├── .gitignore ├── CODEOWNERS ├── LICENSE ├── README.md ├── custom_analytic_detections ├── README.md ├── adhoc_codesigning.yaml ├── airdrop_event_inbound.yaml ├── all_commandline_activity.yaml ├── all_curl_activity.yaml ├── all_sudo_commandline_activity.yaml ├── app_bundle_first_open.yaml ├── app_bundle_installed.yaml ├── app_bundle_trashed.yaml ├── applescript_dialog_activity.yaml ├── applescript_gather_clipboard.yaml ├── applescript_gather_system_information.yaml ├── bluetooth_file_exchange_event_inbound.yaml ├── caffeinate_on_interactive_commandline.yaml ├── crash_report_creation.yaml ├── dns_service_discovery.yaml ├── electron_app_code_injection.yaml ├── file_download_curl_insecure.yaml ├── filevault_authrestart.yaml ├── generic_file_copied_remote_destination.yaml ├── hidden_account_created_dscl.yaml ├── hosts_file_modification.yaml ├── installer_initiated_network_connection.yaml ├── jamf_connect │ └── jamfconnect_accpromo_activity.yaml ├── kernel_panic_occured.yaml ├── keychain_copied.yaml ├── keychain_dumped.yaml ├── known_vulnerable_log4j_jar_installation.yaml ├── launch_daemon_deleted.yaml ├── launchctl_unload_and_bootout.yaml ├── lockscreen_check.yaml ├── mdfind_search_aws_keys.yaml ├── mitmproxy_activity.yaml ├── nmap_scan_activity.yaml ├── packet_filter_modification.yaml ├── printer_activity.yaml ├── process_exec_from_volumes.yaml ├── scp_file_copied_remote_destination.yaml ├── sfltool_activity.yaml ├── smartcard_config_activity │ ├── smartcard_filevault_disabled.yaml │ ├── smartcard_filevault_enabled.yaml │ ├── smartcard_identity_paired.yaml │ ├── smartcard_identity_unpaired.yaml │ ├── smartcard_pin_changed.yaml │ └── smartcard_pin_verified.yaml ├── smb_mounted_via_commandline.yaml ├── sqlite3_downloads.yaml ├── sqlite3_fda.yaml ├── swift_oneline_command_execution.yaml ├── sysctl_activity.yaml ├── system_config_activity │ ├── application_firewall_config_changes.yaml │ ├── builtin_apache_disabled.yaml │ ├── builtin_apache_enabled.yaml │ ├── 
file_sharing_disabled.yaml │ ├── file_sharing_enabled.yaml │ ├── gatekeeper_config_changes.yaml │ └── root_user_enabled_or_password_changed.yaml ├── system_profiler_activity.yaml ├── systemsetup_activity.yaml ├── terminal_persistency.yaml ├── third_party │ ├── brew_activity.yaml │ └── privileges_elevation.yaml ├── threat_prevention_file_quarantine.yaml ├── timemachine_notencrypted.yaml ├── tmutil_activity.yaml ├── unsigned_dmg_detected.yaml ├── unsigned_keylogger_registered.yaml ├── unsigned_process_exec_from_volumes.yaml ├── usb_insertion_non_writable.yaml ├── user_created_by_dscl.yaml ├── user_deleted_by_dscl.yaml ├── user_privilege_escalation_by_dseditgroup_and_jamf_self_service.yaml ├── user_switched_on_command_line.yaml ├── webapp_created.yaml ├── xattr_extended_attributes_activity.yaml └── zshenv_create_modify.yaml ├── device_controls ├── README.md └── restrict_mobiledevices_syncing_with_finder │ ├── .GlobalPreferences.plist │ ├── Disable iOS_iPadOS Devices Finder Sync.mobileconfig │ └── README.md ├── helper_tools ├── README.md ├── jamf_protect_diagnostics │ ├── README.md │ ├── aws_s3 │ │ ├── README.md │ │ ├── jp_diagnostics_self_service.sh │ │ └── makefile │ ├── azure_files │ │ ├── README.md │ │ ├── images │ │ │ └── SASToken.png │ │ └── jp_diagnostics_self_service.sh │ └── google_cloud_storage │ │ ├── README.md │ │ ├── jp_diagnostics_self_service.sh │ │ └── makefile ├── jamf_protect_event_analysis │ ├── .gitignore │ ├── README.md │ ├── jp_event_analysis.py │ ├── jp_event_analysis_self_service.sh │ └── requirements.txt ├── re-enable_auditing │ ├── compliance_reporter │ │ └── re-enable-auditing.sh │ └── jamf_protect │ │ └── re-enable-auditing.sh └── sample_app_for_testing │ ├── README.md │ └── SampleApp.pkg ├── jamf_pro_extension_attributes ├── .template_jamf_protect_extension_attribute.sh ├── README.md ├── jamf_protect_JamfCloud_queue.sh ├── jamf_protect_LogFile_queue.sh ├── jamf_protect_WebProtection.sh ├── jamf_protect_analytic_detection_smart_group.sh ├── 
jamf_protect_application_crash_reports.sh ├── jamf_protect_application_running_type_and_status.sh ├── jamf_protect_application_status.sh ├── jamf_protect_autoUpdate.sh ├── jamf_protect_binary_version.sh ├── jamf_protect_http_queue.sh ├── jamf_protect_kafka_queue.sh ├── jamf_protect_last_check_in.sh ├── jamf_protect_last_check_in_compliance.sh ├── jamf_protect_last_insights_report.sh ├── jamf_protect_last_insights_report_compliance.sh ├── jamf_protect_log_level.sh ├── jamf_protect_plan_hash.sh ├── jamf_protect_plan_id.sh ├── jamf_protect_quarantined_files.sh ├── jamf_protect_syslog_queue.sh ├── jamf_protect_tamper_prevention.sh ├── jamf_protect_tamper_prevention_mode.sh ├── jamf_protect_tenant_name.sh └── jamf_protect_threat_prevention_version.sh ├── jamf_protect_api ├── README.md └── scripts │ ├── bash │ └── export_noncompliant_insights_per_computer.sh │ └── python │ ├── README.md │ ├── delete_computers_from_csv.py │ ├── export_alert_data.py │ ├── generate_computer_compliance_report.py │ ├── generate_computer_info_report.py │ ├── generate_device_controls_report.py │ ├── interactively_list_and_delete_computers_by_last_checkin.py │ ├── list_audit_logs.py │ ├── send_slack_webhook_analytics.py │ ├── send_teams_webhook_analytics.py │ ├── update_alert_status.py │ └── update_plan_analytics.py ├── json_samples_and_schemas ├── README.md ├── alerts │ ├── samples │ │ ├── .txt │ │ ├── GPClickEvent.json │ │ ├── GPDownloadEvent.json │ │ ├── GPFSEvent.json │ │ ├── GPGatekeeperEvent.json │ │ ├── GPPreventedExecutionEvent.json │ │ ├── GPProcessEvent.json │ │ ├── GPScreenshotEvent.json │ │ ├── GPThreatMatchExecEvent.json │ │ ├── GPUSBEvent.json │ │ ├── GPUnifiedLogEvent.json │ │ └── auth-mount.json │ └── schemas │ │ ├── GPClickEvent.json │ │ ├── GPDownloadEvent.json │ │ ├── GPFSEvent.json │ │ ├── GPGatekeeperEvent.json │ │ ├── GPPreventedExecutionEvent.json │ │ ├── GPProcessEvent.json │ │ ├── GPScreenshotEvent.json │ │ ├── GPThreatMatchExecEvent.json │ │ ├── GPUSBEvent.json │ │ ├── 
GPUnifiedLogEvent.json │ │ └── auth-mount.json ├── telemetry │ ├── samples │ │ ├── AUE_ACCEPT.json │ │ ├── AUE_BIND.json │ │ ├── AUE_CHDIR.json │ │ ├── AUE_CHROOT.json │ │ ├── AUE_CONNECT.json │ │ ├── AUE_EXECVE.json │ │ ├── AUE_EXIT.json │ │ ├── AUE_FORK.json │ │ ├── AUE_GETAUID.json │ │ ├── AUE_KILL.json │ │ ├── AUE_LISTEN.json │ │ ├── AUE_MAC_SET_PROC.json │ │ ├── AUE_MOUNT.json │ │ ├── AUE_PIDFORTASK.json │ │ ├── AUE_POSIX_SPAWN.json │ │ ├── AUE_PTRACE.json │ │ ├── AUE_REMOVE_FROM_GROUP.json │ │ ├── AUE_SESSION_CLOSE.json │ │ ├── AUE_SESSION_END.json │ │ ├── AUE_SESSION_START.json │ │ ├── AUE_SESSION_UPDATE.json │ │ ├── AUE_SETPRIORITY.json │ │ ├── AUE_SETSOCKOPT.json │ │ ├── AUE_SETTIMEOFDAY.json │ │ ├── AUE_SHUTDOWN.json │ │ ├── AUE_SOCKETPAIR.json │ │ ├── AUE_TASKFORPID.json │ │ ├── AUE_TASKNAMEFORPID.json │ │ ├── AUE_UNMOUNT.json │ │ ├── AUE_WAIT4.json │ │ ├── AUE_auth_user.json │ │ ├── AUE_logout.json │ │ ├── AUE_lw_login.json │ │ ├── AUE_ssauthint.json │ │ ├── AUE_ssauthmech.json │ │ └── AUE_ssauthorize.json │ └── schemas │ │ ├── AUE_ACCEPT.json │ │ ├── AUE_BIND.json │ │ ├── AUE_CHDIR.json │ │ ├── AUE_CHROOT.json │ │ ├── AUE_CONNECT.json │ │ ├── AUE_EXECVE.json │ │ ├── AUE_EXIT.json │ │ ├── AUE_FORK.json │ │ ├── AUE_GETAUID.json │ │ ├── AUE_KILL.json │ │ ├── AUE_LISTEN.json │ │ ├── AUE_MAC_SET_PROC.json │ │ ├── AUE_MOUNT.json │ │ ├── AUE_PIDFORTASK.json │ │ ├── AUE_POSIX_SPAWN.json │ │ ├── AUE_PTRACE.json │ │ ├── AUE_REMOVE_FROM_GROUP.json │ │ ├── AUE_SESSION_CLOSE.json │ │ ├── AUE_SESSION_END.json │ │ ├── AUE_SESSION_START.json │ │ ├── AUE_SESSION_UPDATE.json │ │ ├── AUE_SETPRIORITY.json │ │ ├── AUE_SETSOCKOPT.json │ │ ├── AUE_SETTIMEOFDAY.json │ │ ├── AUE_SHUTDOWN.json │ │ ├── AUE_SOCKETPAIR.json │ │ ├── AUE_TASKFORPID.json │ │ ├── AUE_TASKNAMEFORPID.json │ │ ├── AUE_UNMOUNT.json │ │ ├── AUE_WAIT4.json │ │ ├── AUE_auth_user.json │ │ ├── AUE_logout.json │ │ ├── AUE_lw_login.json │ │ ├── AUE_ssauthint.json │ │ ├── AUE_ssauthmech.json │ │ └── 
AUE_ssauthorize.json └── web_protection │ ├── samples │ ├── NetworkTrafficStream.json │ └── ThreatEventsStream.json │ └── schemas │ ├── NetworkTrafficStream.json │ └── ThreatEventsStream.json ├── soar_playbooks ├── README.md ├── aftermath_collection │ ├── .gitignore │ ├── README.md │ ├── aws_s3 │ │ ├── README.md │ │ ├── aftermath_collection.sh │ │ └── makefile │ ├── azure_files │ │ ├── README.md │ │ ├── aftermath_collection.sh │ │ └── images │ │ │ └── SASToken.png │ └── google_cloud_storage │ │ ├── README.md │ │ ├── aftermath_collection.sh │ │ └── makefile ├── custom_analytic_detections │ └── quarantined_file_acquisition_and_removal.sh └── endpoint_network_isolation │ ├── README.md │ ├── endpoint_network_isolation_enforce.sh │ ├── endpoint_network_isolation_revert.sh │ └── jamf_pro_extension_attribute_endpoint_network_isolation_status.sh ├── telemetry ├── README.MD └── simple_log_file_collection │ ├── README.MD │ └── img │ ├── cups_access_log.png │ └── jamf_log.png ├── third_party_integrations ├── README.md ├── ZTNA_Risk_Signaling │ ├── README.md │ └── aws_lambda │ │ ├── README.md │ │ ├── aws_lambda.py │ │ └── requests.zip ├── alerts_management │ ├── AWS │ │ ├── README.md │ │ ├── alerts_aws_jira.py │ │ ├── alerts_aws_slack.py │ │ └── alerts_aws_teams.py │ └── README.md └── data_management │ ├── README.md │ └── microsoft_sentinel │ ├── Analytics │ ├── MicrosoftSentinel-JamfProtect_All_Alerts.json │ └── MicrosoftSentinel-JamfProtect_Unified_Logs.json │ ├── Images │ ├── .Microsoft_Sentinel_Incidents_black.png │ ├── .Microsoft_Sentinel_Incidents_white.png │ ├── .Microsoft_Sentinel_Workbook_black.png │ └── .Microsoft_Sentinel_Workbook_white.png │ └── README.md └── unified_log_filters ├── .template_unified_log_filter ├── README.md ├── airdrop_transfer_outbound.yaml ├── application_firewall_logging.yaml ├── bluetooth_file_exchange_transfer_outbound.yaml ├── jamf_connect ├── cloud_idp_authentication_bypass_and_local_user_authentication.yaml ├── 
failed_authentication_via_jc.yaml ├── local_password_change_via_jc_attempt.yaml ├── local_password_change_via_jc_failure.yaml ├── local_password_change_via_jc_success.yaml ├── local_password_sync_via_jc_menu_bar_failure.yaml ├── mfa_through_jc_login_window_failure.yaml ├── privilege_elevation_all.yaml └── privilege_elevation_elevate_and_demote.yaml ├── jamf_pro ├── jamf_pro_management_binary_logging.yaml └── jamf_pro_management_framework_removal.yaml ├── jamf_trust ├── jamf_trust_disabled.yaml └── jamf_trust_enabled.yaml ├── lock_screen_unlock_failure.yaml ├── mdm_profile_manual_removal.yaml ├── modifications_dns_settings.yaml ├── root_user_enabled_or_password_changed.yaml └── third_party └── sap_privileges_user_rights_elevations_and_demotions.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .vscode 3 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @matt-taylor934 @txhaflaire @golbiga -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Jamf Open Source Community 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /custom_analytic_detections/README.md: -------------------------------------------------------------------------------- 1 | # Custom Analytic Detections 2 | Jamf Protect's Analytics feature provides the ability to generically detect sensitive, suspicious or malicious behaviour on Mac endpoints through logical analysis of events occurring across the system. 3 | 4 | In addition to the Analytics provided and managed by Jamf's Detections Team, customers are able to create and deploy Custom Analytics with the same feature functionality to meet the audit trail and threat hunting needs specific to their environment. 5 | 6 | Contained within this repository are predicates that can be used to create Custom Analytics that offer extended visibility and detection of events across macOS. Within each Custom Analytic object is: 7 | * A predicate expression 8 | * The required Sensor Event Type 9 | * The recommended Analytic Level setting 10 | * The recommended Severity 11 | 12 | More information on each of these settings can be found [here](https://docs.jamf.com/jamf-protect/documentation/Analytics.html). 13 | 14 | ## Creating a Custom Analytic in Jamf Protect from this repository 15 | Instructions for creating a Custom Analytic using the resources in this repository can be found [here](https://docs.jamf.com/jamf-protect/documentation/Creating_Analytics.html). 
16 | 17 | When creating a Custom Analytic from this repository it is helpful to use the **Filter Text View** option inside the Analytic Filter builder to simply paste in the predicate expression rather than build it using the Filter Query Builder View. 18 | 19 | # 20 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 21 | -------------------------------------------------------------------------------- /custom_analytic_detections/adhoc_codesigning.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AdhocCodesigning 3 | uuid: 51cb46e3-8ee4-4a2f-a019-83ba46f5f42a 4 | longDescription: The codesign utility has been executed to locally ad-hoc codesign a binary. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.security.codesign" AND 11 | $event.process.args.@count > 0 AND ((ANY $event.process.args IN {"--sign", "-s"}) AND(ANY $event.process.args == "-")) 12 | actions: 13 | - name: Log 14 | context: 15 | - exprs: 16 | - (event.process.args)[LAST] 17 | name: Ad-hoc signed App Bundle 18 | type: File 19 | - exprs: 20 | - (event.process.args)[LAST].file.signingInfo.cdhash.hexString 21 | name: Bundle CDHash 22 | type: String 23 | - exprs: 24 | - (event.process.args)[LAST].file.sha1hex 25 | name: Executable - SHA1HEX 26 | type: String 27 | - exprs: 28 | - event.file.contentsAsDict.Label 29 | name: Label 30 | type: String 31 | - exprs: 32 | - (event.process.args)[LAST].file.sha256hex 33 | name: Executable - SHA256HEX 34 | type: String 35 | categories: 36 | - Visibility 37 | version: 1 38 | severity: Informational 39 | shortDescription: Adhoc Codesigning 40 | label: Adhoc Codesigning 41 | remediation: Review the binary that has been ad-hoc signed and determine if it's unsafe. 
