Add XProtect definitions for macOS

definitions/MacOS_XProtect_Detections.yaml

@@ -0,0 +1,32 @@
+Name: MacOS XProtect Detections
+Author: Matt Green - @mgreen27
+Description: |
+   This artifact provides details about XProtect detections on macOS.
+
+   macOS includes built-in antivirus technology called XProtect for 
+   the signature-based detection and removal of malware. The system 
+   uses YARA and behavorial signatures.
+
+Reference: https://www.huntress.com/blog/dmxprotect-stop-drop-shut-malware-down-before-it-opens-up-shop
+
+SQLiteIdentifyQuery: |
+  SELECT count(*) AS `Check`
+  FROM sqlite_master
+  WHERE type='table'
+    AND name='events';
+SQLiteIdentifyValue: 1
+
+Categories:
+  - MacOS
+
+FilenameRegex: "XPdb"
+Globs:
+  - "/private/var/protected/xprotect/XPdb"
+
+Sources:
+- VQL: |
+    SELECT *
+    FROM Rows
+
+  SQL: |
+    SELECT * FROM events