Comments (23)
This has been needed for a long time; we should definitely prioritize this.
from integrations.
While native macOS Unified Logging support isn't currently supported or being worked on for Beats/Agent, there was a very popular tool called cmdReporter that people used to pull events from Unified Logging to send to a SIEM. That tool was acquired by Jamf and rebranded, but the good news is, we're about to ship an integration with Jamf Compliance Reporter to provide visibility into Mac events.
Relevant PR: #3210
While having the integration mentioned by @jamiehynds is great for those that use Jamf, it doesn't help the rest of us that don't use that specific product.
So another vote for native support of ingesting security logs for macOS Unified Logging.
Process & auth events are definitely on my list. Also (may overlap with above):
- Gatekeeper events
- Xprotect events
- Apple script events
- sudo, logons, opendirectory events
Some other interesting events (from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/):
| Predicate | Description |
|---|---|
| `process == "sudo"` | Captures command line activity run with elevated privileges |
| `process == "logind"` | Captures user login events |
| `process == "tccd"` | Captures events that indicate permissions and access violations |
| `process == "sshd"` | Captures successful, failed and general ssh activity |
| `process == "kextd" && sender == "IOKit"` | Captures successful and failed attempts to add kernel extensions |
| `process == "screensharingd" \|\| process == "ScreensharingAgent"` | Captures events that indicate successful or failed authentication via screen sharing |
| `process == "loginwindow" && sender == "Security"` | Captures keychain.db unlock events |
| `process == "securityd" && eventMessage CONTAINS "Session " && subsystem == "com.apple.securityd"` | Captures session creation and destruction events |
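The predicate table above is what a collector would hand to `log show --predicate` (or `log stream`) and what a SIEM side would then want to classify. The following is an added example, not code from this issue thread, from Elastic, or from any integration: it builds the single `log show` command that covers every predicate in the table, and replays exported NDJSON records through Python equivalents of those predicates so the matching can be checked offline. Assumptions: `log show --style ndjson` emits one JSON object per line with `processImagePath`, `senderImagePath`, `subsystem` and `eventMessage` keys, and the predicate keys `process` and `sender` correspond to the basename of the two image paths; the `--last`, `--style` and `--predicate` flags are taken from the macOS log(1) man page. The sample records are constructed, not captured from a real host.

```python
"""Tag macOS Unified Log NDJSON records against the predicate table above.

Added example; not code from the issue thread, from Elastic or from any
integration. Assumed: `log show --style ndjson` emits one JSON object per
line with processImagePath, senderImagePath, subsystem and eventMessage,
and the predicate keys `process` / `sender` are the basenames of the two
image paths. SAMPLE_NDJSON below is constructed, not captured.
"""
import json
import os
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# The table's predicates with straight quotes, usable verbatim in --predicate.
LOG_PREDICATES: List[Tuple[str, str]] = [
    ('process == "sudo"', "command line activity run with elevated privileges"),
    ('process == "logind"', "user login events"),
    ('process == "tccd"', "permission and access decisions (TCC)"),
    ('process == "sshd"', "successful, failed and general ssh activity"),
    ('process == "kextd" && sender == "IOKit"', "kernel extension load attempts"),
    ('process == "screensharingd" || process == "ScreensharingAgent"', "screen sharing authentication"),
    ('process == "loginwindow" && sender == "Security"', "keychain.db unlock events"),
    ('process == "securityd" && eventMessage CONTAINS "Session " && subsystem == "com.apple.securityd"',
     "securityd session creation and destruction"),
]

# Python equivalents of LOG_PREDICATES, same order, for offline replay of an
# export (a real NSPredicate evaluator is out of scope for this example).
MATCHERS: List[Callable[[Record], bool]] = [
    lambda r: r["process"] == "sudo",
    lambda r: r["process"] == "logind",
    lambda r: r["process"] == "tccd",
    lambda r: r["process"] == "sshd",
    lambda r: r["process"] == "kextd" and r["sender"] == "IOKit",
    lambda r: r["process"] in ("screensharingd", "ScreensharingAgent"),
    lambda r: r["process"] == "loginwindow" and r["sender"] == "Security",
    lambda r: (r["process"] == "securityd" and "Session " in r["eventMessage"]
               and r["subsystem"] == "com.apple.securityd"),
]

# Constructed records in the shape of `log show --style ndjson` output.
SAMPLE_NDJSON = """\
{"timestamp":"2024-05-01 09:00:01.000000+0000","processImagePath":"/usr/bin/sudo","senderImagePath":"/usr/bin/sudo","subsystem":"","eventMessage":"alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l"}
{"timestamp":"2024-05-01 09:00:02.000000+0000","processImagePath":"/usr/sbin/sshd","senderImagePath":"/usr/sbin/sshd","subsystem":"","eventMessage":"Accepted publickey for alice from 192.0.2.10 port 51022 ssh2"}
{"timestamp":"2024-05-01 09:00:03.000000+0000","processImagePath":"/usr/libexec/kextd","senderImagePath":"/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit","subsystem":"","eventMessage":"Kext load request denied"}
{"timestamp":"2024-05-01 09:00:04.000000+0000","processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","senderImagePath":"/System/Library/Frameworks/Security.framework/Versions/A/Security","subsystem":"","eventMessage":"keychain unlocked"}
{"timestamp":"2024-05-01 09:00:05.000000+0000","processImagePath":"/usr/sbin/securityd","senderImagePath":"/usr/sbin/securityd","subsystem":"com.apple.securityd","eventMessage":"Session 100003 created"}
{"timestamp":"2024-05-01 09:00:06.000000+0000","processImagePath":"/Applications/Safari.app/Contents/MacOS/Safari","senderImagePath":"/Applications/Safari.app/Contents/MacOS/Safari","subsystem":"com.apple.WebKit","eventMessage":"page load"}
"""


def combined_predicate() -> str:
    """OR the table's predicates so one log show/stream call covers them all."""
    return " || ".join(f"({p})" for p, _ in LOG_PREDICATES)


def log_show_command(last: str = "1h") -> List[str]:
    """argv that exports the last <last> of matching records as NDJSON."""
    return ["log", "show", "--last", last, "--style", "ndjson",
            "--predicate", combined_predicate()]


def normalize(raw: Dict[str, object]) -> Record:
    """Derive the predicate keys `process` and `sender` from the image paths."""
    return {
        "timestamp": str(raw.get("timestamp", "")),
        "process": os.path.basename(str(raw.get("processImagePath", ""))),
        "sender": os.path.basename(str(raw.get("senderImagePath", ""))),
        "subsystem": str(raw.get("subsystem", "")),
        "eventMessage": str(raw.get("eventMessage", "")),
    }


def tag_records(ndjson_text: str) -> List[Dict[str, object]]:
    """Return only the records that match a table predicate, each with its tags."""
    tagged: List[Dict[str, object]] = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed line must not stop the rest of the export
        rec = normalize(raw)
        tags = [desc for (_, desc), match in zip(LOG_PREDICATES, MATCHERS) if match(rec)]
        if tags:
            tagged.append({**rec, "tags": tags})
    return tagged


if __name__ == "__main__":
    print("export command:", " ".join(log_show_command()))
    for row in tag_records(SAMPLE_NDJSON):
        print(row["timestamp"], row["process"], row["tags"])
```

On a Mac the `log_show_command()` argv can be run from a launchd job that appends to a file for Filebeat (the workaround mentioned later in this thread); `tag_records` is the part that would move server-side once records arrive.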
Unified Logging is also mentioned on (closed) elastic/beats#3109.
👍 for this. It is badly needed so you don't need to run a launchd just to dump the logs to disk for Filebeat to pick up.
I'm a little worried that this is going to languish, as we don't really have a "macOS expert" and this is a macOS API. @masci do you have any ideas for how to manage this?
It looks like there is an API since macOS 10.15. https://developer.apple.com/documentation/oslog
It would require cgo and objective-c to use the API.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Thanks for the feedback @defensivedepth - we're currently assessing some options to natively support Unified Logging. Could you share more information on your use case for the Unified Logs - e.g. are you mainly interested in process and authentication events, or any other event types you're interested in monitoring?
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
I'll just mention that there is a rust library put out by Mandiant to parse the Unified Log - https://github.com/mandiant/macos-UnifiedLogs
What is the real need here for the Apple Unified Logs? What would the goal be with these logs as opposed to what our macOS agent already provides? Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.
From a security perspective collecting Apple Unified Logging provides no real benefit aside from maybe in an incident response capacity collecting data after the fact. In addition to the many ESF events and custom/proprietary data sources our agent provides you can also implement our OSQuery integration with the agent to conduct and collect live queries of absolutely any data source macOS makes available via Unified Logs.
@defensivedepth Many of the use cases you pose from the Mandiant and Crowdstrike blogs are already covered by what our macOS agent provides utilizing Apple's ESF, or can be queried using OSQuery. The only events our agent doesn't currently collect are login/logout, session lock/unlock, screenattach, and session create/destroy, all of which we could collect and add to our agent with ESF if needed. These events, though, are more admin/policy focused and less helpful in actively detecting threat actor activity in real time. The events would be useful for incident response or organization-specific policy monitoring, but like I said, you can query this specific data via our agent OSQuery integration currently, and we are adding the macOS login/authentication events (found here: https://developer.apple.com/documentation/endpointsecurity/endpointsecurity_structures) to our agent very soon.
All of that is not to say we shouldn't have an integration for macOS Unified Logging. I think we should, but with our agent and OSQuery there isn't a real need for it.
Our macOS agent taps into the Apple Endpoint Security Framework (ESF:https://developer.apple.com/documentation/endpointsecurity) which allows us to collect just about anything you could want to access in the Unified Logs via dedicated events vs a filtered event stream.
What specific Integration are you referring to?
macOS agent with the Elastic Defend integration installed (and OSQuery integration if wanted)
Can you post a link to the Elastic docs for Defend and ESF? I am not seeing anything.
I am running Elastic Agent + Defend on macOS and appear to just have File + Process + Network events:
As long as you have those 3 options checked you should be getting everything. What specifically are you looking for?
Ok, so to make sure I understand - if I want to detect when a new local user has been created or a configuration profile has been installed, I would need to get that through the File/Process/Network events? The ESF integration you are talking about doesn't create structured logs - like for example, EventID 4720 in the Security Event Channel on Windows is generated when a new local user is created.
Yes, there are a number of different queries or detections you could write to see whether a new user has been created or configuration profile has been added using process and file events.
ESF isn't an Elastic integration. It's a framework provided by Apple on macOS that allows our agent to subscribe to specific events (similar to how you can subscribe to events by event codes like 4720 on Windows). Create user is one of those ESF events (https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_user_t) we could subscribe to but don't currently.
Are you wanting to know in general if a new user gets created for policy reasons or if a new user gets created in a suspicious or abnormal manner?
For instance if you want to detect when a new user gets created programmatically (not via the GUI) you can search for the use of the dscl binary with the create flag:
process : "dscl" and process.args : "create"
For this particular issue, I think ingesting logs from the unified log system is the ask. You can get some info from the EndpointSecurity framework, but it's not the same as the log data.
Any update on this?
I'm asking because we have a customer making use of this macOS app: https://github.com/SAP/macOS-enterprise-privileges. Logs for this get pushed to Apple Unified Log, and I'm not sure if this is something we could pick up automatically or not.
There are options for Syslog, but this is only useful for devices that always have line-of-sight to the syslog server, which won't always be the case - so AUL would be the best method.
Thanks