42 | MitreCategories: 43 | - Visibility 44 | 45 | -------------------------------------------------------------------------------- /custom_analytic_detections/airdrop_event_inbound.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AirdropInbound 3 | uuid: f0d7d630-c9a0-4ecf-ad8f-d91a83ce07b2 4 | longDescription: A file has been created by the sharingd service. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 3 AND $event.prevFile BEGINSWITH "/private/var/folders/" 10 | AND NOT $event.path MATCHES "(/Users/[^/]+/Library/Sharing/|/var/folders/).*" 11 | AND $event.process.signingInfo.appid == "com.apple.sharingd" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: Airdrop Event Inbound 20 | label: Airdrop Inbound 21 | remediation: null 22 | MitreCategories: 23 | - Visibility 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/all_commandline_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AllCommandlineActivity 3 | uuid: b5f40429-21c4-44e7-917f-e90f4be388c4 4 | longDescription: Activity on the commandline has been detected. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND $event.process.tty != nil AND 10 | $event.process.parent.isShell == 1 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: All commandline activity 19 | label: All commandline activity 20 | remediation: null 21 | MitreCategories: 22 | - Visibility 23 | -------------------------------------------------------------------------------- /custom_analytic_detections/all_curl_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AllCurlActivity 3 | uuid: ae84e018-e9fd-467e-9c24-f31ac949a63d 4 | longDescription: Curl activity has been detected. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND $event.process.path.lastPathComponent IN {"curl", "nscurl"} 10 | actions: 11 | - name: Log 12 | context: [] 13 | categories: 14 | - Visibility 15 | version: 1 16 | severity: Informational 17 | shortDescription: All curl activity 18 | label: All curl activity 19 | remediation: null 20 | MitreCategories: 21 | - Visibility 22 | 23 | -------------------------------------------------------------------------------- /custom_analytic_detections/all_sudo_commandline_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AllSudoCommandlineActivity 3 | uuid: 2ad6247d-5c06-4e60-b088-d00b4b2a1c6c 4 | longDescription: Sudo activity on the commandline has been detected. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND $event.process.tty != nil AND 10 | $event.process.signingInfo.appid == "com.apple.sudo" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: All sudo commandline activity 19 | label: All sudo commandline activity 20 | remediation: null 21 | MitreCategories: 22 | - Visibility 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/app_bundle_first_open.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppBundleFirstOpen 3 | uuid: 93675a41-5e57-4d87-b941-2d3f8d220bcf 4 | longDescription: This detection functions by monitoring for the creation of new directories on the OS containing .app in the name and within the directory used for App Translocation. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.isNewDirectory == 1 AND 10 | $event.path ENDSWITH[cd] ".app" AND 11 | $event.path BEGINSWITH "/Library/InstallerSandboxes/.PKInstallSandboxManager" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: App bundle first open 20 | label: App Bundle First Open 21 | remediation: null 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/app_bundle_installed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppBundleInstalled 3 | uuid: a106e8d5-ede7-42d2-a612-d0c304eac796 4 | longDescription: This detection functions by monitoring for the creation of new directories on the OS that contain a .app extension and are not created in either a Trash or the application sandbox 
directory. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 7 AND 10 | $event.isNewDirectory == 1 AND 11 | $event.path ENDSWITH[cd] ".app" AND NOT ($event.path CONTAINS ".Trash" OR $event.path BEGINSWITH "/Library/InstallerSandboxes/.PKInstallSandboxManager") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: Application bundle installed 20 | label: Application Bundle Installed 21 | remediation: null 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/app_bundle_trashed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppBundleTrashed 3 | uuid: 08fe8b4b-7f28-44ae-8b94-f969da542f44 4 | longDescription: This detection functions by monitoring for the creation of new directories on the OS in a path containing .Trash, indicating it was moved to trash. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.isModified == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.finder" AND 11 | $event.prevFile ENDSWITH[cd] ".app" AND 12 | $event.path.stringByDeletingLastPathComponent.lastPathComponent == ".Trash" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: Application bundle trashed 21 | label: Application Bundle Trashed 22 | remediation: null 23 | MitreCategories: 24 | - Visibility 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/applescript_dialog_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppleScriptDialogActivity 3 | uuid: 93c977ae-877d-4e62-94f3-f112f2686a14 4 | longDescription: This detection functions by monitoring for when AppleScript is being used to display a dialog and capturing user input with specific arguments that link to the keychain or the users password. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.osascript" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "display dialog") AND (ANY $event.process.args IN {"Keychain", "password", "credentials"})) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Credential Access 18 | version: 1 19 | severity: Informational 20 | shortDescription: The osascript binary has been launched to display a dialog and ask for user input. 
21 | label: AppleScript Dialog Activity 22 | remediation: null 23 | MitreCategories: 24 | - Collection 25 | - Reconnaissance 26 | - Execution 27 | - LivingOffTheLand 28 | 29 | -------------------------------------------------------------------------------- /custom_analytic_detections/applescript_gather_clipboard.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppleScriptClipboardActivity 3 | uuid: 96cea4cc-a944-4220-9f8d-99d91622a6f5 4 | longDescription: This detection functions by monitoring for when AppleScript is being used to potentially gather clipboard contents over a defined time period or to generate a dialogue box and request the user to enter the keychain password. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.osascript" AND 11 | $event.process.commandLine CONTAINS[c] "the clipboard" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Collection 17 | version: 1 18 | severity: Informational 19 | shortDescription: The osascript binary has been launched to capture the contents of the clipboard. 20 | label: AppleScript Clipboard Activity 21 | remediation: null 22 | MitreCategories: 23 | - LivingOffTheLand 24 | - CredentialAccess 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/applescript_gather_system_information.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: AppleScriptSystemInfoActivity 3 | uuid: 9ece2bff-1bc8-4a08-aaa1-df33c64bec0d 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.osascript' and process arguments containing "system info". 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.osascript" AND 11 | $event.process.commandLine CONTAINS[c] "system info" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Exploitation 17 | - Living Off The Land 18 | version: 1 19 | severity: Informational 20 | shortDescription: The osascript is used to gather the operating system version, current username, user ID, computer name, IP address, alongside other information. 21 | label: AppleScript System Info Activity 22 | remediation: null 23 | MitreCategories: 24 | - Collection 25 | - Discovery 26 | - CredentialAccess 27 | 28 | -------------------------------------------------------------------------------- /custom_analytic_detections/bluetooth_file_exchange_event_inbound.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: BleutoothFileExchangeInbound 3 | uuid: 1f1a1c74-750e-4a04-b766-73a7e6e66ee0 4 | longDescription: This detection functions by monitoring for file system activity in a known location by the OBEXAgent service and will provide the file name, save destination path and user involved. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 3 AND 10 | $event.process.signingInfo.appid == "com.apple.OBEXAgent" AND 11 | $event.prevFile CONTAINS "/com.apple.OBEXAgent/TemporaryItems/NSIRD_OBEXAgent" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: Bluetooth file exchange inbound 20 | label: Bluetooth File Exchange Inbound 21 | remediation: null 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/caffeinate_on_interactive_commandline.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CaffeinateOnInteractiveCommandline 3 | uuid: 207c6d15-e72d-467d-a87f-652a6060d864 4 | longDescription: Caffeinate activity has been detected on a interactive command line. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.tty != nil AND 11 | $event.process.parent.isShell == 1 AND 12 | $event.process.signingInfo.appid == "com.apple.caffeinate" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: Caffeinate on interactive commandline 21 | label: Caffeinate on interactive commandline 22 | remediation: null 23 | MitreCategories: 24 | - Visibility 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/crash_report_creation.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: CrashReportCreation 3 | uuid: 4a4d7215-f470-452d-b2ee-0a36b829598e 4 | longDescription: This detection functions by monitoring for the creation of the Crash Report files. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.isNewFile == 1 AND 10 | $event.path MATCHES[cd] "(:?/System|/Users/[\\w_\\.\\-]{1,83})?/Library/Logs/DiagnosticReports/.*\\.ips" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: The creation of a crash report has been detected. 19 | label: Crash Report Creation 20 | remediation: Review the crash report on the host system. Crash reports are not by nature related to malicious activity, but an unusual number of reports could indicate persistent malware that keeps crashing; they can also be useful for triaging issues on an end user's system. 21 | MitreCategories: 22 | - Visibility 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/dns_service_discovery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: DnsServiceDiscovery 3 | uuid: e209bb63-f433-48b4-a267-0906acee976a 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.dns-sd' and a process argument that matches ".*-B\\s\\_\\w.*?\\.\\_tcp". 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.dns-sd" AND 11 | $event.process.commandLine MATCHES ".*-B\\s\\_\\w.*?\\.\\_tcp" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: DNS Service Discovery detected 20 | label: DNS Service Discovery 21 | remediation: null 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/electron_app_code_injection.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ElectronAppCodeInjection 3 | uuid: 815a4d03-64fe-4b32-8ac4-21598f9d0bd7 4 | longDescription: This detection monitors attempts at code injection into Electron applications on macOS, particularly searching for the usage of the --inspect= argument, which could lead to a takeover of the macOS application's TCC permissions. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path CONTAINS ".app" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args IN {"--inspect=", "--remote-de-bugging-port"}) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - Privilege Escalation 19 | version: 1 20 | severity: Medium 21 | shortDescription: Code Injection into an Electron App has been detected 22 | label: Electron App Code Injection 23 | remediation: Review the responsible process for the execution of the Electron app and verify if this is legitimate or intended behavior. 
24 | MitreCategories: 25 | - DefenseEvasion 26 | - T1055 27 | 28 | -------------------------------------------------------------------------------- /custom_analytic_detections/file_download_curl_insecure.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: FileDownloadCurlInsecure 3 | uuid: bdc5b2ad-055c-416e-a808-26b6d00b347f 4 | longDescription: This detection functions by monitoring and reporting on attempts to use curl to download a file with the -k argument, which bypasses SSL/TLS certificate validation. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: ($event.process.path.lastPathComponent IN {"curl", "nscurl"} AND 10 | (ANY $event.process.args == "-k")) AND 11 | $event.type IN {0, 3, 4} 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: Curl has been used with the -k argument to download a file programmatically. 20 | label: File Download Curl Insecure 21 | remediation: Review where the file has been downloaded from. 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/filevault_authrestart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: FilevaultAuthRestart 3 | uuid: 40c2f55d-005b-476c-81ef-655d6a47d851 4 | longDescription: This detection functions by monitoring for processes created from a binary carrying the com.apple.fdesetup identifier and having 'authrestart' as a process argument, used to perform an authenticated restart. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.fdesetup" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args == "authrestart") 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: A Filevault Authenticated restart has been issued. 21 | label: Filevault Authenticated Restart 22 | remediation: null 23 | MitreCategories: 24 | - Visibility 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/generic_file_copied_remote_destination.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: GenericFileCopiedRemoteDestination 3 | uuid: 6faa776e-f2fc-40cc-b7b8-e96ee56387c4 4 | longDescription: This detection functions by monitoring when scp, sftp or rsync is used to copy a file to a remote destination. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.process.path.lastPathComponent IN {"scp", "rsync", "sftp"} AND 10 | $event.type == 2 AND 11 | $event.process.args.@count > 1 AND 12 | (ANY $event.process.args MATCHES ".*@.*") AND 13 | $event.process.exitCode == 0 14 | actions: 15 | - name: Log 16 | context: [] 17 | categories: 18 | - Visibility 19 | version: 1 20 | severity: Informational 21 | shortDescription: A file has been copied to a remote destination. 
22 | label: Generic File Copied to Remote Destination 23 | remediation: null 24 | MitreCategories: 25 | - Visibility 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/hidden_account_created_dscl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: HiddenAccountCreatedDscl 3 | uuid: 7ee555e8-d911-4918-a9f1-c919675d02c5 4 | longDescription: This detection functions by monitoring attempts to use dscl to create accounts that are hidden from the login window. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | ($event.process.path.lastPathComponent == "dscl" AND 11 | ((ANY $event.process.args == "IsHidden") AND (ANY $event.process.args == "-create") AND (ANY $event.process.args IN {"true", "1", "yes"}))) 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Persistence 18 | version: 1 19 | severity: Informational 20 | shortDescription: A hidden user has been created using dscl. 21 | label: Hidden Account Created DSCL 22 | remediation: null 23 | MitreCategories: 24 | - Persistence 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/hosts_file_modification.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: HostFileModification 3 | uuid: 7eea8332-eeb4-416f-92d8-cccef960f678 4 | longDescription: This detection functions by monitoring for modifications made to the /etc/hosts file. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.isModified == 1 AND 10 | $event.path ==[cd] "/private/etc/hosts" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | - System Tampering 17 | version: 1 18 | severity: Informational 19 | shortDescription: The /etc/hosts file has been modified. 20 | label: Hosts File Modification 21 | remediation: Review which process was responsible for modifying the hosts file to determine whether the change is legitimate or unsafe. 22 | MitreCategories: 23 | - Visibility 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/installer_initiated_network_connection.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: InstallerInitiatedNetworkConnection 3 | uuid: 834a7c7e-3fa1-46b3-b1f6-e907d6821a0b 4 | longDescription: This detection functions by monitoring for process creation of curl or nscurl where the responsible process is Installer and the parent process is a shell. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent IN {"curl", "nscurl"} AND 11 | $event.process.parent.isShell == true AND 12 | $event.process.responsible.path.lastPathComponent == "Installer" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - Privilege Escalation 19 | version: 1 20 | severity: Informational 21 | shortDescription: Installer has invoked curl or nscurl to connect to a remote destination. 22 | label: Installer Initiated Network Connection 23 | remediation: Review the context of the command to determine whether it is legitimate or unsafe behavior. 
24 | MitreCategories: 25 | - Execution 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/jamf_connect/jamfconnect_accpromo_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: JamfConnectAccPromoActivity 3 | uuid: caa020a3-03b1-4667-8401-0b0a426e523f 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.jamf.connect.tool' with process arguments containing "acc-promo --elevate". 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: event.process.signingInfo.appid == "com.jamf.connect.tool" AND 10 | $event.type == 1 AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "acc-promo") AND (ANY $event.process.args == "--elevate")) AND 13 | $event.process.responsible.signingInfo.teamid != "483DWKW443" AND 14 | $event.process.tty == nil 15 | actions: 16 | - name: Log 17 | context: [] 18 | categories: 19 | - Visibility 20 | - Jamf Connect 21 | version: 1 22 | severity: Informational 23 | shortDescription: A user's privileges have been escalated through the Jamf Connect command-line utility. 24 | label: Jamf Connect Acc Promo Activity 25 | remediation: null 26 | MitreCategories: 27 | - PrivilegeEscalation 28 | 29 | -------------------------------------------------------------------------------- /custom_analytic_detections/kernel_panic_occured.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: KernelPanicOccured 3 | uuid: 086473c0-28a6-4d5c-9dca-edc6c8f058e2 4 | longDescription: "This detection functions by monitoring for the deletion of the current.panic file. 
5 | NOTE: The current.panic file is initially written to disk after the device kernel panics, while Jamf Protect is not yet running: the machine is rebooting and the Protect system extension has not yet been enabled. The file is subsequently deleted after the user reaches the login window, and that deletion is the event Protect triggers on. If the machine does not restart, or the kernel panic causes memory corruption that prevents the machine from rebooting or powering on, this detection will not trigger." 6 | level: 0 7 | inputType: GPFSEvent 8 | tags: 9 | snapshotFiles: [] 10 | filter: $event.type == 1 AND 11 | $event.path ==[cd] "/private/var/db/PanicReporter/current.panic" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - System Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: A current.panic file has been deleted. 20 | label: Kernel Panic Occurred 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/keychain_copied.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: KeychainCopied 3 | uuid: 25b14366-08bd-473f-a7dd-6ff5818ffb84 4 | longDescription: This detection functions by monitoring for process activity using the mv, ditto or cp binaries to copy .keychain-db files to other locations; this should not happen with a healthy keychain. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent IN {'mv', 'ditto', 'cp'} AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args == ".keychain-db") 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - Credential Harvesting 19 | version: 1 20 | severity: Informational 21 | shortDescription: A user's keychain database has been copied. 
22 | label: Keychain Copied 23 | remediation: Review the path the keychain was copied to and whether the user initiated the copy on purpose. 24 | MitreCategories: 25 | - CredentialAccess 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/keychain_dumped.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: KeychainDumped 3 | uuid: 6fe79b15-aa2f-4bd5-a6c9-9192878f17b4 4 | longDescription: This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.security' and using the "dump-keychain" argument. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.security" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args == "dump-keychain") 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - Credential Harvesting 19 | version: 1 20 | severity: Informational 21 | shortDescription: A user's keychain database has been dumped. 22 | label: Keychain Dumped 23 | remediation: null 24 | MitreCategories: 25 | - CredentialAccess 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/known_vulnerable_log4j_jar_installation.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: KnownVulnerableLog4jJarInstallation 3 | uuid: 73647f5a-d508-4315-96fd-72798b3f82ea 4 | longDescription: This detection functions by monitoring for .jar files created on the host system that are known to be vulnerable to Log4Shell-related attacks. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 0 AND 10 | $event.path.pathExtension ==[cd] "jar" AND 11 | $event.path MATCHES ".*(apache-)?log4j-(\\d+(\\.|-)){1,3}((rc|beta)\\d+-)?(bin|alpha\\d+(-bin)?)/log4j-core-(?!2\\.3\\.[1-9]|2\\.17\\.[0-9]|2\\.12\\.[3-9])(\\d+(\\.|-)?){1,3}((alpha|beta|rc)\\d+)?\.jar" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - System Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: A .jar file has been created on the system. 20 | label: Known Vulnerable Log4j Jar Installation 21 | remediation: Review and cleanup the created .jar file. 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/launch_daemon_deleted.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: LaunchDaemonDeleted 3 | uuid: 5df4c897-743b-4555-9217-c062ecbe0b10 4 | longDescription: This detection functions by monitoring for deletion events on any files within known file paths for LaunchDaemons. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.path MATCHES[cd] "(:?/System|/Users/[\\w_\\.\\-]{1,83})?/Library/LaunchDaemons/.*\\.plist" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - System Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: A LaunchDaemon has been deleted. 
19 | label: LaunchDaemon Deleted 20 | remediation: null 21 | MitreCategories: null 22 | 23 | -------------------------------------------------------------------------------- /custom_analytic_detections/launchctl_unload_and_bootout.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: LaunchctlUnloadAndBootout 3 | uuid: cd5bb321-6c70-49f9-952b-a1da4f9c6b81 4 | longDescription: This detection functions by monitoring for processes created by the launchctl binary where a process argument contains the 'unload' or 'bootout' arguments. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xpc.launchctl" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args IN {"unload", "bootout"}) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - System Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: A service has been unloaded by launchctl. 21 | label: Launchctl Unload and Bootout 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/lockscreen_check.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: LockscreenCheck 3 | uuid: 6543d169-39a2-401d-bec8-684b7b50bc77 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.zgrep' or 'com.apple.grep', a process group leader carrying the signing information of 'com.apple.ioreg', and a process argument containing "CGSSession". 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent == "grep" AND 11 | (ANY $event.process.args == "CGSSession") AND 12 | $event.process.pgprocess.signingInfo.appid == "com.apple.ioreg" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - System Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The ioreg binary has been used to check whether the macOS lock screen is locked. 21 | label: Lockscreen Check 22 | remediation: null 23 | MitreCategories: 24 | - LivingOffTheLand 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/mdfind_search_aws_keys.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: MdfindSearchAwsKeys 3 | uuid: 97973a89-4d19-4281-8b57-fd3968bc4ba9 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.mdfind' with process arguments containing "*AKIA*". 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.mdfind" AND 11 | (ANY $event.process.args CONTAINS[c] "*AKIA*") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - CredentialAccess 17 | version: 1 18 | severity: Informational 19 | shortDescription: The mdfind binary has been used to search for files containing AWS access keys on the host system. 
