
+(
+ $event.type == 1 AND
+ $event.process.signingInfo.appid == "com.apple.rm" AND
+ $event.path.lastPathComponent == "brew"
+)
+actions: null
+context: []
+categories: []
+version: 0
+severity: Informational
+shortDescription: This detection functions by monitoring and report on the removal/deletion of the Workbrew binary.
+label: null
+remediation: null
+MitreCategories: null
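Review bot: The filter only fires when the deleting process is Finder moving `brew` into `.Trash` (`$event.process.signingInfo.appid == "com.apple.finder"`) or `/bin/rm` (`$event.process.signingInfo.appid == "com.apple.rm"`), so a removal of the binary by any other process or tool is not matched, and the bare `longDescription:` that should document this coverage limit parses as `null` rather than a string. Both branches also match any file named `brew` anywhere on disk, which is likely noisier than intended; if the Workbrew install location is known, constraining `$event.path` to that directory would cut false positives, and the note would belong in `longDescription` too. If `)`, `OR` and `(` genuinely sit at column 0, as the collapsed hunk suggests, a standard YAML parser will not fold them into the `filter:` value; writing the expression as a block scalar, `filter: >-` with every expression line indented beneath it, keeps the whole condition as one string regardless of loader. `shortDescription` should read "monitoring and reporting on the removal/deletion of the Workbrew binary".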