{ "_event_score": 10, "attributes": { "device": 0, "file_access_mode": 33261, "file_system_id": 16777220, "node_id": 4817, "owner_group_id": 0, "owner_group_name": "wheel", "owner_user_id": 0, "owner_user_name": "root" }, "exec_args": { "args": { "1": "/usr/libexec/od_user_homes", "2": ".Trashes" }, "args_compiled": "/usr/libexec/od_user_homes,.Trashes" }, "exec_chain_child": { "parent_path": "/usr/libexec/automountd", "parent_pid": 25113, "parent_uuid": "2EA50C03-B7D8-42C8-B3E2-4C69A2B5D3EB" }, "exec_env": { "env": { "ARCH": "macintosh", "CPU": "i386", "MALWAREBYTES_GROUP": "1ddbfe4b-cd4c-40fc-9c6e-2570cb96bc1d", "PATH": "/usr/bin:/bin:/usr/sbin:/sbin", "XPC_FLAGS": "0x0", "XPC_SERVICE_NAME": "0" }, "env_compiled": "XPC_SERVICE_NAME=0,MALWAREBYTES_GROUP=1ddbfe4b-cd4c-40fc-9c6e-2570cb96bc1d,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0,ARCH=macintosh,CPU=i386" }, "header": { "event_id": 23, "event_modifier": 0, "event_name": "AUE_EXECVE", "time_milliseconds_offset": 223, "time_seconds_epoch": 1571164212, "version": 11 }, "host_info": { "host_name": "Dan_macbook_pro", "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", "osversion": "Version 10.15 (Build 19A582a)", "primary_mac_address": "38:f9:e8:15:5a:82", "serial_number": "C03XY889JHG3" }, "identity": { "cd_hash": "707d307023c55cc510e33fc000cd2b4e0ac3fa48", "signer_id": "com.apple.automountd", "signer_id_truncated": 0, "signer_type": 1, "team_id": "", "team_id_truncated": 0 }, "path": [ "/usr/libexec/od_user_homes", "/usr/libexec/od_user_homes" ], "return": { "description": "success", "error": 0, "return_value": 0 }, "subject": { "audit_id": 4294967295, "audit_user_name": "-1", "effective_group_id": 0, "effective_group_name": "wheel", "effective_user_id": 0, "effective_user_name": "root", "group_id": 0, "group_name": "wheel", "process_hash": "4E6A40369544B0B87A7BF97AEF4DB7436092AC38", "process_id": 25601, "process_name": "/usr/libexec/od_user_homes", "session_id": 100000, "terminal_id": { "addr": [ 0 ], "ip_address": "0.0.0.0", "port": 0, "type": 0 }, "user_id": 0, "user_name": "root" } }