20 | label: Mdfind Search AWS Keys 21 | remediation: null 22 | MitreCategories: 23 | - LivingOffTheLand 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/mitmproxy_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: MitmproxyActivity 3 | uuid: d11e55a2-c2de-4e1c-9d14-fba4ac7ebb0d 4 | longDescription: This detection functions by monitoring for when the mitmproxy process is launched, which can act as an intercepting proxy between a client and a server. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.name == "mitmproxy" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - System Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: The mitmproxy utility has been launched. 19 | label: Mitmproxy Activity 20 | remediation: null 21 | MitreCategories: 22 | - AdversaryInTheMiddle 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/nmap_scan_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: NmapScanActivity 3 | uuid: e707c00f-7d3b-45d1-a4ca-16d03b9af404 4 | longDescription: This detection functions by monitoring for process activity using the nmap binary with a command line matching the pattern "-sS -sV -Pn {IPRANGE} -p {PORTS}". 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent == "nmap" AND 11 | $event.process.commandLine MATCHES ".*nmap\\s+(?:-[sSVPn]{0,2}\\s+){0,3}?(?:\\d{1,3}\\.){3}?\\d{1,3}\\/\\d{1,2}\\s\\-p\\s(?:\\d+(?:\\,\\d+)*)?" 
12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: The nmap binary has been launched to scan IP ranges from an endpoint. 20 | label: Nmap Scan Activity 21 | remediation: null 22 | MitreCategories: 23 | - Discovery 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/packet_filter_modification.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: PacketFilterModification 3 | uuid: 5f1d941b-0eaa-4fb0-8754-e7074f3b4366 4 | longDescription: This detection functions by monitoring for processes created from a binary carrying the com.apple.pfctl identifier whose command line contains one of the following arguments: "-F all", "-d", "-e -f", "-e". 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.pfctl" AND 11 | ($event.process.commandLine CONTAINS "-F all" OR 12 | $event.process.commandLine CONTAINS "-d" OR 13 | $event.process.commandLine CONTAINS "-e -f" OR 14 | $event.process.commandLine CONTAINS "-e") OR 15 | $file.path == "/etc/pf.conf" AND 16 | $file.isModified == 1 17 | actions: 18 | - name: Log 19 | context: [] 20 | categories: 21 | - System Visibility 22 | version: 1 23 | severity: Informational 24 | shortDescription: The pfctl binary has been launched to make modifications to the packet filter on macOS. 
25 | label: Packet Filter Modification 26 | remediation: null 27 | MitreCategories: null 28 | 29 | -------------------------------------------------------------------------------- /custom_analytic_detections/printer_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: PrinterActivity 3 | uuid: 2f1e2ef0-05b3-48d7-a6fe-3b908c5ee010 4 | longDescription: This detection functions by monitoring for process creation involving binaries carrying the signing information of 'com.apple.socket', 'com.apple.ipp', 'com.apple.lpd', or 'com.apple.usb' with a responsible process creation involving a binary carrying the signing info of 'com.apple.cupsd'. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid IN {'com.apple.socket', 'com.apple.ipp', 'com.apple.lpd', 'com.apple.usb'} AND 11 | $event.process.responsible.signingInfo.appid == "com.apple.cupsd" 12 | actions: 13 | - name: Log 14 | context: 15 | - exprs: 16 | - event.process.commandLine 17 | name: print job command 18 | type: String 19 | categories: 20 | - System Visibility 21 | version: 1 22 | severity: Informational 23 | shortDescription: Print activity has been detected on the endpoint. 24 | label: Printer Activity 25 | remediation: null 26 | MitreCategories: null 27 | 28 | -------------------------------------------------------------------------------- /custom_analytic_detections/process_exec_from_volumes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ProcessExecFromVolumes 3 | uuid: ae87231b-58ff-48b6-8fca-87bdb34f8ab3 4 | longDescription: This detection functions by monitoring for process executions from within the /Volumes/ directory. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.process.path BEGINSWITH "/Volumes/" AND 10 | $event.type == 1 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: A process has been executed from within the /Volumes/ directory. 19 | label: Process Executions from Volumes 20 | remediation: null 21 | MitreCategories: null 22 | 23 | -------------------------------------------------------------------------------- /custom_analytic_detections/scp_file_copied_remote_destination.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ScpFileCopiedRemoteDestination 3 | uuid: cbf317a8-7d93-4464-bba6-667aa8c2813f 4 | longDescription: This detection functions by monitoring and reporting when scp is used to copy a file to a remote destination. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.process.path.lastPathComponent == "scp" AND 10 | $event.type == 1 AND 11 | $event.process.args.@count > 1 AND 12 | (ANY $event.process.args MATCHES ".*@.*") 13 | actions: 14 | - name: Log 15 | context: 16 | - exprs: 17 | - (event.process.args)[1] 18 | name: Source File 19 | type: File 20 | - exprs: 21 | - (event.process.args)[LAST] 22 | name: Destination 23 | type: String 24 | categories: 25 | - Visibility 26 | version: 1 27 | severity: Informational 28 | shortDescription: The scp binary has been used to transfer a file to a remote destination. 
29 | label: SCP File Copied to Remote Destination 30 | remediation: null 31 | MitreCategories: 32 | - Exfiltration 33 | 34 | -------------------------------------------------------------------------------- /custom_analytic_detections/sfltool_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SfltoolActivity 3 | uuid: 98aeced6-0922-4bc9-82ab-981d46035367 4 | longDescription: This detection functions by monitoring and reporting when sfltool is used either to dump the BackgroundTaskManagement database, identifying all login and background items currently configured on the system, or to reset all third-party Login Items and revert to installation defaults. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.sfltool" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args IN {"resetbtm", "dumpbtm"}) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The sfltool binary has been used to dump or reset BackgroundTaskManagement. 21 | label: SFLTool Activity 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_filevault_disabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardFilevaultEnabled 3 | uuid: 7dc32c42-294b-4628-8522-550ff10a747b 4 | longDescription: This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvdisable -u -h . 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND$event.process.commandLine CONTAINS " -o fvenable " 11 | $event.type == 1 AND 12 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND 13 | $event.process.commandLine CONTAINS " -o fvdisable " 14 | actions: 15 | - name: Log 16 | context: [] 17 | categories: 18 | - Visibility 19 | - Smartcard 20 | version: 1 21 | severity: Informational 22 | shortDescription: A smartcard has been disabled for Filevault authentication. 23 | label: Smartcard Filevault Disabled 24 | remediation: null 25 | MitreCategories: null 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_filevault_enabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardFilevaultEnabled 3 | uuid: ae775148-2516-47a7-9bb8-038816d6835a 4 | longDescription: This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth filevault -o fvenable -u -h . 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND$event.process.commandLine CONTAINS " -o fvenable " 11 | $event.type == 1 AND 12 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND 13 | $event.process.commandLine CONTAINS " -o fvenable " 14 | actions: 15 | - name: Log 16 | context: [] 17 | categories: 18 | - Visibility 19 | - Smartcard 20 | version: 1 21 | severity: Informational 22 | shortDescription: A smartcard has been enabled for Filevault authentication. 
23 | label: Smartcard Filevault Enabled 24 | remediation: null 25 | MitreCategories: null 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_identity_paired.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardIdentityPaired 3 | uuid: 015e7d9e-0d51-4644-ba8a-d8e7ac86d37a 4 | longDescription: This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth pair -u -h . 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND 11 | (ANY $event.process.args == "-p") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Smartcard 18 | version: 1 19 | severity: Informational 20 | shortDescription: A smartcard identity has been paired with a user. 21 | label: Smartcard Identity Paired 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_identity_unpaired.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardIdentityUnpaired 3 | uuid: 9dcb7012-6516-41f5-a972-5ddf56d5a6a0 4 | longDescription: This detection functions by monitoring the ctkbind process in macOS when a user runs /usr/sbin/sc_auth unpair -u -h . 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.ctkbind" AND 11 | (ANY $event.process.args == "-r") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Smartcard 18 | version: 1 19 | severity: Informational 20 | shortDescription: A smartcard identity has been unpaired from a user. 21 | label: Smartcard Identity Unpaired 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_pin_changed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardPinChanged 3 | uuid: 89094318-f588-4b1a-9fb3-80e77855847f 4 | longDescription: This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth changepin. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.pivpin" AND NOT 11 | (ANY $event.process.args == "-v") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Smartcard 18 | version: 1 19 | severity: Informational 20 | shortDescription: The PIN on a smartcard has been changed. 21 | label: Smartcard Pin Changed 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/smartcard_config_activity/smartcard_pin_verified.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmartcardPinVerified 3 | uuid: a8a0ef17-305e-47f9-a93f-76f6619130bc 4 | longDescription: This detection functions by monitoring the pivpin process in macOS when a user runs /usr/sbin/sc_auth verifypin. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.pivpin" AND 11 | (ANY $event.process.args == "-v") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Smartcard 18 | version: 1 19 | severity: Informational 20 | shortDescription: The PIN on a smartcard has been verified. 21 | label: Smartcard Pin Verified 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/smb_mounted_via_commandline.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SmbMountedFromCommandline 3 | uuid: c06ec9c1-69b0-499d-8e22-4d1f1299cbf4 4 | longDescription: This detection functions by monitoring and reporting on various attempts to mount SMB shares via the command line. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | ($event.process.path.lastPathComponent == "mount_smbfs" OR 11 | ($event.process.path.lastPathComponent == "open" AND (ANY $event.process.args BEGINSWITH "smb://")) OR 12 | ($event.process.path.lastPathComponent == "osascript" AND ((ANY $event.process.args == "osascript") AND (ANY $event.process.args CONTAINS "mount") AND (ANY $event.process.args CONTAINS "smb://")))) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: An SMB mount operation occurred. 
21 | label: SMB Mounted via Commandline 22 | remediation: null 23 | MitreCategories: 24 | - LateralMovement 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/sqlite3_downloads.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Sqlite3Downloads 3 | uuid: 1ab0e8aa-0625-49c8-96d1-8ba9868e2813 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "com.apple.LaunchServices.QuarantineEventsV" and "LSQuarantineEvent". 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.sqlite3" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "com.apple.LaunchServices.QuarantineEventsV") AND (ANY $event.process.args == "LSQuarantineEvent")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The sqlite3 binary is used to view the URLs associated with downloaded files. 21 | label: SQLite3 Downloads 22 | remediation: null 23 | MitreCategories: 24 | - LivingOffTheLand 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/sqlite3_fda.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Sqlite3Fda 3 | uuid: 2cd33ab1-a437-4653-9b90-bcaf67a4642e 4 | longDescription: This detection functions by monitoring for process creation involving a binary carrying the signing information of 'com.apple.sqlite3' and process arguments containing "tcc.db" and "kTCCServiceSystemPolicyAllFiles". 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.sqlite3" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "tcc.db") AND (ANY $event.process.args == "kTCCServiceSystemPolicyAllFiles")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The sqlite3 binary is used to interact with the TCC database to show apps with full disk access. 21 | label: SQLite3 Full Disk Access 22 | remediation: null 23 | MitreCategories: 24 | - LivingOffTheLand 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/swift_oneline_command_execution.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SwiftOnelineCommandExecution 3 | uuid: ac2f1d7a-56b8-4956-ab4f-7562d320e816 4 | longDescription: This detection functions by monitoring and report when the swift CLI is used to execute a arbitrary command using the -e argument that has been implemented in Swift 5.8. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent == "swift" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args == "-e") 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The swift binary is used to execute a arbitrary command. 
21 | label: Swift Oneline Command Execution 22 | remediation: null 23 | MitreCategories: 24 | - LivingOffTheLand 25 | - Execution 26 | - DefenseEvasion 27 | 28 | -------------------------------------------------------------------------------- /custom_analytic_detections/sysctl_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SysctlActivity 3 | uuid: 5e9650bc-6071-40c5-8ff0-25fc5b665a53 4 | longDescription: This detection functions by monitoring process creation involving a binary carrying the signing information of 'com.apple.sysctl' that have an associated TTY. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.tty != nil AND 11 | $event.process.signingInfo.appid == "com.apple.sysctl" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: The sysctl binary is used in a interactive shell to retrieve macOS hardware information. 20 | label: Sysctl Activity 21 | remediation: null 22 | MitreCategories: 23 | - LivingOffTheLand 24 | - Discovery 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/application_firewall_config_changes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ApplicationFirewallConfigChanges 3 | uuid: f501f7d7-b89d-4eca-a972-a17539d71a11 4 | longDescription: This detection functions by monitoring for usage of the socketfilterfw binary used with specific binary verbs that reduce or entirely disable the security provided by the Application Firewall. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.socketfilterfw" AND 11 | $event.process.args.@count > 0 AND 12 | (((ANY $event.process.args IN {"--setglobalstate", "--setloggingmode", "--setblockall"}) AND (ANY $event.process.args == "off")) OR (ANY $event.process.args IN {"--unblockapp", "--remove"})) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - System Changes 19 | version: 1 20 | severity: Low 21 | shortDescription: The socketfilterfw binary has been used to make changes to the application firewall. 22 | label: Application Firewall Configuration Changes 23 | remediation: null 24 | MitreCategories: null 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/builtin_apache_disabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: BuiltinApacheDisabled 3 | uuid: 161b7713-732c-4ef5-800e-501865e31f74 4 | longDescription: This detection functions by monitoring for a launchctl command executed by macOS when a user disabled httpd via /usr/sbin/apachectl 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xpc.launchctl" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "unload") AND (ANY $event.process.args == "/System/Library/LaunchDaemons/org.apache.httpd.plist")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - System Changes 19 | version: 1 20 | severity: Informational 21 | shortDescription: The launchctl has been used to unload and disable the httpd for Apache. 
22 | label: Builtin Apache Disabled 23 | remediation: null 24 | MitreCategories: null 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/builtin_apache_enabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: BuiltinApacheEnabled 3 | uuid: e0fd4469-1b85-4f39-877c-1f618baa20d8 4 | longDescription: This detection functions by monitoring for a launchctl command executed by macOS when a user enables httpd via /usr/sbin/apachectl 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xpc.launchctl" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "load") AND (ANY $event.process.args == "/System/Library/LaunchDaemons/org.apache.httpd.plist")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - System Changes 19 | version: 1 20 | severity: Informational 21 | shortDescription: The launchctl has been used to load and enable the httpd for Apache. 22 | label: Builtin Apache Enabled 23 | remediation: null 24 | MitreCategories: null 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/file_sharing_disabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: FileSharingDisabled 3 | uuid: e363547c-1c36-462b-8a41-878c0d2f4729 4 | longDescription: This detection functions by monitoring for a launchctl command executed by macOS when a user toggles the File Sharing feature off inside System Preferences > Sharing. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xpc.launchctl" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "unload") AND (ANY $event.process.args == "/System/Library/LaunchDaemons/com.apple.smbd.plist")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - System Changes 19 | version: 1 20 | severity: Informational 21 | shortDescription: File Sharing has been disabled. 22 | label: File Sharing Disabled 23 | remediation: null 24 | MitreCategories: null 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/file_sharing_enabled.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: FileSharingEnabled 3 | uuid: 3fef5ea1-2737-497a-b1c4-e3532d5826e0 4 | longDescription: This detection functions by monitoring for a launchctl command executed by macOS when a user toggles the File Sharing feature on inside System Preferences > Sharing. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xpc.launchctl" AND 11 | $event.process.args.@count > 0 AND 12 | ((ANY $event.process.args == "load") AND (ANY $event.process.args == "/System/Library/LaunchDaemons/com.apple.smbd.plist")) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | - System Changes 19 | version: 1 20 | severity: Informational 21 | shortDescription: File Sharing has been enabled. 
22 | label: File Sharing Enabled 23 | remediation: null 24 | MitreCategories: null 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/gatekeeper_config_changes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: GatekeeperConfigChanges 3 | uuid: 027a48ee-bcc8-4e1d-bc08-c5ecf705ca44 4 | longDescription: This detection functions by monitoring for usage of the spctl binary used with specific binary verbs that reduce or entirely disable the security provided by Gatekeeper. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.spctl" AND 11 | (ANY $event.process.args IN {"--global-disable", "--master-disable", "--disable", "--remove"}) 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - System Changes 18 | version: 1 19 | severity: Low 20 | shortDescription: The spctl binary has been used to disable Gatekeeper. 21 | label: Gatekeeper Configuration Changes 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_config_activity/root_user_enabled_or_password_changed.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: RootUserEnabledOrPasswordChanged 3 | uuid: 80f3ef6c-fb39-428f-8bc4-7605561ae85f 4 | longDescription: This detection functions by monitoring for expected changes made to the /var/db/dslocal/nodes/Default/users/root.plist file when these events occur. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.path == "/var/db/dslocal/nodes/Default/users/root.plist" AND 10 | $event.isModified == 1 AND 11 | $event.file.contentsAsDict.accountPolicyData.asPlistDict.passwordLastSetTime != $event.file.snapshotData.asPlistDict.accountPolicyData.asPlistDict.passwordLastSetTime 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - System Changes 18 | version: 1 19 | severity: Low 20 | shortDescription: The root user has either been enabled or a new password has been set. 21 | label: Root User Enabled or Password Changed 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/system_profiler_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SystemProfilerActivity 3 | uuid: ef541e88-ef49-4089-a009-f943cd4df90b 4 | longDescription: This detection functions by monitoring process creation involving a process path where the last path component is system_profiler, No TTY is assigned and at least one argument is provided that matches "SPHardwareDataType" 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.tty == nil AND 11 | $event.process.path.lastPathComponent == "system_profiler" 12 | $event.process.args.@count > 0 AND 13 | (ANY $event.process.args IN {"SPHardwareDataType", "SPSoftwareDataType", "SPDisplayDataType"}) AND 14 | $event.process.responsible.signingInfo.signerType IN {3, 4} 15 | actions: 16 | - name: Log 17 | context: [] 18 | categories: 19 | - Visibility 20 | version: 1 21 | severity: Informational 22 | shortDescription: The system_profiler binary is used in a non-interactive shell and prints hardware related information and the responsible process is not signed. 
