osquery-defense-kit/incident_response/recent_items.sql

-- Retrieves the list of recent items opened in OSX by parsing the plist per user.
--
-- interval: 86400
-- platform: darwin
-- value: Identify recently accessed items. Useful for compromised hosts.
-- version: 1.4.5
select
  username,
  key,
  value
from
  plist p,
  (
    select
      *
    from
      users
    where
      directory like '/Users/%'
  ) u
where
  p.path = u.directory || '/Library/Preferences/com.apple.recentitems.plist';