Support for MacOS Unified Logging about integrations HOT 23 OPEN

This has been needed for a long time, we should definitely prioritize this.

from integrations.

While native MacOS Unified Logging support isn't currently supported or being worked on for Beats/Agent, there was a very popular tool called cmdReporter that people used to pull events from Unified Logging to send to a SIEM. That tool was acquired by Jamf and rebranded, but the good news is, we're about to ship an integration with Jamf Compliance Reporter to provide visibility into Mac events.

Relevant PR: #3210

from integrations.

While having the integration mentioned by @jamiehynds is great for those that use jamf, it doesn't help the rest of us that don't use that specific product.

So another vote for native support of ingesting security logs for macOS Unified Logging.

from integrations.

Process & auth events are definitely on my list. Also (may overlap with above):

• Gatekeeper events
• Xprotect events
• Apple script events
• sudo, logons, opendirectory events

Some other interesting events (from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/):

from integrations.

Unified Logging is also mentioned on (closed) elastic/beats#3109.

from integrations.

👍 for this. It is badly needed so you don't need to run a launchd just to dump the logs to disk for Filebeat to pick up.

from integrations.

I'm a little worried that this is going to languish, as we don't really have a "MacOS expert" and this is a MacOS api. @masci do you have any ideas for how to manage this?

from integrations.

It looks like there is an API since macOS 10.15. https://developer.apple.com/documentation/oslog

It would require cgo and objective-c to use the API.

from integrations.

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

from integrations.

Thanks for the feedback @defensivedepth - we're currently assessing some options to natively supported for Unified Logging. Could you share more information on your use case for the Unified Logs - e.g. are you mainly interested in process and authentication events, or any other event types you're interested in monitoring?

from integrations.

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

from integrations.

I'll just mention that there is a rust library put out by Mandiant to parse the Unified Log - https://github.com/mandiant/macos-UnifiedLogs

from integrations.

What is the real need here for the Apple Unified Logs? What would the goal be with these logs as opposed to what our macOS agent already provides? Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.

From a security perspective collecting Apple Unified Logging provides no real benefit aside from maybe in an incident response capacity collecting data after the fact. In addition to the many ESF events and custom/proprietary data sources our agent provides you can also implement our OSQuery integration with the agent to conduct and collect live queries of absolutely any data source macOS makes available via Unified Logs.

@defensivedepth Many of the use cases you pose from the Mandiant and Crowdstrike blogs are already covered by what our macOS agent provides utilizing Apple's ESF, or can be queried using OSQuery. The only events our agent doesn't currently collect are login/logout, session lock/unlock, screenattach, and session create/destroy all of which though we could collect and add to our agent with ESF if needed. These events though are more admin/policy focused and less helpful in actively detecting threat actor activity in real time. The events would be useful for Incident Response though or organization specific policy monitoring but like I said you can query this specific data via our agent OSQuery integration currently and we are adding the macOS login/authentication events (found here: https://developer.apple.com/documentation/endpointsecurity/endpointsecurity_structures) to our agent very soon.

from integrations.

All of that is not to say we shouldn't have an integration for macOS Unified Logging I think we should but with our agent and OSQuery there isn't a real need for it.

from integrations.

@DefSecSentinel

Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.

What specific Integration are you referring to?

from integrations.

macOS agent with the Elastic Defend integration installed (and OSQuery integration if wanted)

from integrations.

Can you post a link to the Elastic docs for Defend and ESF? I am not seeing anything.

I am running Elastic Agent + Defend on macOS and appear to just have File + Process + Network events:

from integrations.

As long as you have those 3 options checked you should be getting everything. What specifically are you looking for?

from integrations.

Ok, so to make sure I understand - if I want to detect when a new local user has been created or a configuration profile has been installed, I would need to get that through the File/Process/Network events? The ESF integration you are talking about doesn't create structured logs - like for example, EventID 4720 in the Security Event Channel on Windows is generated when a new local user is created.

from integrations.

Yes, there are a number of different queries or detections you could write to see whether a new user has been created or configuration profile has been added using process and file events.

ESF isn't an Elastic integration. It's a framework provided by Apple on macOS that allows our agent to subscribe to specific events (similar to how you can subscribe to events by event codes like 4720 on Windows). Create user is one of those ESF events (https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_user_t) we could subscribe to but don't currently.

Are you wanting to know in general if a new user gets created for policy reasons or if a new user gets created in a suspicious or abnormal manner?

from integrations.

For instance if you want to detect when a new user gets created programmatically (not via the GUI) you can search for the use of the dscl binary with the create flag:

process : "dscl" and process.args : "create"

from integrations.

For this particular issue, I think ingesting logs from the unified log system is the ask. You can get some info from EndpointSecurity framework, but its not the same as the log data.

from integrations.

Any update on this?

I'm asking because we have a customer making use of this MacOS app: https://github.com/SAP/macOS-enterprise-privileges. Logs for this get pushed to Apple Unified Log, and not sure if this is something we could pickup automatically or not.

There are options for Syslog, but this is only useful for devices that always have line-of-sight to the syslog server, which won't always be the case - so AUL would be the best method.

Thanks

from integrations.