23 | label: System Profiler Activity 24 | remediation: null 25 | MitreCategories: 26 | - LivingOffTheLand 27 | - Discovery 28 | 29 | -------------------------------------------------------------------------------- /custom_analytic_detections/systemsetup_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SystemsetupActivity 3 | uuid: 1c43d0f9-4073-4fa1-8f06-be8e9e0c6661 4 | longDescription: This detection functions by monitoring and report when systemsetup is being used to either either enable or disable remotelogin or appleremoteevents, systemsetup can be used to enable SSH for remote login but also can be used to enable Remote Apple Events. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.systemsetup" AND 11 | $event.process.args.@count > 0 AND 12 | (ANY $event.process.args IN {"setremoteappleevents", "setremotelogin"}) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The systemsetup binary is used to enable or disable remote events. 21 | label: Systemsetup Activity 22 | remediation: null 23 | MitreCategories: 24 | - LateralMovement 25 | 26 | -------------------------------------------------------------------------------- /custom_analytic_detections/terminal_persistency.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: TerminalPersistency 3 | uuid: 64e86201-a39d-4cfb-ad63-aeb778f5604d 4 | longDescription: This detection functions by monitoring and report when a shell command has been configured in the Terminal preferences, a tactic an adversary might employ for persistence. Specifically, this command then executes every time a Terminal session starts. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.path CONTAINS "/Library/Preferences/com.apple.Terminal.plist" AND 10 | $event.type == 4 AND 11 | $event.file.contentsAsDict."Window Settings".Basic.CommandString != nil 12 | actions: 13 | - name: Log 14 | context: 15 | - exprs: 16 | - (event.file.contentsAsDict."Window Settings".Basic.CommandString) 17 | name: Terminal Shell Command 18 | type: String 19 | categories: 20 | - Visibility 21 | version: 1 22 | severity: Low 23 | shortDescription: The preferences of the Terminal application has been modified and a start-up Command String has been added. 24 | label: Terminal Persistency 25 | remediation: Review the Terminal Shell Command to define if this is intended by the user or if an adversary attempts to gain persistence. 26 | MitreCategories: 27 | - Persistence 28 | - LivingOffTheLand 29 | 30 | -------------------------------------------------------------------------------- /custom_analytic_detections/third_party/brew_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: BrewActivity 3 | uuid: b81eaa0f-9daf-49e6-894f-3cc0fbedb5d0 4 | longDescription: This detection functions by monitoring and report on any activity involving the use of brew with additional arguments, although this one is looking for brew being installed on the default location. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.path.lastPathComponent == "bash" AND 11 | $event.process.parent.isShell == 1 AND 12 | $event.process.args.@count > 4 AND 13 | (ANY $event.process.args == "/opt/homebrew/bin/brew") 14 | actions: 15 | - name: Log 16 | context: [] 17 | categories: 18 | - Visibility 19 | - Third Party 20 | version: 1 21 | severity: Informational 22 | shortDescription: The package manager brew has been invoked. 
23 | label: Brew Activity 24 | remediation: null 25 | MitreCategories: null 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/third_party/privileges_elevation.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: SapPrivilegesElevation 3 | uuid: e62605ea-4072-4e47-a755-280a325bf04b 4 | longDescription: This detection functions by monitoring and report when an end-user has used Privileges.app to elevate administrator or demote to standard user, this alternative can be used if Unified Logging is not an option. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: null 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "corp.sap.privileges" AND 11 | $event.process.signingInfo.teamid == "7R5ZEU67FQ" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | - Third Party 18 | version: 1 19 | severity: Informational 20 | shortDescription: The utility Privileges has been used to elevate or demote privileges. 21 | label: SAP Privileges Elevation 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/threat_prevention_file_quarantine.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ThreatPreventionFileQuarantine 3 | uuid: 9c143b3c-7dfc-48a0-9ad2-3de72212c978 4 | longDescription: This detection functions by monitoring for new file creations in the Jamf Protect file quarantine directory /Library/Application Support/JamfProtect/Quarantine. 
5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type IN {0, 3, 7} AND 10 | $event.path MATCHES[c] "/Library/Application Support/JamfProtect/Quarantine/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[^/]+" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - KnownMalware 16 | - Known Malicious File 17 | version: 1 18 | severity: Informational 19 | shortDescription: Threat Prevention detected known malware via a signature match and the offending file is contained and moved to the quarantine directory. 20 | label: Threat Prevention File Quarantine 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/timemachine_notencrypted.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: TimeMachineNotEncrypted 3 | uuid: 42a8b84e-f8c3-4397-b929-4010dea8a483 4 | longDescription: This detection functions by monitoring and report when a Time Machine is configured and the last known encryption state is not encrypted. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.path == "/Library/Preferences/com.apple.TimeMachine.plist" AND 10 | $event.type IN {0, 3, 4} AND 11 | $event.file.contentsAsDict.LastKnownEncryptionState != "Encrypted" 12 | actions: 13 | - name: Log 14 | context: 15 | - exprs: 16 | - event.file.contentsAsDict.LastKnownEncryptionState 17 | name: Last Known Encryption State 18 | type: String 19 | - exprs: 20 | - event.file.contentsAsDict.LastKnownVolumeName 21 | name: Last Known Volume Name 22 | type: String 23 | categories: 24 | - Visibility 25 | version: 1 26 | severity: Informational 27 | shortDescription: A Time Machine has been setup and is marked as being not encrypted. 
28 | label: Time Machine Not Encrypted 29 | remediation: null 30 | MitreCategories: null 31 | 32 | -------------------------------------------------------------------------------- /custom_analytic_detections/tmutil_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: TmutilActivity 3 | uuid: 1582c158-aacc-4ffb-8ded-62e10fd8b58d 4 | longDescription: This detection functions by monitoring and report when tmutil is utilized outside of an interactive command line for specific purposes, either to delete all local snapshots using the deletelocalsnapshots argument with / as the mount point, or when the delete argument is used to remove a Time Machine backup from an external volume. Such actions could potentially indicate adversarial behavior, as an attacker might perform these operations to impede file restoration by the victim in the event of a ransomware attack. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.timemachine.tmutil" AND 11 | $event.process.tty == nil AND 12 | $event.process.args.@count > 0 AND 13 | (((ANY $event.process.args == "deletelocalsnapshots") AND (ANY $event.process.args == "/")) OR (ANY $event.process.args == "delete")) 14 | actions: 15 | - name: Log 16 | context: [] 17 | categories: 18 | - Visibility 19 | version: 1 20 | severity: Low 21 | shortDescription: The tmutil binary has been used to delete local snapshots from a endpoint or deletes a backup from a external volume. 22 | label: TMUtil Activity 23 | remediation: Review if this activity was initiated by the user, if not review the processes that were responsible. 
24 | MitreCategories: 25 | - LivingOffTheLand 26 | 27 | -------------------------------------------------------------------------------- /custom_analytic_detections/unsigned_dmg_detected.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UnsignedDmgDetected 3 | uuid: fd394560-6603-4dca-a20f-79d3a84b9dbd 4 | longDescription: This detection functions by monitoring and report on dmg files being created where the object is not signed and not created by Disk Utility. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 0 AND 10 | $event.file.path.pathExtension == "dmg" AND 11 | $event.file.signingInfo.signerType == 4 AND NOT 12 | (("com.apple.quarantine" IN $event.file.xattrs) AND $event.file.isQuarantined == 1) 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Low 20 | shortDescription: A unsigned Disk Image has been created or downloaded. 21 | label: Unsigned Dmg Detected 22 | remediation: Carefully review the contents of the Disk Image. 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/unsigned_keylogger_registered.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UnsignedKeyloggerRegistered 3 | uuid: 8fcd60e1-8d6f-439f-82d5-100aa783f318 4 | longDescription: This detection functions by monitoring for keylogger registration events where the signing information of the keylogger is unable to be obtained or verified. 5 | level: 0 6 | inputType: GPKeylogRegisterEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.source.signingInfo.signerType == 4 10 | actions: 11 | - name: Log 12 | context: [] 13 | categories: 14 | - Visibility 15 | version: 1 16 | severity: Medium 17 | shortDescription: A unsigned keylogger has registered on the endpoint. 
18 | label: Unsigned Keylogger Registered 19 | remediation: null 20 | MitreCategories: null 21 | 22 | -------------------------------------------------------------------------------- /custom_analytic_detections/unsigned_process_exec_from_volumes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UnsignedProcessExecFromVolumes 3 | uuid: e26b8ec7-04cb-464e-9875-a65797560602 4 | longDescription: This detection functions by monitoring and report into unsigned processes executions from within the /Volumes/ directory. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.process.path BEGINSWITH "/Volumes/" AND 10 | $event.type == 1 AND 11 | $event.process.signingInfo.signerType == 4 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: A unsigned process has been executed from the /Volumes/ directory. 20 | label: Unsigned Process Execution from Volumes 21 | remediation: Review the unsigned process and verify if the user on purpose launched it from within this directory. 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/usb_insertion_non_writable.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UsbInsertionNonWritable 3 | uuid: 28043b0a-7cd1-45b1-a128-148b96b7b6c7 4 | longDescription: This detection functions by monitoring for removable device insertion events where the device hardware is determined to be removable and non-writable. 
5 | level: 0 6 | inputType: GPUSBEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 0 AND 10 | $event.device.removable == 1 AND 11 | $event.device.writable != 1 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: A non-writable USB drive has been inserted. 20 | label: USB Insertion Non Writable 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/user_created_by_dscl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UserCreatedbyDscl 3 | uuid: 3e92e7d8-c3f4-4fcd-87f2-eab10ecc8ef9 4 | longDescription: This detection functions by monitoring for processes created with a binary carrying the com.apple.dscl identifier and have a process argument containing the '-create' argument used to create a user. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.dscl" AND 11 | (ANY $event.process.args == "-create") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: The dscl binary has been used to create a user. 
20 | label: User Created by DSCL 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/user_deleted_by_dscl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UserDeletedbyDscl 3 | uuid: eae3e8c1-6d70-471f-abd6-16d9b113b446 4 | longDescription: This detection functions by monitoring for processes deleted with a binary carrying the com.apple.dscl identifier and have a process argument containing the '-delete' argument used to delete a user. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.dscl" AND 11 | (ANY $event.process.args == "-delete") 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: The dscl binary has been used to delete a user. 20 | label: User Deleted by DSCL 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/user_privilege_escalation_by_dseditgroup_and_jamf_self_service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UserPrivilegeEscalationByDseditgroupAndSelfService 3 | uuid: dbe9308f-ca10-4201-aac1-8aa1d57aa8c8 4 | longDescription: This detection functions by monitoring for process creation with a binary carrying the signing information of 'com.apple.dseditgroup', a command-line argument of '-o edit -a' (required to escalate privileges with this binary) and with the parent process originating from the Jamf Pro management framework's application support directory. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.dseditgroup" AND 11 | $event.process.commandLine CONTAINS[cd] "-o edit -a" AND 12 | $event.process.parent.commandLine CONTAINS "/Library/Application Support/JAMF/" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: A users privileges have been escalated. 21 | label: User Privilege Escalation by dseditgroup and Self Service 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/user_switched_on_command_line.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: UserSwitchedOnCommandline 3 | uuid: 90de5c96-125f-40de-b1a5-2cada0896c43 4 | longDescription: This detection functions by monitoring for su processes created that have an associated TTY and are determined to be created through a fully interactive shell, such as those from a Terminal session. 5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.tty != nil AND 11 | $event.process.signingInfo.appid == "com.apple.su" 12 | actions: 13 | - name: Log 14 | context: [] 15 | categories: 16 | - Visibility 17 | version: 1 18 | severity: Informational 19 | shortDescription: A user switched on the commandline using the su binary. 
20 | label: User Switched on Commandline 21 | remediation: null 22 | MitreCategories: null 23 | 24 | -------------------------------------------------------------------------------- /custom_analytic_detections/webapp_created.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: WebappCreated 3 | uuid: 1ce4d15c-f2be-4061-b2f8-3fc1bc720e1e 4 | longDescription: This detection functions by monitoring and report when Web Apps are being created by Safari in the Applications directory in a users home folder. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 7 AND 10 | $event.isNewDirectory == 1 AND 11 | $event.file.isAppBundle == 1 AND 12 | $event.file.path BEGINSWITH "/Users/" AND 13 | $event.process.signingInfo.appid == "com.apple.coreservices.uiagent" AND 14 | $event.file.path.stringByDeletingLastPathComponent ENDSWITH "/Applications" 15 | actions: 16 | - name: Log 17 | context: 18 | - exprs: 19 | - (event.file.bundle.infoDictionary.Manifest.start_url) 20 | name: Web App URL 21 | type: File 22 | categories: 23 | - Visibility 24 | version: 1 25 | severity: Informational 26 | shortDescription: A Web App has been created. 27 | label: Web App Created 28 | remediation: null 29 | MitreCategories: null 30 | 31 | -------------------------------------------------------------------------------- /custom_analytic_detections/xattr_extended_attributes_activity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: XattrExtendedAttributesActivity 3 | uuid: 87d1bea2-fbbe-4b53-9044-aa6dfd77d77c 4 | longDescription: This detection functions by monitoring for usage of the xattr binary with the -c and -d args (with com.apple.quarantine) used to clear all or a target extended attribute from a file. 
5 | level: 0 6 | inputType: GPProcessEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: $event.type == 1 AND 10 | $event.process.signingInfo.appid == "com.apple.xattr" AND 11 | $event.process.commandLine CONTAINS "com.apple.quarantine" AND 12 | $event.process.commandLine MATCHES "xattr\\s+(-[lrsvx]{0,5}\\s+){0,5}-[rsvx]{0,4}d[rsvxd]{0,5}\\s+(-[lrsvxd]{0,5}\\s+){0,5}(\"|\')?com\\.apple\\.quarantine(\"|\')?\\s.+" 13 | actions: 14 | - name: Log 15 | context: [] 16 | categories: 17 | - Visibility 18 | version: 1 19 | severity: Informational 20 | shortDescription: The xattr binary has been used to clear the quarantine attributes on a file. 21 | label: User Switched on Commandline 22 | remediation: null 23 | MitreCategories: null 24 | 25 | -------------------------------------------------------------------------------- /custom_analytic_detections/zshenv_create_modify.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ZshenvCreateModify 3 | uuid: e0198480-4008-4dee-830b-625e4eb569f7 4 | longDescription: This detection functions by monitoring for the creation of new new file or modification of a .zshenv in the User's profile. 5 | level: 0 6 | inputType: GPFSEvent 7 | tags: 8 | snapshotFiles: [] 9 | filter: ($event.isNew == 1 OR $event.isModified == 1) AND 10 | $event.path MATCHES[cd] "/Users/.*/\\.zshenv" 11 | actions: 12 | - name: Log 13 | context: [] 14 | categories: 15 | - Visibility 16 | version: 1 17 | severity: Informational 18 | shortDescription: The .zshenv has been created or modified in a users profile. 
19 | label: Zshenv Created or Modified 20 | remediation: null 21 | MitreCategories: null 22 | 23 | -------------------------------------------------------------------------------- /device_controls/README.md: -------------------------------------------------------------------------------- 1 | # Device Controls 2 | 3 | In this repository, you will find all kinds of resources related to Device Controls that comes with Jamf Protect or resources and examples that can help on this subject. 4 | 5 | More information around the built-in Device Controls within Jamf Protect can be found [here](https://docs.jamf.com/jamf-protect/documentation/Device_Controls.html) 6 | 7 | Currently you can find the following resources, we are adding more resources in the future. 8 | 9 | * Restrict iOS/iPadOS devices from syncing with Finder on macOS 10 | 11 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support. -------------------------------------------------------------------------------- /device_controls/restrict_mobiledevices_syncing_with_finder/.GlobalPreferences.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ignore-devices 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /device_controls/restrict_mobiledevices_syncing_with_finder/Disable iOS_iPadOS Devices Finder Sync.mobileconfig: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | PayloadContent 6 | 7 | 8 | PayloadContent 9 | 10 | .GlobalPreferences 11 | 12 | Forced 13 | 14 | 15 | mcx_preference_settings 16 | 17 | ignore-devices 18 | 19 | 20 | 21 | 22 | 23 | 24 | PayloadDisplayName 25 | Custom Settings 26 | PayloadIdentifier 27 | A1ED5AF5-2A1B-42BC-8222-2E682F3741A6 28 | PayloadOrganization 29 | Jamf Open Source Github 30 | PayloadType 31 | com.apple.ManagedClient.preferences 32 | PayloadUUID 33 | 
A1ED5AF5-2A1B-42BC-8222-2E682F3741A6 34 | PayloadVersion 35 | 1 36 | 37 | 38 | PayloadDescription 39 | Disables iOS/iPadOS devices from opening and syncing in Finder. 40 | PayloadDisplayName 41 | Disable iOS/iPadOS devices Finder Syncing 42 | PayloadEnabled 43 | 44 | PayloadIdentifier 45 | A7B0E2CF-77B9-4098-8C93-C421C54389BE 46 | PayloadOrganization 47 | Jamf Open Source Github 48 | PayloadRemovalDisallowed 49 | 50 | PayloadScope 51 | System 52 | PayloadType 53 | Configuration 54 | PayloadUUID 55 | CDFAF281-FDB7-4CA4-8225-98DF8C7BC599 56 | PayloadVersion 57 | 1 58 | 59 | 60 | -------------------------------------------------------------------------------- /device_controls/restrict_mobiledevices_syncing_with_finder/README.md: -------------------------------------------------------------------------------- 1 | # Disable iOS/iPadOS devices from syncing with Finder on macOS 2 | 3 | In this repository we provide information and examples on restricting iOS and iPadOS devices from syncing with Finder on macOS Catalina and later. 4 | 5 | Since the release of macOS Catalina (10.15) the Finder has replaced iTunes as one of the ways to sync devices with a Mac, this feature provides browsing and accessing data from your device on your Mac and also allows Finder to sync data between the device and the Mac. 6 | 7 | In some scenarios you want to prevent data being transmitted from the Mac to the mobile device using the Finder Sync to prevent the loss of organisational data. 8 | 9 | If you want to learn more about syncing devices with Finder you can do so [here](https://support.apple.com/en-gb/HT210611) or read more on this [Jamf technical article](https://docs.jamf.com/technical-articles/Disabling_Data_Syncing_between_Computers_and_Apple_Devices.html) 10 | 11 | Disabling iOS and iPadOS devices from syncing with Finder will restrict and prevent the following functionalities: 12 | 13 | * Mounting devices in Finder menubar either through Wi-Fi and connected with a USB cable. 
14 | * Restrict the following syncing features 15 | * Syncing Albums, songs, playlists, films, TV shows, podcasts, books and audiobooks, Photos and videos, Contacts and calendars. 16 | * Manually copying over files from the Mac to the mobile device 17 | 18 | Although setting the disablement, the following functionalities will remain working: 19 | 20 | * Attaching the mobile device to the Mac to use Console to read device logs 21 | * Attaching the mobile device to the Mac to use it with Apple Configurator 2 22 | * Syncing data with 3rd party tools 23 | * Charging the attached mobile device 24 | 25 | 26 | Steps to restrict Finder sync on a Mac: 27 | 28 | - Download the .mobileconfiguration profile contained within this repository 29 | - Upload the .mobileconfiguration profile in to Jamf Pro or a other MDM solution 30 | - Scope out this Configuration Profile to the Macs where you want to disable this feature. 31 | 32 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support. -------------------------------------------------------------------------------- /helper_tools/README.md: -------------------------------------------------------------------------------- 1 | # Helper Tools 2 | 3 | The tools contained within this section of the repository are built to help deliver the best possible implementation of Jamf Protect. 4 | 5 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 6 | -------------------------------------------------------------------------------- /helper_tools/jamf_protect_diagnostics/README.md: -------------------------------------------------------------------------------- 1 | # Helper Tools - Jamf Protect Diagnostics Collection 2 | 3 | Scripts in this repository are provided to collect the output from `protectctl diagnostics` and upload it to an cloud storage solution of choice. 
