Handle "$HOME" placeholder in the IOC list

......@@ -69,6 +69,19 @@ foreach my $param (@ARGV) {
my $found = 0;
foreach my $glob (sort keys %ioc) {
my $incident = $ioc{$glob};
# Handle $HOME in globs to expand it to any user present on the system.
if ($glob =~ /\$HOME/) {
my @homes = `getent passwd | awk -F: '{print \$6}'`;
my @newglobs = ();
foreach my $home (@homes) {
my $globwithhome = $glob;
$globwithhome =~ s/\$HOME/$home/;
push(@newglobs, $globwithhome);
$glob = join(' ', @newglobs);
my @files = glob($glob);
foreach my $file (@files) {
if (-e $file) {
