Comments (23)
This has been needed for a long time, we should definitely prioritize this.
from integrations.
While native MacOS Unified Logging support isn't currently supported or being worked on for Beats/Agent, there was a very popular tool called cmdReporter that people used to pull events from Unified Logging to send to a SIEM. That tool was acquired by Jamf and rebranded, but the good news is, we're about to ship an integration with Jamf Compliance Reporter to provide visibility into Mac events.
Relevant PR: #3210
from integrations.
While having the integration mentioned by @jamiehynds is great for those that use jamf, it doesn't help the rest of us that don't use that specific product.
So another vote for native support of ingesting security logs for macOS Unified Logging.
from integrations.
Process & auth events are definitely on my list. Also (may overlap with above):
- Gatekeeper events
- Xprotect events
- Apple script events
- sudo, logons, opendirectory events
Some other interesting events (from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/):
Predicate | Description |
---|---|
process == “sudo” | Captures command line activity run with elevated privileges |
process == “logind” | Captures user login events |
process == “tccd” | Captures events that indicate permissions and access violations |
process == “sshd” | Captures successful, failed and general ssh activity |
process == “kextd” && sender == “IOKit” | Captures successful and failed attempts to add kernel extensions |
process == “screensharingd || process == “ScreensharingAgent”’ | Captures events that indicate successful or failed authentication via screen sharing |
process == “loginwindow” && sender == “Security” | Captures keychain.db unlock events |
process == “securityd” && eventMessage CONTAINS “Session ” && subsystem == “com.apple.securityd” | Captures session creation and destruction events |
from integrations.
Unified Logging is also mentioned on (closed) elastic/beats#3109.
from integrations.
👍 for this. It is badly needed so you don't need to run a launchd just to dump the logs to disk for Filebeat to pick up.
from integrations.
I'm a little worried that this is going to languish, as we don't really have a "MacOS expert" and this is a MacOS api. @masci do you have any ideas for how to manage this?
from integrations.
It looks like there is an API since macOS 10.15. https://developer.apple.com/documentation/oslog
It would require cgo and objective-c to use the API.
from integrations.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
from integrations.
Thanks for the feedback @defensivedepth - we're currently assessing some options to natively supported for Unified Logging. Could you share more information on your use case for the Unified Logs - e.g. are you mainly interested in process and authentication events, or any other event types you're interested in monitoring?
from integrations.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
from integrations.
I'll just mention that there is a rust library put out by Mandiant to parse the Unified Log - https://github.com/mandiant/macos-UnifiedLogs
from integrations.
What is the real need here for the Apple Unified Logs? What would the goal be with these logs as opposed to what our macOS agent already provides? Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.
From a security perspective collecting Apple Unified Logging provides no real benefit aside from maybe in an incident response capacity collecting data after the fact. In addition to the many ESF events and custom/proprietary data sources our agent provides you can also implement our OSQuery integration with the agent to conduct and collect live queries of absolutely any data source macOS makes available via Unified Logs.
@defensivedepth Many of the use cases you pose from the Mandiant and Crowdstrike blogs are already covered by what our macOS agent provides utilizing Apple's ESF, or can be queried using OSQuery. The only events our agent doesn't currently collect are login/logout, session lock/unlock, screenattach, and session create/destroy all of which though we could collect and add to our agent with ESF if needed. These events though are more admin/policy focused and less helpful in actively detecting threat actor activity in real time. The events would be useful for Incident Response though or organization specific policy monitoring but like I said you can query this specific data via our agent OSQuery integration currently and we are adding the macOS login/authentication events (found here: https://developer.apple.com/documentation/endpointsecurity/endpointsecurity_structures) to our agent very soon.
from integrations.
All of that is not to say we shouldn't have an integration for macOS Unified Logging I think we should but with our agent and OSQuery there isn't a real need for it.
from integrations.
Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.
What specific Integration are you referring to?
from integrations.
macOS agent with the Elastic Defend integration installed (and OSQuery integration if wanted)
from integrations.
Can you post a link to the Elastic docs for Defend and ESF? I am not seeing anything.
I am running Elastic Agent + Defend on macOS and appear to just have File + Process + Network events:
from integrations.
As long as you have those 3 options checked you should be getting everything. What specifically are you looking for?
from integrations.
Ok, so to make sure I understand - if I want to detect when a new local user has been created or a configuration profile has been installed, I would need to get that through the File/Process/Network events? The ESF integration you are talking about doesn't create structured logs - like for example, EventID 4720 in the Security Event Channel on Windows is generated when a new local user is created.
from integrations.
Yes, there are a number of different queries or detections you could write to see whether a new user has been created or configuration profile has been added using process and file events.
ESF isn't an Elastic integration. It's a framework provided by Apple on macOS that allows our agent to subscribe to specific events (similar to how you can subscribe to events by event codes like 4720 on Windows). Create user is one of those ESF events (https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_user_t) we could subscribe to but don't currently.
Are you wanting to know in general if a new user gets created for policy reasons or if a new user gets created in a suspicious or abnormal manner?
from integrations.
For instance if you want to detect when a new user gets created programmatically (not via the GUI) you can search for the use of the dscl binary with the create flag:
process : "dscl" and process.args : "create"
from integrations.
For this particular issue, I think ingesting logs from the unified log system is the ask. You can get some info from EndpointSecurity framework, but its not the same as the log data.
from integrations.
Any update on this?
I'm asking because we have a customer making use of this MacOS app: https://github.com/SAP/macOS-enterprise-privileges. Logs for this get pushed to Apple Unified Log, and not sure if this is something we could pickup automatically or not.
There are options for Syslog, but this is only useful for devices that always have line-of-sight to the syslog server, which won't always be the case - so AUL would be the best method.
Thanks
from integrations.
Related Issues (20)
- Palo Alto NGFW Integration throwing errors HOT 3
- [CSPM] Update documentation and manifest to include supported platforms
- [M365 Defender] Change `event.type` of `AlertInfo` HOT 1
- [AWS] Create AWS Health Integration package HOT 3
- [stormshield] Follow-up tasks for new integration HOT 1
- [AWS][Pipeline Test] Multiple pipeline Test failure due to event.category mappings HOT 11
- [Azure OpenAI] Add PTU Metrics Dashboard
- [Azure OpenAI] Enable Advance Logging
- [RFC] Crowdstrike unified Device ID HOT 3
- [EA Input] Adding support for Jamf as a provider
- [sql_input] Support for SAP Hana
- [Auth0] Update Auth0 Integration to use Management API for Log Ingestion HOT 1
- M365 Defender Integration: Rather than removing HKEY_CURRENT_USER and and HKEY_LOCAL_MACHINE, replace them with HKCU and HKLM to avoiding breaking detection rules HOT 2
- Microsoft Exchange Online Message Trace documentation HOT 1
- AWS Firehose endpoint returning 200 even when ingestion is failing
- [AWS] AWS ELB metrics integration OOTB Dashboard does not reflect ALBs data for Inbound and Outbound Traffic Visualisations HOT 1
- [Prometheus] Add HTTP config options to all data streams
- [Meta] AWS ELB Integration Improvements
- [Citrix ADC] Syslog messages are not according to documentation HOT 1
- Add full text search on specified fields in the Okta integration. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from integrations.