4 | 5 | ## About protectctl tool 6 | 7 | The Jamf Protect agent includes the protectctl tool, which allows you to execute some Terminal commands on computers, for more information please refer to [Jamf Learning Hub](https://learn.jamf.com/bundle/jamf-protect-documentation/page/About_Jamf_Protect.html#ariaid-title3) 8 | 9 | ## Storage Solutions 10 | 11 | The workflows in this repository support but are not limited to: 12 | 13 | - [ ] [Amazon S3 Bucket](./aws_s3/) 14 | - [ ] [Google Cloud Storage Bucket](./google_cloud_storage/) 15 | - [ ] [Azure Files](./azure_files/) 16 | 17 | # 18 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. -------------------------------------------------------------------------------- /helper_tools/jamf_protect_diagnostics/aws_s3/README.md: -------------------------------------------------------------------------------- 1 | # Helper Tools - Jamf Protect Diagnostics Collection (AWS S3) 2 | 3 | This script is provided to trigger and collect the output from an `protectctl diagnostics` and upload it to an AWS S3 bucket. 
4 | 5 | ## Workflow Steps 6 | 7 | Steps to create the workflow: 8 | 9 | - [ ] Create [aws_jpdiagnostics.pkg](#aws_pkg) and upload to Jamf Pro 10 | - [ ] Jamf Pro - Upload [jp_diagnostics_self_service.sh](./jp_diagnostics_self_service.sh) 11 | - [ ] Jamf Pro - [Create Policies](#policies) 12 | - Jamf Protect Diagnostics Collect 13 | - AWS Credentials 14 | 15 | ## Workflow Components 16 | 17 | #### Policies 18 | 19 | |Name|Frequency|Trigger|Scope|Payload| 20 | |----|---------|-------|-----|-------| 21 | |**Jamf Protect Diagnostics Collect**|Ongoing|Self Service|All Managed Clients|jp_diagnostics_self_service.sh 22 | |**AWS Credentials**|Ongoing|aws_creds|All Managed Clients|aws_jpdiagnostics.pkg 23 | 24 | **AWS Configuration** 25 | 26 | - Create an AWS S3 Bucket and an IAM user with `s3:PutObject` rights applied 27 | ```{ 28 | "Version": "2012-10-17", 29 | "Statement": [ 30 | { 31 | "Sid": "VisualEditor0", 32 | "Effect": "Allow", 33 | "Action": [ 34 | "s3:PutObject" 35 | ], 36 | "Resource": "arn:aws:s3:::s3bucketname/*" 37 | } 38 | ] 39 | } 40 | ``` 41 | - Create AWS CLI Configuration file: 42 | 1. Install the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) 43 | 2. Configure AWS CLI profile. Run the following in Terminal.app: 44 | - `aws configure --profile jpdiagnostics` 45 | 3. Verify AWS CLI configuration. Run the following in Terminal.app: 46 | - `aws configure list --profile jpdiagnostics` 47 | 3. Use included makefile to create pkg. Run the following from within the project folder in Terminal.app: 48 | - `sudo make pkg` 49 | 4. Copy aws_jpdiagnostics.pkg to Jamf Pro. 50 | 5. Clean up after upload complete. Run the following from within the project folder in Terminal.app: 51 | - `sudo make clean` 52 | # 53 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 
-------------------------------------------------------------------------------- /helper_tools/jamf_protect_diagnostics/aws_s3/makefile: -------------------------------------------------------------------------------- 1 | PKGTITLE="aws_jpdiagnostics" 2 | PKGVERSION=1.0 3 | PKGID="com.jamf.aws.jpdiagnostics" 4 | PROJECT="aws_jpdiagnostics" 5 | DeveloperID="" 6 | 7 | clean: 8 | rm -f ./${PKGTITLE}-*.pkg 9 | rm -rf pkgroot 10 | rm -rf ./signed 11 | 12 | pkg: clean 13 | mkdir -p pkgroot/opt 14 | mkdir ./signed 15 | cp -r ~/.aws pkgroot/opt/ 16 | chmod -R 400 pkgroot/opt/.aws 17 | pkgbuild --root pkgroot --identifier ${PKGID} --version ${PKGVERSION} ./${PKGTITLE}-${PKGVERSION}.pkg 18 | # productsign --sign ${DeveloperID} ${PKGTITLE}-${PKGVERSION}.pkg signed/${PKGTITLE}-${PKGVERSION}.pkg -------------------------------------------------------------------------------- /helper_tools/jamf_protect_diagnostics/azure_files/README.md: -------------------------------------------------------------------------------- 1 | # Helper Tools - Jamf Protect Diagnostics Collection (Azure Files) 2 | 3 | This script is provided to trigger and collect the output from an `protectctl diagnostics` and upload it to Azure Files. 4 | 5 | ## Workflow Steps 6 | 7 | Steps to create the workflow: 8 | 9 | - [ ] Jamf Pro - Upload [jp_diagnostics_self_service.sh](./jp_diagnostics_self_service.sh) 10 | - Set the variables in the script 11 | - [ ] Jamf Pro - [Create Policies](#policies) 12 | - Jamf Protect Diagnostics Collect 13 | 14 | ## Workflow Components 15 | 16 | #### Policies 17 | 18 | |Name|Frequency|Trigger|Scope|Payload| 19 | |----|---------|-------|-----|-------| 20 | |**Jamf Protect Diagnostics Collect**|Ongoing|Self Service|All Managed Clients|jp_diagnostics_self_service.sh
Add the `SAS Token` as script Parameter 5
4 | 5 | ## Workflow Steps 6 | 7 | Steps to create the workflow: 8 | 9 | - [ ] Create [gcs_jpdiagnostics.pkg](#gcs_pkg) and upload to Jamf Pro 10 | - [ ] Jamf Pro - Upload [jp_diagnostics_self_service.sh](./jp_diagnostics_self_service.sh) 11 | - [ ] Jamf Pro - [Create Policies](#policies) 12 | - Jamf Protect Diagsnotics Collect 13 | - Google Cloud Credentials 14 | 15 | ## Workflow Components 16 | 17 | #### Policies 18 | 19 | |Name|Frequency|Trigger|Scope|Payload| 20 | |----|---------|-------|-----|-------| 21 | |**Jamf Protect Diagnostics Collect**|Ongoing|Self Service|All Managed Clients|jp_diagnostics_self_service.sh 22 | |**Google Cloud Credentials**|Ongoing|gcs_creds|All Managed Clients|gcs_jpdiagnostics.pkg 23 | 24 | **Google Cloud Configuration** 25 | 26 | > **Note** 27 | > `gsutil` requires Python3 28 | 29 | - Create a Google Cloud Bucket and a service account with `Storage Object Creator` and `Storage Object Viewer` roles applied. 30 | - Create Google Cloud Configuration file: 31 | 1. Install [Google Cloud CLI](https://cloud.google.com/sdk/docs/downloads-interactive#silent) 32 | 2. Configure the Boto configuration file. Run the following in Terminal.app: 33 | - `/usr/local/google-cloud-sdk/bin/gsutil config -a` 34 | 3. Use included makefile to create pkg. Run the following from within the project folder in Terminal.app: 35 | - `sudo make pkg` 36 | 4. Copy gcs_aftermath.pkg to Jamf Pro. 37 | 5. Clean up after upload complete. Run the following from within the project folder in Terminal.app: 38 | - `sudo make clean` 39 | # 40 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 
-------------------------------------------------------------------------------- /helper_tools/jamf_protect_diagnostics/google_cloud_storage/makefile: -------------------------------------------------------------------------------- 1 | PKGTITLE="gcs_jpdiagnostics" 2 | PKGVERSION=1.0 3 | PKGID="com.jamf.gcs.jpdiagnostics" 4 | PROJECT="gcs_jpdiagnostics" 5 | DeveloperID="" 6 | 7 | clean: 8 | rm -f ./${PKGTITLE}-*.pkg 9 | rm -rf pkgroot 10 | rm -rf ./signed 11 | 12 | pkg: clean 13 | mkdir -p pkgroot/opt 14 | mkdir ./signed 15 | cp ~/.boto pkgroot/opt/ 16 | chmod 400 pkgroot/opt/.boto 17 | pkgbuild --root pkgroot --identifier ${PKGID} --version ${PKGVERSION} ./${PKGTITLE}-${PKGVERSION}.pkg 18 | # productsign --sign ${DeveloperID} ${PKGTITLE}-${PKGVERSION}.pkg signed/${PKGTITLE}-${PKGVERSION}.pkg -------------------------------------------------------------------------------- /helper_tools/jamf_protect_event_analysis/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.xlsx -------------------------------------------------------------------------------- /helper_tools/jamf_protect_event_analysis/requirements.txt: -------------------------------------------------------------------------------- 1 | pandas 2 | openpyxl 3 | xlsxwriter 4 | psutil -------------------------------------------------------------------------------- /helper_tools/re-enable_auditing/compliance_reporter/re-enable-auditing.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | set -e 4 | 5 | /usr/bin/chflags nouchg /etc/security/audit_* 6 | 7 | if [[ ! 
-e /etc/security/audit_control ]] && [[ -e /etc/security/audit_control.example ]];then 8 | /bin/cp /etc/security/audit_control.example /etc/security/audit_control 9 | fi 10 | 11 | # Add execution environment variables to log events 12 | /usr/bin/sed -i.backup 's|policy:cnt,argv$|policy:cnt,argv,arge|' /etc/security/audit_control 13 | 14 | # Enable and bootstrap auditd 15 | /bin/launchctl enable system/com.apple.auditd 16 | /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist 17 | 18 | # Initialize auditd 19 | /usr/sbin/audit -i -------------------------------------------------------------------------------- /helper_tools/re-enable_auditing/jamf_protect/re-enable-auditing.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | set -e 4 | 5 | if [[ -e /etc/security/audit_control ]];then 6 | # Enable and bootstrap auditd 7 | /bin/launchctl enable system/com.apple.auditd 8 | /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist 9 | 10 | # Initialize auditd 11 | /usr/sbin/audit -i 12 | fi -------------------------------------------------------------------------------- /helper_tools/sample_app_for_testing/README.md: -------------------------------------------------------------------------------- 1 | # Sample App for Testing 2 | 3 | Contained within this repository is an sample application that can be used alongside testing Jamf Protect. 4 | 5 | SampleApp is an basic `hello world` application written in SwiftUI, purposely build for testing [Jamf Protect Custom Prevent Lists](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Custom_Prevent_Lists.html) feature using Jamf Protect's Evaluation Guide. 6 | 7 | The pkg and application are both code-signed and notarized. 
8 | 9 | **Signing Information:** 10 | - Identifier: 11 | - *com.sample.app* 12 | - CDHash: 13 | - *c4d76d39a8f6b8eff9bc23100b8163ae25818360* 14 | - TeamIdentifier: 15 | - *CLQKFNPCCP* 16 | 17 | **Installation** 18 | 19 | The `SampleApp.pkg` installs the `SampleApp.app` in to the `/Applications` folder. 20 | 21 | **Uninstall** 22 | 23 | The `Sample App.app` can be removed by moving it into the Trash or simply running the following command 24 | ``` rm -rf /Applications/Sample App.app``` 25 | 26 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 27 | -------------------------------------------------------------------------------- /helper_tools/sample_app_for_testing/SampleApp.pkg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/helper_tools/sample_app_for_testing/SampleApp.pkg -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/.template_jamf_protect_extension_attribute.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on 3 | # 4 | # Data Type: 5 | # Input Type: Script 6 | # 7 | # Expected Results: 8 | # 9 | ##### Script starts here ##### 10 | 11 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 12 | 13 | # Check to confirm that the Jamf Protect binary is available and, if not, set the EA varibale as not present and end 14 | if [[ ! 
-f "$jamfProtectBinaryLocation" ]]; then 15 | 16 | # Echo the EA result 17 | echo "Protect binary not found" 18 | 19 | # Exit the script 20 | exit 0 21 | 22 | fi 23 | 24 | # Script continues here 25 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/README.md: -------------------------------------------------------------------------------- 1 | ## Jamf Pro Extension Attributes 2 | Scripted Extension Attributes in Jamf Pro allow IT teams to extend the native inventory capabilities of the product with customisable data collection to achieve powerful, advanced workflows for the environment. 3 | 4 | More information regarding using Extension Attributes in Jamf Pro can be found [here](https://docs.jamf.com/10.32.0/jamf-pro/administrator-guide/Computer_Extension_Attributes.html). 5 | 6 | ## Using Extension Attributes to report on the Jamf Protect installation 7 | This repository contains many Extension Attribute scripts that can be used to include information about the Jamf Protect installation on an endpoint in the standard inventory submission sent to Jamf Pro. This information can be used for both reporting but also with Smart Grouping to create dynamic workflows based upon the status of Jamf Protect on that endpoint. 8 | 9 | For example, the **[Jamf Protect - Quarantined Files](https://github.com/jamf/jamfprotect/blob/main/custom_analytic_detections/ThreatPreventionFileQuaratine)** Extension Attribute can be used to report on endpoints that have quarantined files present in Jamf Protect's quarantine directory. 10 | 11 | To leverage this Extension Attribute simply: 12 | 1. Navigate to Jamf Pro > Settings > Computer Management > Extension Attributes and create a new object 13 | 2. 
Input the required settings from the Extension Attribute in this repository and save 14 | 15 | The next time endpoints submit inventory to Jamf Pro they will now report 'yes' or 'no' depending on whether there are files present in the `/Library/Application Support/JamfProtect/Quarantine` directory. 16 | 17 | # 18 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 19 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_JamfCloud_queue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the JamfCloud Queue of Jamf Protect 3 | # 4 | # Data Type: Integer 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectJamfcloudQueue=$(/usr/libexec/PlistBuddy -c "Print UploadQueue:JamfCloud" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectJamfcloudQueue="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectJamfcloudQueue" 20 | 21 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_LogFile_queue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the Local Log File queue of Jamf Protect 3 | # 4 | # Data Type: Integer 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectLogfileQueue=$(/usr/libexec/PlistBuddy -c 
"Print UploadQueue:LogFile" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectLogfileQueue="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectLogfileQueue" 20 | 21 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_WebProtection.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # This Extension Attribute will report on the state of Web Protection. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectWebProtection=$(/usr/libexec/PlistBuddy -c "Print :Plan:WebProtection" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectWebProtection="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectWebProtection" -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_analytic_detection_smart_group.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on all files existing in the Jamf Protect 'groups' directory, used by the Analytic action 'Add to Jamf Pro Smart Group' to invoke the Jamf Protect and Jamf Pro response integration. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | SMARTGROUPS_DIR=/Library/Application\ Support/JamfProtect/groups 10 | if [ -d "$SMARTGROUPS_DIR" ]; then 11 | SMART_GROUPS=`/bin/ls "$SMARTGROUPS_DIR" | /usr/bin/tr '\n' ','` 12 | echo "${SMART_GROUPS%?}" 13 | else 14 | echo "" 15 | fi 16 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_application_crash_reports.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on any Jamf Protect crash reports present on the managed endpoint from the Jamf Protect application. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 10 | 11 | # Check to confirm that the Jamf Protect binary is available and, if not, set the EA varibale as not present and end 12 | if [[ ! -f "$jamfProtectBinaryLocation" ]]; then 13 | 14 | # Echo the EA result 15 | echo "Protect binary not found" 16 | 17 | # Exit the script 18 | exit 0 19 | 20 | fi 21 | 22 | # Capture the verbose information output from the Jamf Protect application in the form of a plist 23 | jamfProtectInfoPlist=$("$jamfProtectBinaryLocation" info -v --plist) 24 | 25 | # Check for the present of any crash files detected by the Jamf Protect application 26 | jamfProtectCrashFiles=$(/usr/libexec/PlistBuddy -c "Print Crashes:files" /dev/stdin <<<"$jamfProtectInfoPlist" | sed -e '1d' -e 's/Array//' -e 's/[{}]//g') 27 | 28 | if [[ ! 
-z "$jamfProtectCrashFiles" ]]; then 29 | 30 | # Return a list of file paths for the crash files detected 31 | echo "$jamfProtectCrashFiles" 32 | 33 | else 34 | 35 | echo "No Crash Files Found" 36 | 37 | fi 38 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_application_status.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Extension Attribute to display the status of Jamf Protect 3 | 4 | # Created by macstuff.dev - Melwin Moeskops 5 | # Display Name: Jamf Protect Status 6 | # Data type: String 7 | # Expected results: Protected, Enrolling, Missing Plan, Disconnected, Missing CA, Protect binary does not exist. 8 | 9 | # Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [[ -f "$jamfProtectBinaryLocation" ]]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectStatus=$(/usr/libexec/PlistBuddy -c "Print Status" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectStatus="Protect binary does not exist" 17 | fi 18 | 19 | # Display the current status 20 | echo "${jamfProtectStatus}" 21 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_autoUpdate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # This Extension Attribute will report on the state of Auto Update. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectAutoUpdate=$(/usr/libexec/PlistBuddy -c "Print :Plan:autoUpdate" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectAutoUpdate="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectAutoUpdate" -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_binary_version.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the installed version of the Jamf Protect binary. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectVersion=$(/usr/libexec/PlistBuddy -c "Print Version" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectVersion="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectVersion" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_http_queue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the HTTP Queue of Jamf Protect 3 | # 4 | # Data Type: Integer 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | 
jamfProtectHTTPQueue=$(/usr/libexec/PlistBuddy -c "Print UploadQueue:HTTP" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectHTTPQueue="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectHTTPQueue" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_kafka_queue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the SysLog Queue of Jamf Protect 3 | # 4 | # Data Type: Integer 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectKafkaQueue=$(/usr/libexec/PlistBuddy -c "Print UploadQueue:SysLog" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectKafkaQueue="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectKafkaQueue" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_last_check_in.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the last check-in date of the Jamf Protect binary. 
3 | # 4 | # Data Type: Date (YYYY-MM-DD hh:mm:ss) 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [[ -f "$jamfProtectBinaryLocation" ]]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | xpath="/plist/dict/date[preceding-sibling::key='LastCheckin'][1]/text()" 15 | rawLastCheckin=$(/bin/echo $plist | /usr/bin/xpath -e "${xpath}" 2>/dev/null) 16 | jamfProtectLastCheckin=$(/bin/date -j -f "%Y-%m-%dT%H:%M:%SZ" "$rawLastCheckin" "+%Y-%m-%d %H:%M:%S") 17 | else 18 | jamfProtectLastCheckin="Protect binary not found" 19 | fi 20 | 21 | echo "$jamfProtectLastCheckin" -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_last_insights_report.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the time of the last Insights report submitted by the Jamf Protect binary. 
3 | # 4 | # Data Type: Date (YYYY-MM-DD hh:mm:ss) 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [[ -f "$jamfProtectBinaryLocation" ]]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | xpath="/plist/dict/date[preceding-sibling::key='LastInsightsSync'][1]/text()" 15 | rawInsightsSync=$(/bin/echo $plist | /usr/bin/xpath -e "${xpath}" 2>/dev/null) 16 | jamfProtectInfoInsightsSync=$(/bin/date -j -f "%Y-%m-%dT%H:%M:%SZ" "$rawInsightsSync" "+%Y-%m-%d %H:%M:%S") 17 | else 18 | jamfProtectInfoInsightsSync="Protect binary not found" 19 | fi 20 | 21 | echo "$jamfProtectInfoInsightsSync" -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_log_level.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the Log Level currently in-use by Jamf Protect 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 10 | 11 | if [ -f "$jamfProtectBinaryLocation" ]; then 12 | plist=$($jamfProtectBinaryLocation info --plist) 13 | jamfProtectLogLevel=$(/usr/libexec/PlistBuddy -c "Print LogLevel" /dev/stdin <<<"$plist") 14 | else 15 | jamfProtectLogLevel="Protect binary not found" 16 | fi 17 | 18 | echo "$jamfProtectLogLevel" -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_plan_hash.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the hash of the Plan currently in-use by Jamf Protect. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectPlanHash=$(/usr/libexec/PlistBuddy -c "Print PlanHash" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectPlanHash="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectPlanHash" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_plan_id.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the ID of the Plan currently in-use by Jamf Protect. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectPlanID=$(/usr/libexec/PlistBuddy -c "Print PlanID" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectPlanID="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectPlanID" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_quarantined_files.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on the presence of files in the Jamf Protect file quarantine directory, placed there when known malware is prevented from executing due to a signature detection match with the Threat Prevention feature. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | QUARANTINE_FILES=$(/bin/ls /Library/Application\ Support/JamfProtect/Quarantine) 10 | if [[ -z "$QUARANTINE_FILES" ]]; then 11 | 12 | echo "No" 13 | 14 | else 15 | 16 | echo "Yes" 17 | fi 18 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_syslog_queue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This Extension Attribute will report on the Kafka Queue of Jamf Protect 3 | # 4 | # Data Type: Integer 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectSyslogQueue=$(/usr/libexec/PlistBuddy -c "Print UploadQueue:Kafka" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectSyslogQueue="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectSyslogQueue" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_tamper_prevention.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # This Extension Attribute will report on the state of Tamper Prevention. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectTamperPrevention=$(/usr/libexec/PlistBuddy -c "Print :Plan:Configuration:0:Enabled" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectTamperPrevention="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectTamperPrevention" 20 | 21 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_tamper_prevention_mode.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | # This Extension Attribute will report on the mode of Tamper Prevention. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectTamperPrevention=$(/usr/libexec/PlistBuddy -c "Print :Plan:Configuration:0:Mode" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectTamperPrevention="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectTamperPrevention" 20 | 21 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_tenant_name.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on the Jamf Protect Cloud tenant that Jamf Protect is enrolled with. 
3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectTenant=$(/usr/libexec/PlistBuddy -c "Print Tenant" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectTenant="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectTenant" 20 | -------------------------------------------------------------------------------- /jamf_pro_extension_attributes/jamf_protect_threat_prevention_version.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This Extension Attribute will report on the Threat Prevention version currently in place with Jamf Protect. 3 | # 4 | # Data Type: String 5 | # Input Type: Script 6 | # 7 | ##### Script starts here ##### 8 | 9 | #Jamf Protect Location 10 | jamfProtectBinaryLocation="/usr/local/bin/protectctl" 11 | 12 | if [ -f "$jamfProtectBinaryLocation" ]; then 13 | plist=$($jamfProtectBinaryLocation info --plist) 14 | jamfProtectThreatPreventionVersion=$(/usr/libexec/PlistBuddy -c "Print Monitors:execAuth:stats:signatureFeed:version" /dev/stdin <<<"$plist") 15 | else 16 | jamfProtectThreatPreventionVersion="Protect binary not found" 17 | fi 18 | 19 | echo "$jamfProtectThreatPreventionVersion" 20 | -------------------------------------------------------------------------------- /jamf_protect_api/README.md: -------------------------------------------------------------------------------- 1 | # Jamf Protect API 2 | The Jamf Protect API is the primary resource for programmatically interacting with Jamf Protect. The Jamf Protect API uses GraphQL, an advanced query service and language that allows you to search and access your data from a single endpoint. 
3 | 4 | To learn more about GraphQL, see the [Introduction to GraphQL](https://graphql.org/learn) page on the GraphQL Foundation website. 5 | 6 | Documentation on the Jamf Protect API can be found [here](https://docs.jamf.com/jamf-protect/documentation/Jamf_Protect_API.html). 7 | 8 | ## API Scripts 9 | The scripts contained within this repository are written in either Bash or Python, with specific guidance for each provided within their respective sections. 10 | 11 | # 12 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 13 | -------------------------------------------------------------------------------- /json_samples_and_schemas/README.md: -------------------------------------------------------------------------------- 1 | # JSON Samples and Schemas 2 | Jamf Protect offers the feature of [redirecting Alerts and Telemetry to third-party storage systems or a SIEM](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Data_Forwarding_to_a_Third_Party_Storage_Solution.html), with the transmitted data formatted in JSON. While the [Jamf Learning Hub](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Telemetry_Log_Data_Examples.html) offers sample representations for various event types, this repository is specifically curated to include examples of both Jamf Protect Alerts and Telemetry, along with the corresponding schemas pertinent to each type of event. 3 | 4 | 5 | If you wish to send a single or multiple sample events to an HTTP endpoint, you can do so using a provided Postman Collection. 6 | You can access the documentation for this collection [here](https://documenter.getpostman.com/view/19047489/2s9YeD8Ckv). 
7 | 8 | [![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/19047489-ca625448-7b53-4883-b825-c290dbb56397?action=collection%2Ffork&source=rip_markdown&collection-url=entityId%3D19047489-ca625448-7b53-4883-b825-c290dbb56397%26entityType%3Dcollection%26workspaceId%3D8d42b81d-adf4-4584-8418-8990049f0ff6) 9 | 10 | # 11 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 12 | -------------------------------------------------------------------------------- /json_samples_and_schemas/alerts/samples/.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/json_samples_and_schemas/alerts/samples/.txt -------------------------------------------------------------------------------- /json_samples_and_schemas/alerts/samples/GPUnifiedLogEvent.json: -------------------------------------------------------------------------------- 1 | { 2 | "caid": "02315cab15112294890e215397052cd73743b887c8264bc468b84df905e67e91", 3 | "certid": "d8154207ff785fd8c406baffe03eb345f3290434c5025e1b8268f89f6c310df9", 4 | "input": { 5 | "eventType": "GPUnifiedLogEvent", 6 | "host": { 7 | "hostname": "PCJVW6XJGM", 8 | "ips": [ 9 | "192.168.86.32" 10 | ], 11 | "os": "Version 13.6.1 (Build 22G313)", 12 | "protectVersion": "5.1.0.4", 13 | "provisioningUDID": "00006000-000678310153401E", 14 | "serial": "PCJVW6XJGM" 15 | }, 16 | "match": { 17 | "actions": [ 18 | { 19 | "name": "Report" 20 | } 21 | ], 22 | "context": [], 23 | "custom": false, 24 | "event": { 25 | "category": "XPEvent.structured", 26 | "composedMessage": "{\"caused_by\":[],\"status_message\":\"NoThreatDetected\",\"status_code\":20,\"execution_duration\":0.7135159969329834}", 27 | "name": "XProtect Remediator Scan Activity", 28 | "process": "XProtectRemediatorGreenAcre", 29 | "processIdentifier": 
6925, 30 | "processImagePath": "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre", 31 | "sender": "XProtectRemediatorGreenAcre", 32 | "senderImagePath": "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre", 33 | "subsystem": "com.apple.XProtectFramework.PluginAPI", 34 | "tags": [ 35 | "XProtect Remediator" 36 | ], 37 | "timestamp": 1699432944.315508, 38 | "uuid": "D64D34FA-D426-48A3-BFD3-286776C34618" 39 | }, 40 | "facts": [ 41 | { 42 | "actions": [ 43 | { 44 | "name": "Report" 45 | } 46 | ], 47 | "context": [], 48 | "human": "XProtect Remediator Scan Activity", 49 | "name": "XProtect Remediator Scan Activity", 50 | "severity": 0, 51 | "tags": [ 52 | "XProtect Remediator" 53 | ], 54 | "uuid": "48C46122-898D-412D-A728-F8939F0F8017" 55 | } 56 | ], 57 | "severity": 0, 58 | "tags": [ 59 | "XProtect Remediator" 60 | ], 61 | "uuid": "7E46E4CD-0999-44C7-8EEE-6AC21876126E" 62 | } 63 | } 64 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_BIND.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "arguments": { 4 | "fd": 7 5 | }, 6 | "header": { 7 | "event_id": 34, 8 | "event_modifier": 0, 9 | "event_name": "AUE_BIND", 10 | "time_milliseconds_offset": 736, 11 | "time_seconds_epoch": 1571164260, 12 | "version": 11 13 | }, 14 | "host_info": { 15 | "host_name": "VMAC-2C23RW4DY", 16 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 17 | "osversion": "Version 10.15 (Build 19A582a)", 18 | "primary_mac_address": "38:f9:e8:15:5a:82", 19 | "serial_number": "Z2C23RW4DY" 20 | }, 21 | "identity": { 22 | "cd_hash": "ff3302b13bed47bc0d3099a7e14ee0fbe6219b45", 23 | "signer_id": "com.apple.timed", 24 | "signer_id_truncated": 0, 25 | "signer_type": 1, 26 | "team_id": "", 27 | "team_id_truncated": 0 28 | }, 29 | "return": { 30 | 
"description": "success", 31 | "error": 0, 32 | "return_value": 0 33 | }, 34 | "socket_inet": { 35 | "addr": [ 36 | 0 37 | ], 38 | "family": 2, 39 | "id": 128, 40 | "ip_address": "0.0.0.0", 41 | "port": 123 42 | }, 43 | "subject": { 44 | "audit_id": 4294967295, 45 | "audit_user_name": "-1", 46 | "effective_group_id": 266, 47 | "effective_group_name": "_timed", 48 | "effective_user_id": 266, 49 | "effective_user_name": "_timed", 50 | "group_id": 266, 51 | "group_name": "_timed", 52 | "process_hash": "2EC19124474D13ABC02FAFF6A9DA5384B29020AD", 53 | "process_id": 244, 54 | "process_name": "/usr/libexec/timed", 55 | "session_id": 100000, 56 | "terminal_id": { 57 | "addr": [ 58 | 0 59 | ], 60 | "ip_address": "0.0.0.0", 61 | "port": 0, 62 | "type": 0 63 | }, 64 | "user_id": 266, 65 | "user_name": "_timed" 66 | } 67 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_CHDIR.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 2, 3 | "attributes": { 4 | "device": 0, 5 | "file_access_mode": 16832, 6 | "file_system_id": 16777220, 7 | "node_id": 1254228, 8 | "owner_group_id": 20, 9 | "owner_group_name": "staff", 10 | "owner_user_id": 502, 11 | "owner_user_name": "john_appleseed" 12 | }, 13 | "header": { 14 | "event_id": 8, 15 | "event_modifier": 0, 16 | "event_name": "AUE_CHDIR", 17 | "time_milliseconds_offset": 885, 18 | "time_seconds_epoch": 1570154813, 19 | "version": 11 20 | }, 21 | "host_info": { 22 | "host_name": "VMAC-2C23RW4DY", 23 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 24 | "osversion": "Version 10.14.6 (Build 18G95)", 25 | "primary_mac_address": "38:f9:e8:15:5a:82", 26 | "serial_number": "Z2C23RW4DY" 27 | }, 28 | "identity": { 29 | "cd_hash": "d6195eac3979557fc3938dbbdea4c811ff475ab4", 30 | "signer_id": "com.noodlesoft.hazelworker", 31 | "signer_id_truncated": 0, 32 | "signer_type": 0, 33 | "team_id": 
"86Z3GCJ4MF", 34 | "team_id_truncated": 0 35 | }, 36 | "path": [ 37 | "/Users/john_appleseed/Desktop", 38 | "/Users/john_appleseed/Desktop" 39 | ], 40 | "return": { 41 | "description": "success", 42 | "error": 0, 43 | "return_value": 0 44 | }, 45 | "subject": { 46 | "audit_id": 502, 47 | "audit_user_name": "john_appleseed", 48 | "effective_group_id": 20, 49 | "effective_group_name": "staff", 50 | "effective_user_id": 502, 51 | "effective_user_name": "john_appleseed", 52 | "group_id": 20, 53 | "group_name": "staff", 54 | "process_hash": "", 55 | "process_id": 33196, 56 | "process_name": "", 57 | "session_id": 100011, 58 | "terminal_id": { 59 | "addr": [ 60 | 0 61 | ], 62 | "ip_address": "0.0.0.0", 63 | "port": 50331650, 64 | "type": 0 65 | }, 66 | "user_id": 502, 67 | "user_name": "john_appleseed" 68 | } 69 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_CHROOT.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "attributes": { 4 | "device": 0, 5 | "file_access_mode": 16832, 6 | "file_system_id": 16777220, 7 | "node_id": 35433516, 8 | "owner_group_id": 20, 9 | "owner_group_name": "staff", 10 | "owner_user_id": 503, 11 | "owner_user_name": "presentation" 12 | }, 13 | "exec_chain_child": { 14 | "parent_path": "/usr/libexec/dirhelper", 15 | "parent_pid": 11694, 16 | "parent_uuid": "86C52198-4836-4BF5-846E-4F820A508D49" 17 | }, 18 | "header": { 19 | "event_id": 24, 20 | "event_modifier": 0, 21 | "event_name": "AUE_CHROOT", 22 | "time_milliseconds_offset": 499, 23 | "time_seconds_epoch": 1570952104, 24 | "version": 11 25 | }, 26 | "host_info": { 27 | "host_name": "VMAC-2C23RW4DY", 28 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 29 | "osversion": "Version 10.15 (Build 19A582a)", 30 | "primary_mac_address": "38:f9:e8:15:5a:82", 31 | "serial_number": "Z2C23RW4DY" 32 | }, 33 | "identity": { 34 | "cd_hash": 
"dfe8f43e8b8e71b8db37ce445ca3a3d6ac5663ed", 35 | "signer_id": "com.apple.dirhelper", 36 | "signer_id_truncated": 0, 37 | "signer_type": 1, 38 | "team_id": "", 39 | "team_id_truncated": 0 40 | }, 41 | "path": [ 42 | "/var/folders/lz/hlz26vk50qb1sn046dw9kq080000gq/T", 43 | "/private/var/folders/lz/hlz26vk50qb1sn046dw9kq080000gq/T" 44 | ], 45 | "return": { 46 | "description": "success", 47 | "error": 0, 48 | "return_value": 0 49 | }, 50 | "subject": { 51 | "audit_id": 4294967295, 52 | "audit_user_name": "-1", 53 | "effective_group_id": 0, 54 | "effective_group_name": "wheel", 55 | "effective_user_id": 0, 56 | "effective_user_name": "root", 57 | "group_id": 0, 58 | "group_name": "wheel", 59 | "process_hash": "FAF349F33B0D8D6378F0498484EB8BF21158331B", 60 | "process_id": 11730, 61 | "process_name": "/usr/libexec/dirhelper", 62 | "session_id": 100000, 63 | "terminal_id": { 64 | "addr": [ 65 | 0 66 | ], 67 | "ip_address": "0.0.0.0", 68 | "port": 0, 69 | "type": 0 70 | }, 71 | "user_id": 0, 72 | "user_name": "root" 73 | } 74 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_CONNECT.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "fd": 43 5 | }, 6 | "header": { 7 | "event_id": 32, 8 | "event_modifier": 0, 9 | "event_name": "AUE_CONNECT", 10 | "time_milliseconds_offset": 174, 11 | "time_seconds_epoch": 1571164481, 12 | "version": 11 13 | }, 14 | "host_info": { 15 | "host_name": "VMAC-2C23RW4DY", 16 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 17 | "osversion": "Version 10.15 (Build 19A582a)", 18 | "primary_mac_address": "38:f9:e8:15:5a:82", 19 | "serial_number": "Z2C23RW4DY" 20 | }, 21 | "identity": { 22 | "cd_hash": "13bf8bbe9e56bc3a1c81d6cc715777f7b4719283", 23 | "signer_id": "com.logi.ghub.agent", 24 | "signer_id_truncated": 0, 25 | "signer_type": 0, 26 | "team_id": "QED4VVPZWA", 27 | 
"team_id_truncated": 0 28 | }, 29 | "return": { 30 | "description": "failure : Operation now in progress", 31 | "error": 150, 32 | "return_value": 4294967295 33 | }, 34 | "socket_inet": { 35 | "addr": [ 36 | 16777343 37 | ], 38 | "family": 2, 39 | "id": 128, 40 | "ip_address": "127.0.0.1", 41 | "port": 6468 42 | }, 43 | "subject": { 44 | "audit_id": 502, 45 | "audit_user_name": "john_appleseed", 46 | "effective_group_id": 20, 47 | "effective_group_name": "staff", 48 | "effective_user_id": 502, 49 | "effective_user_name": "john_appleseed", 50 | "group_id": 20, 51 | "group_name": "staff", 52 | "process_hash": "", 53 | "process_id": 11800, 54 | "process_name": "", 55 | "session_id": 100007, 56 | "terminal_id": { 57 | "addr": [ 58 | 0 59 | ], 60 | "ip_address": "0.0.0.0", 61 | "port": 50331650, 62 | "type": 0 63 | }, 64 | "user_id": 502, 65 | "user_name": "john_appleseed" 66 | } 67 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_EXIT.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "exec_chain_child": { 4 | "parent_path": "/bin/zsh", 5 | "parent_pid": 30537, 6 | "parent_uuid": "7241AD38-A42B-4B55-BE65-337468DB3E22" 7 | }, 8 | "exit": { 9 | "return_value": 0, 10 | "status": 0 11 | }, 12 | "header": { 13 | "event_id": 1, 14 | "event_modifier": 0, 15 | "event_name": "AUE_EXIT", 16 | "time_milliseconds_offset": 671, 17 | "time_seconds_epoch": 1570154832, 18 | "version": 11 19 | }, 20 | "host_info": { 21 | "host_name": "VMAC-2C23RW4DY", 22 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 23 | "osversion": "Version 10.14.6 (Build 18G95)", 24 | "primary_mac_address": "38:f9:e8:15:5a:82", 25 | "serial_number": "Z2C23RW4DY" 26 | }, 27 | "identity": { 28 | "cd_hash": "05ed42ef5e67e41ab135b8f24b59f7b42e9b324d", 29 | "signer_id": "com.apple.zsh", 30 | "signer_id_truncated": 0, 31 | "signer_type": 1, 32 | "team_id": "", 33 
| "team_id_truncated": 0 34 | }, 35 | "return": { 36 | "description": "success", 37 | "error": 0, 38 | "return_value": 0 39 | }, 40 | "subject": { 41 | "audit_id": 502, 42 | "audit_user_name": "john_appleseed", 43 | "effective_group_id": 20, 44 | "effective_group_name": "staff", 45 | "effective_user_id": 502, 46 | "effective_user_name": "john_appleseed", 47 | "group_id": 20, 48 | "group_name": "staff", 49 | "process_hash": "", 50 | "process_id": 33206, 51 | "process_name": "", 52 | "session_id": 100011, 53 | "terminal_id": { 54 | "addr": [ 55 | 0 56 | ], 57 | "ip_address": "0.0.0.0", 58 | "port": 50331650, 59 | "type": 0 60 | }, 61 | "user_id": 502, 62 | "user_name": "john_appleseed" 63 | } 64 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_FORK.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "child_PID": 72350 5 | }, 6 | "exec_chain_parent": { 7 | "uuid": "78788648-9035-4BBD-BE36-C622E0A5EDE7" 8 | }, 9 | "header": { 10 | "event_id": 2, 11 | "event_modifier": 0, 12 | "event_name": "AUE_FORK", 13 | "time_milliseconds_offset": 400, 14 | "time_seconds_epoch": 1570033263, 15 | "version": 11 16 | }, 17 | "host_info": { 18 | "host_name": "VMAC-2C23RW4DY", 19 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 20 | "osversion": "Version 10.14.6 (Build 18G95)", 21 | "primary_mac_address": "38:f9:e8:15:5a:82", 22 | "serial_number": "Z2C23RW4DY" 23 | }, 24 | "identity": { 25 | "cd_hash": "acedd0c240e84dc3589fb9707fddb25f8743606e", 26 | "signer_id": "com.github.GitHubClient.helper", 27 | "signer_id_truncated": 0, 28 | "signer_type": 0, 29 | "team_id": "VEKTX9H2N7", 30 | "team_id_truncated": 0 31 | }, 32 | "return": { 33 | "description": "success", 34 | "error": 0, 35 | "return_value": 72350 36 | }, 37 | "subject": { 38 | "audit_id": 502, 39 | "audit_user_name": "john_appleseed", 40 | 
"effective_group_id": 20, 41 | "effective_group_name": "staff", 42 | "effective_user_id": 502, 43 | "effective_user_name": "john_appleseed", 44 | "group_id": 20, 45 | "group_name": "staff", 46 | "process_hash": "F38903FE2AEBEDD2F07704FAE89A405AF57023F2", 47 | "process_id": 60068, 48 | "process_name": "/Applications/GitHub Desktop.app/Contents/Frameworks/GitHub Desktop Helper.app/Contents/MacOS/GitHub Desktop Helper", 49 | "session_id": 100011, 50 | "terminal_id": { 51 | "addr": [ 52 | 0 53 | ], 54 | "ip_address": "0.0.0.0", 55 | "port": 50331650, 56 | "type": 0 57 | }, 58 | "user_id": 502, 59 | "user_name": "john_appleseed" 60 | } 61 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_GETAUID.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "header": { 4 | "event_id": 130, 5 | "event_modifier": 0, 6 | "event_name": "AUE_GETAUID", 7 | "time_milliseconds_offset": 519, 8 | "time_seconds_epoch": 1571162245, 9 | "version": 11 10 | }, 11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "2bf9e42cb57800f2e3a43cf2882b88f58282aab2", 20 | "signer_id": "com.apple.loginwindow", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 502, 33 | "audit_user_name": "john_appleseed", 34 | "effective_group_id": 20, 35 | "effective_group_name": "staff", 36 | "effective_user_id": 502, 37 | "effective_user_name": "john_appleseed", 38 | "group_id": 20, 39 | "group_name": "staff", 40 | "process_hash": 
"25220F4B8B3ACAD2B28387AC333401D3E59840EA", 41 | "process_id": 282, 42 | "process_name": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", 43 | "session_id": 100007, 44 | "terminal_id": { 45 | "addr": [ 46 | 0 47 | ], 48 | "ip_address": "0.0.0.0", 49 | "port": 50331650, 50 | "type": 0 51 | }, 52 | "user_id": 0, 53 | "user_name": "root" 54 | } 55 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_LISTEN.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "fd": 6 5 | }, 6 | "exec_chain_child": { 7 | "parent_path": "/sbin/launchd", 8 | "parent_pid": 1, 9 | "parent_uuid": "84492D4D-24C3-472E-8C19-6417C51FA1D2" 10 | }, 11 | "header": { 12 | "event_id": 43140, 13 | "event_modifier": 0, 14 | "event_name": "AUE_LISTEN", 15 | "time_milliseconds_offset": 822, 16 | "time_seconds_epoch": 1571163830, 17 | "version": 11 18 | }, 19 | "host_info": { 20 | "host_name": "VMAC-2C23RW4DY", 21 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 22 | "osversion": "Version 10.15 (Build 19A582a)", 23 | "primary_mac_address": "38:f9:e8:15:5a:82", 24 | "serial_number": "Z2C23RW4DY" 25 | }, 26 | "identity": { 27 | "cd_hash": "c09a9b7b934a35e5e1594784a976147cc324f599", 28 | "signer_id": "com.apple.cupsd", 29 | "signer_id_truncated": 0, 30 | "signer_type": 1, 31 | "team_id": "", 32 | "team_id_truncated": 0 33 | }, 34 | "return": { 35 | "description": "success", 36 | "error": 0, 37 | "return_value": 0 38 | }, 39 | "subject": { 40 | "audit_id": 4294967295, 41 | "audit_user_name": "-1", 42 | "effective_group_id": 0, 43 | "effective_group_name": "wheel", 44 | "effective_user_id": 0, 45 | "effective_user_name": "root", 46 | "group_id": 0, 47 | "group_name": "wheel", 48 | "process_hash": "AD6554AFF6746C7B4D994AECE9D9CF229FDA2D24", 49 | "process_id": 24971, 50 | "process_name": "/usr/sbin/cupsd", 51 | 
"session_id": 100000, 52 | "terminal_id": { 53 | "addr": [ 54 | 0 55 | ], 56 | "ip_address": "0.0.0.0", 57 | "port": 0, 58 | "type": 0 59 | }, 60 | "user_id": 0, 61 | "user_name": "root" 62 | } 63 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_MAC_SET_PROC.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "exec_chain_child": { 4 | "parent_path": "/sbin/launchd", 5 | "parent_pid": 1, 6 | "parent_uuid": "84492D4D-24C3-472E-8C19-6417C51FA1D2" 7 | }, 8 | "header": { 9 | "event_id": 43122, 10 | "event_modifier": 0, 11 | "event_name": "AUE_MAC_SET_PROC", 12 | "time_milliseconds_offset": 978, 13 | "time_seconds_epoch": 1571163436, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "identity": { 24 | "cd_hash": "5d3fdaa460a12021a198c58ca697d31338d66c76", 25 | "signer_id": "com.apple.backupd", 26 | "signer_id_truncated": 0, 27 | "signer_type": 1, 28 | "team_id": "", 29 | "team_id_truncated": 0 30 | }, 31 | "return": { 32 | "description": "success", 33 | "error": 0, 34 | "return_value": 0 35 | }, 36 | "subject": { 37 | "audit_id": 4294967295, 38 | "audit_user_name": "-1", 39 | "effective_group_id": 0, 40 | "effective_group_name": "wheel", 41 | "effective_user_id": 0, 42 | "effective_user_name": "root", 43 | "group_id": 0, 44 | "group_name": "wheel", 45 | "process_hash": "B701AF52CDA90E4A31B8A164EB0348FC888AB022", 46 | "process_id": 24524, 47 | "process_name": "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd", 48 | "session_id": 100000, 49 | "terminal_id": { 50 | "addr": [ 51 | 0 52 | ], 53 | "ip_address": "0.0.0.0", 54 | "port": 0, 55 | "type": 0 56 | }, 57 | 
"user_id": 0, 58 | "user_name": "root" 59 | }, 60 | "texts": [ 61 | "arg: tm/1" 62 | ] 63 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_MOUNT.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "flags": 1048576 5 | }, 6 | "attributes": { 7 | "device": 0, 8 | "file_access_mode": 16457, 9 | "file_system_id": 16777220, 10 | "node_id": 241568256, 11 | "owner_group_id": 0, 12 | "owner_group_name": "wheel", 13 | "owner_user_id": 0, 14 | "owner_user_name": "root" 15 | }, 16 | "exec_chain_child": { 17 | "parent_path": "", 18 | "parent_pid": 19725, 19 | "parent_uuid": "107D507D-B8BE-4FB2-9B96-838BAF8987D5" 20 | }, 21 | "header": { 22 | "event_id": 62, 23 | "event_modifier": 0, 24 | "event_name": "AUE_MOUNT", 25 | "time_milliseconds_offset": 350, 26 | "time_seconds_epoch": 1571161051, 27 | "version": 11 28 | }, 29 | "host_info": { 30 | "host_name": "VMAC-2C23RW4DY", 31 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 32 | "osversion": "Version 10.15 (Build 19A582a)", 33 | "primary_mac_address": "38:f9:e8:15:5a:82", 34 | "serial_number": "Z2C23RW4DY" 35 | }, 36 | "identity": { 37 | "cd_hash": "b50d3446803aeeccd28ee42a2258314492f3c42b", 38 | "signer_id": "com.apple.mount_apfs", 39 | "signer_id_truncated": 0, 40 | "signer_type": 1, 41 | "team_id": "", 42 | "team_id_truncated": 0 43 | }, 44 | "path": [ 45 | "/Volumes/Recovery", 46 | "/Volumes/Recovery" 47 | ], 48 | "return": { 49 | "description": "success", 50 | "error": 0, 51 | "return_value": 0 52 | }, 53 | "subject": { 54 | "audit_id": 4294967295, 55 | "audit_user_name": "-1", 56 | "effective_group_id": 0, 57 | "effective_group_name": "wheel", 58 | "effective_user_id": 0, 59 | "effective_user_name": "root", 60 | "group_id": 0, 61 | "group_name": "wheel", 62 | "process_hash": "", 63 | "process_id": 19726, 64 | "process_name": "", 65 | "session_id": 
100000, 66 | "terminal_id": { 67 | "addr": [ 68 | 0 69 | ], 70 | "ip_address": "0.0.0.0", 71 | "port": 0, 72 | "type": 0 73 | }, 74 | "user_id": 0, 75 | "user_name": "root" 76 | }, 77 | "texts": [ 78 | "apfs" 79 | ] 80 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_PIDFORTASK.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "arguments": { 4 | "pid": 33183, 5 | "port": 1379 6 | }, 7 | "header": { 8 | "event_id": 43049, 9 | "event_modifier": 0, 10 | "event_name": "AUE_PIDFORTASK", 11 | "time_milliseconds_offset": 295, 12 | "time_seconds_epoch": 1570154823, 13 | "version": 11 14 | }, 15 | "host_info": { 16 | "host_name": "VMAC-2C23RW4DY", 17 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 18 | "osversion": "Version 10.14.6 (Build 18G95)", 19 | "primary_mac_address": "38:f9:e8:15:5a:82", 20 | "serial_number": "Z2C23RW4DY" 21 | }, 22 | "return": { 23 | "description": "success", 24 | "error": 0, 25 | "return_value": 0 26 | }, 27 | "subject": { 28 | "audit_id": 4294967295, 29 | "audit_user_name": "-1", 30 | "effective_group_id": 0, 31 | "effective_group_name": "wheel", 32 | "effective_user_id": 0, 33 | "effective_user_name": "root", 34 | "group_id": 0, 35 | "group_name": "wheel", 36 | "process_hash": "3E38EA613B3FCC0B9136BBAC9949A7F9EE6C5B8B", 37 | "process_id": 96805, 38 | "process_name": "/usr/libexec/sandboxd", 39 | "session_id": 100000, 40 | "terminal_id": { 41 | "addr": [ 42 | 0 43 | ], 44 | "ip_address": "0.0.0.0", 45 | "port": 0, 46 | "type": 0 47 | }, 48 | "user_id": 0, 49 | "user_name": "root" 50 | } 51 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_POSIX_SPAWN.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "child_PID": 25971 
5 | }, 6 | "exec_args": { 7 | "args": { 8 | "1": "xpcproxy", 9 | "2": "com.apple.mdworker.shared.04000000-0600-0000-0000-000000000000" 10 | }, 11 | "args_compiled": "xpcproxy,com.apple.mdworker.shared.04000000-0600-0000-0000-000000000000" 12 | }, 13 | "exec_chain_parent": { 14 | "uuid": "84492D4D-24C3-472E-8C19-6417C51FA1D2" 15 | }, 16 | "exec_env": { 17 | "env": { 18 | "XPC_FLAGS": "0x100" 19 | }, 20 | "env_compiled": "XPC_FLAGS=0x100" 21 | }, 22 | "header": { 23 | "event_id": 43190, 24 | "event_modifier": 0, 25 | "event_name": "AUE_POSIX_SPAWN", 26 | "time_milliseconds_offset": 882, 27 | "time_seconds_epoch": 1571164480, 28 | "version": 11 29 | }, 30 | "host_info": { 31 | "host_name": "VMAC-2C23RW4DY", 32 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 33 | "osversion": "Version 10.15 (Build 19A582a)", 34 | "primary_mac_address": "38:f9:e8:15:5a:82", 35 | "serial_number": "Z2C23RW4DY" 36 | }, 37 | "identity": { 38 | "cd_hash": "92c1a9522cd719ae3c19f843093ada121787ab00", 39 | "signer_id": "com.apple.xpc.launchd", 40 | "signer_id_truncated": 0, 41 | "signer_type": 1, 42 | "team_id": "", 43 | "team_id_truncated": 0 44 | }, 45 | "path": [ 46 | "/dev/console" 47 | ], 48 | "return": { 49 | "description": "success", 50 | "error": 0, 51 | "return_value": 0 52 | }, 53 | "subject": { 54 | "audit_id": 4294967295, 55 | "audit_user_name": "-1", 56 | "effective_group_id": 0, 57 | "effective_group_name": "wheel", 58 | "effective_user_id": 0, 59 | "effective_user_name": "root", 60 | "group_id": 0, 61 | "group_name": "wheel", 62 | "process_hash": "E1CF8C4EB76CE6FC0764B29358EE3EE7AE478224", 63 | "process_id": 1, 64 | "process_name": "/sbin/launchd", 65 | "session_id": 100000, 66 | "terminal_id": { 67 | "addr": [ 68 | 0 69 | ], 70 | "ip_address": "0.0.0.0", 71 | "port": 0, 72 | "type": 0 73 | }, 74 | "user_id": 0, 75 | "user_name": "root" 76 | } 77 | } -------------------------------------------------------------------------------- 
/json_samples_and_schemas/telemetry/samples/AUE_PTRACE.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "addr": 0, 5 | "data": 0, 6 | "process": 8125, 7 | "request": 31 8 | }, 9 | "exec_chain_child": { 10 | "parent_path": "/sbin/launchd", 11 | "parent_pid": 1, 12 | "parent_uuid": "84492D4D-24C3-472E-8C19-6417C51FA1D2" 13 | }, 14 | "header": { 15 | "event_id": 43002, 16 | "event_modifier": 0, 17 | "event_name": "AUE_PTRACE", 18 | "time_milliseconds_offset": 270, 19 | "time_seconds_epoch": 1571152560, 20 | "version": 11 21 | }, 22 | "host_info": { 23 | "host_name": "VMAC-2C23RW4DY", 24 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 25 | "osversion": "Version 10.15 (Build 19A582a)", 26 | "primary_mac_address": "38:f9:e8:15:5a:82", 27 | "serial_number": "Z2C23RW4DY" 28 | }, 29 | "identity": { 30 | "cd_hash": "77e8b86b6a842fa7f0e86a289c48381784853517", 31 | "signer_id": "com.apple.authorizationhost", 32 | "signer_id_truncated": 0, 33 | "signer_type": 1, 34 | "team_id": "", 35 | "team_id_truncated": 0 36 | }, 37 | "return": { 38 | "description": "success", 39 | "error": 0, 40 | "return_value": 0 41 | }, 42 | "subject": { 43 | "audit_id": 4294967295, 44 | "audit_user_name": "-1", 45 | "effective_group_id": 0, 46 | "effective_group_name": "wheel", 47 | "effective_user_id": 0, 48 | "effective_user_name": "root", 49 | "group_id": 0, 50 | "group_name": "wheel", 51 | "process_hash": "6F6FE565B11FC5FF43CD29F64183CCF2EC4E497D", 52 | "process_id": 8125, 53 | "process_name": "/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost", 54 | "session_id": 100000, 55 | "terminal_id": { 56 | "addr": [ 57 | 0 58 | ], 59 | "ip_address": "0.0.0.0", 60 | "port": 0, 61 | "type": 0 62 | }, 63 | "user_id": 0, 64 | "user_name": "root" 65 | } 66 | } -------------------------------------------------------------------------------- 
/json_samples_and_schemas/telemetry/samples/AUE_REMOVE_FROM_GROUP.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "exec_chain_child": { 4 | "parent_path": "/sbin/launchd", 5 | "parent_pid": 1, 6 | "parent_uuid": "072234D8-1BAB-47B6-82AC-0C275A190207" 7 | }, 8 | "header": { 9 | "event_id": 45019, 10 | "event_modifier": 0, 11 | "event_name": "AUE_remove_from_group", 12 | "time_milliseconds_offset": 88, 13 | "time_seconds_epoch": 1570730184, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "identity": { 24 | "cd_hash": "85d569713637049c668874934c04a8dac3056ac1", 25 | "signer_id": "com.apple.opendirectoryd", 26 | "signer_id_truncated": 0, 27 | "signer_type": 1, 28 | "team_id": "", 29 | "team_id_truncated": 0 30 | }, 31 | "return": { 32 | "description": "success", 33 | "error": 0, 34 | "return_value": 0 35 | }, 36 | "subject": { 37 | "audit_id": 502, 38 | "audit_user_name": "john_appleseed", 39 | "effective_group_id": 20, 40 | "effective_group_name": "staff", 41 | "effective_user_id": 502, 42 | "effective_user_name": "john_appleseed", 43 | "group_id": 20, 44 | "group_name": "staff", 45 | "process_hash": "FCED4EC0FD369A22E40D781A9CBE25E215D28D82", 46 | "process_id": 16209, 47 | "process_name": "/System/Library/PreferencePanes/Accounts.prefPane/Contents/XPCServices/com.apple.preferences.users.remoteservice.xpc/Contents/MacOS/com.apple.preferences.users.remoteservice", 48 | "session_id": 100008, 49 | "terminal_id": { 50 | "addr": [ 51 | 0 52 | ], 53 | "ip_address": "0.0.0.0", 54 | "port": 33075, 55 | "type": 0 56 | }, 57 | "user_id": 502, 58 | "user_name": "john_appleseed" 59 | }, 60 | "texts": [ 61 | "Removed Groups membership username from '_lpadmin' node 
'/Local/Default', value = 'presentation'" 62 | ] 63 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SESSION_CLOSE.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "am_failure": 0, 5 | "am_success": 0, 6 | "sflags": 0 7 | }, 8 | "header": { 9 | "event_id": 44904, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SESSION_CLOSE", 12 | "time_milliseconds_offset": 525, 13 | "time_seconds_epoch": 1571163930, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "return": { 24 | "description": "success", 25 | "error": 0, 26 | "return_value": 0 27 | }, 28 | "subject": { 29 | "audit_id": 4294967295, 30 | "audit_user_name": "-1", 31 | "effective_group_id": 0, 32 | "effective_group_name": "wheel", 33 | "effective_user_id": 0, 34 | "effective_user_name": "root", 35 | "group_id": 0, 36 | "group_name": "wheel", 37 | "process_hash": "", 38 | "process_id": 0, 39 | "process_name": "", 40 | "session_id": 100264, 41 | "terminal_id": { 42 | "addr": [ 43 | 0 44 | ], 45 | "ip_address": "0.0.0.0", 46 | "port": 0, 47 | "type": 0 48 | }, 49 | "user_id": 0, 50 | "user_name": "root" 51 | } 52 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SESSION_END.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "am_failure": 0, 5 | "am_success": 0, 6 | "sflags": 0 7 | }, 8 | "header": { 9 | "event_id": 44903, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SESSION_END", 12 | "time_milliseconds_offset": 133, 13 | 
"time_seconds_epoch": 1571163954, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "return": { 24 | "description": "success", 25 | "error": 0, 26 | "return_value": 0 27 | }, 28 | "subject": { 29 | "audit_id": 4294967295, 30 | "audit_user_name": "-1", 31 | "effective_group_id": 0, 32 | "effective_group_name": "wheel", 33 | "effective_user_id": 0, 34 | "effective_user_name": "root", 35 | "group_id": 0, 36 | "group_name": "wheel", 37 | "process_hash": "", 38 | "process_id": 0, 39 | "process_name": "", 40 | "session_id": 100265, 41 | "terminal_id": { 42 | "addr": [ 43 | 0 44 | ], 45 | "ip_address": "0.0.0.0", 46 | "port": 0, 47 | "type": 0 48 | }, 49 | "user_id": 0, 50 | "user_name": "root" 51 | } 52 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SESSION_START.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "am_failure": 0, 5 | "am_success": 0, 6 | "sflags": 0 7 | }, 8 | "header": { 9 | "event_id": 44901, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SESSION_START", 12 | "time_milliseconds_offset": 553, 13 | "time_seconds_epoch": 1571164386, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "return": { 24 | "description": "success", 25 | "error": 0, 26 | "return_value": 0 27 | }, 28 | "subject": { 29 | "audit_id": 4294967295, 30 | "audit_user_name": "-1", 31 | "effective_group_id": 0, 32 | "effective_group_name": "wheel", 
33 | "effective_user_id": 0, 34 | "effective_user_name": "root", 35 | "group_id": 0, 36 | "group_name": "wheel", 37 | "process_hash": "", 38 | "process_id": 0, 39 | "process_name": "", 40 | "session_id": 100267, 41 | "terminal_id": { 42 | "addr": [ 43 | 0 44 | ], 45 | "ip_address": "0.0.0.0", 46 | "port": 0, 47 | "type": 0 48 | }, 49 | "user_id": 0, 50 | "user_name": "root" 51 | } 52 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SESSION_UPDATE.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "am_failure": 12288, 5 | "am_success": 12288, 6 | "sflags": 24624 7 | }, 8 | "header": { 9 | "event_id": 44902, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SESSION_UPDATE", 12 | "time_milliseconds_offset": 64, 13 | "time_seconds_epoch": 1571162251, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "return": { 24 | "description": "success", 25 | "error": 0, 26 | "return_value": 0 27 | }, 28 | "subject": { 29 | "audit_id": 502, 30 | "audit_user_name": "john_appleseed", 31 | "effective_group_id": 0, 32 | "effective_group_name": "wheel", 33 | "effective_user_id": 0, 34 | "effective_user_name": "root", 35 | "group_id": 0, 36 | "group_name": "wheel", 37 | "process_hash": "", 38 | "process_id": 0, 39 | "process_name": "", 40 | "session_id": 100007, 41 | "terminal_id": { 42 | "addr": [ 43 | 0 44 | ], 45 | "ip_address": "0.0.0.0", 46 | "port": 50331650, 47 | "type": 0 48 | }, 49 | "user_id": 0, 50 | "user_name": "root" 51 | } 52 | } -------------------------------------------------------------------------------- 
/json_samples_and_schemas/telemetry/samples/AUE_SETPRIORITY.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "priority": 4, 5 | "which": 6, 6 | "who": 19461 7 | }, 8 | "header": { 9 | "event_id": 31, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SETPRIORITY", 12 | "time_milliseconds_offset": 7, 13 | "time_seconds_epoch": 1570154835, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.14.6 (Build 18G95)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "identity": { 24 | "cd_hash": "6d1769e6e7b4d9d82b432c28da29fa353e5ca186", 25 | "signer_id": "com.apple.launchservicesd", 26 | "signer_id_truncated": 0, 27 | "signer_type": 1, 28 | "team_id": "", 29 | "team_id_truncated": 0 30 | }, 31 | "return": { 32 | "description": "success", 33 | "error": 0, 34 | "return_value": 0 35 | }, 36 | "subject": { 37 | "audit_id": 4294967295, 38 | "audit_user_name": "-1", 39 | "effective_group_id": 0, 40 | "effective_group_name": "wheel", 41 | "effective_user_id": 0, 42 | "effective_user_name": "root", 43 | "group_id": 0, 44 | "group_name": "wheel", 45 | "process_hash": "591057D75FBA4E0F4488C298667B13619D32EB6C", 46 | "process_id": 106, 47 | "process_name": "/System/Library/CoreServices/launchservicesd", 48 | "session_id": 100000, 49 | "terminal_id": { 50 | "addr": [ 51 | 0 52 | ], 53 | "ip_address": "0.0.0.0", 54 | "port": 0, 55 | "type": 0 56 | }, 57 | "user_id": 0, 58 | "user_name": "root" 59 | } 60 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SETTIMEOFDAY.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "header": { 4 | "event_id": 37, 5 | "event_modifier": 0, 6 | 
"event_name": "AUE_SETTIMEOFDAY", 7 | "time_milliseconds_offset": 201, 8 | "time_seconds_epoch": 1571005459, 9 | "version": 11 10 | }, 11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "ff3302b13bed47bc0d3099a7e14ee0fbe6219b45", 20 | "signer_id": "com.apple.timed", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 4294967295, 33 | "audit_user_name": "-1", 34 | "effective_group_id": 266, 35 | "effective_group_name": "_timed", 36 | "effective_user_id": 266, 37 | "effective_user_name": "_timed", 38 | "group_id": 266, 39 | "group_name": "_timed", 40 | "process_hash": "2EC19124474D13ABC02FAFF6A9DA5384B29020AD", 41 | "process_id": 243, 42 | "process_name": "/usr/libexec/timed", 43 | "session_id": 100000, 44 | "terminal_id": { 45 | "addr": [ 46 | 0 47 | ], 48 | "ip_address": "0.0.0.0", 49 | "port": 0, 50 | "type": 0 51 | }, 52 | "user_id": 266, 53 | "user_name": "_timed" 54 | } 55 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SHUTDOWN.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "fd": 40 5 | }, 6 | "header": { 7 | "event_id": 46, 8 | "event_modifier": 0, 9 | "event_name": "AUE_SHUTDOWN", 10 | "time_milliseconds_offset": 567, 11 | "time_seconds_epoch": 1570154220, 12 | "version": 11 13 | }, 14 | "host_info": { 15 | "host_name": "VMAC-2C23RW4DY", 16 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 17 | "osversion": "Version 10.14.6 (Build 18G95)", 18 | 
"primary_mac_address": "38:f9:e8:15:5a:82", 19 | "serial_number": "Z2C23RW4DY" 20 | }, 21 | "identity": { 22 | "cd_hash": "2b653dd2d5e326ebb89baf12107cc62de0d4a620", 23 | "signer_id": "com.apple.iTunes", 24 | "signer_id_truncated": 0, 25 | "signer_type": 1, 26 | "team_id": "", 27 | "team_id_truncated": 0 28 | }, 29 | "return": { 30 | "description": "success", 31 | "error": 0, 32 | "return_value": 0 33 | }, 34 | "subject": { 35 | "audit_id": 502, 36 | "audit_user_name": "john_appleseed", 37 | "effective_group_id": 20, 38 | "effective_group_name": "staff", 39 | "effective_user_id": 502, 40 | "effective_user_name": "john_appleseed", 41 | "group_id": 20, 42 | "group_name": "staff", 43 | "process_hash": "9972915513C86EC91658D822333177CE46E94E55", 44 | "process_id": 19011, 45 | "process_name": "/Applications/iTunes.app/Contents/MacOS/iTunes", 46 | "session_id": 100011, 47 | "terminal_id": { 48 | "addr": [ 49 | 0 50 | ], 51 | "ip_address": "0.0.0.0", 52 | "port": 50331650, 53 | "type": 0 54 | }, 55 | "user_id": 502, 56 | "user_name": "john_appleseed" 57 | } 58 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_SOCKETPAIR.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "domain": 1, 5 | "protocol": 0, 6 | "type": 2 7 | }, 8 | "header": { 9 | "event_id": 186, 10 | "event_modifier": 0, 11 | "event_name": "AUE_SOCKETPAIR", 12 | "time_milliseconds_offset": 560, 13 | "time_seconds_epoch": 1570154220, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.14.6 (Build 18G95)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "identity": { 24 | "cd_hash": "2b653dd2d5e326ebb89baf12107cc62de0d4a620", 25 | "signer_id": "com.apple.iTunes", 26 | 
"signer_id_truncated": 0, 27 | "signer_type": 1, 28 | "team_id": "", 29 | "team_id_truncated": 0 30 | }, 31 | "return": { 32 | "description": "success", 33 | "error": 0, 34 | "return_value": 0 35 | }, 36 | "subject": { 37 | "audit_id": 502, 38 | "audit_user_name": "john_appleseed", 39 | "effective_group_id": 20, 40 | "effective_group_name": "staff", 41 | "effective_user_id": 502, 42 | "effective_user_name": "john_appleseed", 43 | "group_id": 20, 44 | "group_name": "staff", 45 | "process_hash": "9972915513C86EC91658D822333177CE46E94E55", 46 | "process_id": 19011, 47 | "process_name": "/Applications/iTunes.app/Contents/MacOS/iTunes", 48 | "session_id": 100011, 49 | "terminal_id": { 50 | "addr": [ 51 | 0 52 | ], 53 | "ip_address": "0.0.0.0", 54 | "port": 50331650, 55 | "type": 0 56 | }, 57 | "user_id": 502, 58 | "user_name": "john_appleseed" 59 | } 60 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_TASKFORPID.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "arguments": { 4 | "target_port": 259, 5 | "task_port": 7835 6 | }, 7 | "header": { 8 | "event_id": 43048, 9 | "event_modifier": 0, 10 | "event_name": "AUE_TASKFORPID", 11 | "time_milliseconds_offset": 630, 12 | "time_seconds_epoch": 1570154839, 13 | "version": 11 14 | }, 15 | "host_info": { 16 | "host_name": "VMAC-2C23RW4DY", 17 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 18 | "osversion": "Version 10.14.6 (Build 18G95)", 19 | "primary_mac_address": "38:f9:e8:15:5a:82", 20 | "serial_number": "Z2C23RW4DY" 21 | }, 22 | "process": { 23 | "audit_id": 502, 24 | "audit_user_name": "john_appleseed", 25 | "effective_group_id": 20, 26 | "effective_group_name": "staff", 27 | "effective_user_id": 502, 28 | "effective_user_name": "john_appleseed", 29 | "group_id": 20, 30 | "group_name": "staff", 31 | "process_hash": "F38B8461CEC4C0C3930350729C15ACEFFA7F1B10", 
32 | "process_id": 97034, 33 | "process_name": "/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/WorkflowServiceRunner.xpc/Contents/MacOS/WorkflowServiceRunner", 34 | "session_id": 100011, 35 | "terminal_id": { 36 | "addr": [ 37 | 0, 38 | 298845290, 39 | 1, 40 | 1701734754 41 | ], 42 | "ip_address": "0.0.0.0", 43 | "port": 50331650, 44 | "type": 4 45 | }, 46 | "user_id": 502, 47 | "user_name": "john_appleseed" 48 | }, 49 | "return": { 50 | "description": "success", 51 | "error": 0, 52 | "return_value": 0 53 | }, 54 | "subject": { 55 | "audit_id": 4294967295, 56 | "audit_user_name": "-1", 57 | "effective_group_id": 0, 58 | "effective_group_name": "wheel", 59 | "effective_user_id": 0, 60 | "effective_user_name": "root", 61 | "group_id": 0, 62 | "group_name": "wheel", 63 | "process_hash": "564428A216F0E30BB51F31336EE53C61260B7E1D", 64 | "process_id": 774, 65 | "process_name": "/usr/libexec/sysmond", 66 | "session_id": 100000, 67 | "terminal_id": { 68 | "addr": [ 69 | 0 70 | ], 71 | "ip_address": "0.0.0.0", 72 | "port": 0, 73 | "type": 0 74 | }, 75 | "user_id": 0, 76 | "user_name": "root" 77 | } 78 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_TASKNAMEFORPID.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 10, 3 | "arguments": { 4 | "process": 0, 5 | "target_port": 259, 6 | "task_port": 7703 7 | }, 8 | "header": { 9 | "event_id": 43161, 10 | "event_modifier": 0, 11 | "event_name": "AUE_TASKNAMEFORPID", 12 | "time_milliseconds_offset": 468, 13 | "time_seconds_epoch": 1570154839, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.14.6 (Build 18G95)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "return": { 24 | "description": "success", 
25 | "error": 0, 26 | "return_value": 0 27 | }, 28 | "subject": { 29 | "audit_id": 4294967295, 30 | "audit_user_name": "-1", 31 | "effective_group_id": 0, 32 | "effective_group_name": "wheel", 33 | "effective_user_id": 0, 34 | "effective_user_name": "root", 35 | "group_id": 0, 36 | "group_name": "wheel", 37 | "process_hash": "564428A216F0E30BB51F31336EE53C61260B7E1D", 38 | "process_id": 774, 39 | "process_name": "/usr/libexec/sysmond", 40 | "session_id": 100000, 41 | "terminal_id": { 42 | "addr": [ 43 | 0 44 | ], 45 | "ip_address": "0.0.0.0", 46 | "port": 0, 47 | "type": 0 48 | }, 49 | "user_id": 0, 50 | "user_name": "root" 51 | } 52 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_UNMOUNT.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "attributes": { 4 | "device": 0, 5 | "file_access_mode": 16877, 6 | "file_system_id": 16777224, 7 | "node_id": 2, 8 | "owner_group_id": 0, 9 | "owner_group_name": "wheel", 10 | "owner_user_id": 0, 11 | "owner_user_name": "root" 12 | }, 13 | "exec_chain_child": { 14 | "parent_path": "/usr/libexec/diskarbitrationd", 15 | "parent_pid": 229, 16 | "parent_uuid": "BE5CF774-ABEA-44AB-B38A-D33C8BF13EC4" 17 | }, 18 | "header": { 19 | "event_id": 56, 20 | "event_modifier": 0, 21 | "event_name": "AUE_UNMOUNT", 22 | "time_milliseconds_offset": 441, 23 | "time_seconds_epoch": 1571161051, 24 | "version": 11 25 | }, 26 | "host_info": { 27 | "host_name": "VMAC-2C23RW4DY", 28 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 29 | "osversion": "Version 10.15 (Build 19A582a)", 30 | "primary_mac_address": "38:f9:e8:15:5a:82", 31 | "serial_number": "Z2C23RW4DY" 32 | }, 33 | "identity": { 34 | "cd_hash": "cf57b45efd63818602eb1e833caeb34baa0358b9", 35 | "signer_id": "com.apple.umount", 36 | "signer_id_truncated": 0, 37 | "signer_type": 1, 38 | "team_id": "", 39 | "team_id_truncated": 0 40 | }, 41 
| "path": [ 42 | "/Volumes/Recovery", 43 | "/Volumes/Recovery" 44 | ], 45 | "return": { 46 | "description": "success", 47 | "error": 0, 48 | "return_value": 0 49 | }, 50 | "subject": { 51 | "audit_id": 4294967295, 52 | "audit_user_name": "-1", 53 | "effective_group_id": 0, 54 | "effective_group_name": "wheel", 55 | "effective_user_id": 0, 56 | "effective_user_name": "root", 57 | "group_id": 0, 58 | "group_name": "wheel", 59 | "process_hash": "", 60 | "process_id": 19730, 61 | "process_name": "", 62 | "session_id": 100000, 63 | "terminal_id": { 64 | "addr": [ 65 | 0 66 | ], 67 | "ip_address": "0.0.0.0", 68 | "port": 0, 69 | "type": 0 70 | }, 71 | "user_id": 0, 72 | "user_name": "root" 73 | } 74 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_WAIT4.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "pid": 4294967295 5 | }, 6 | "header": { 7 | "event_id": 43060, 8 | "event_modifier": 0, 9 | "event_name": "AUE_WAIT4", 10 | "time_milliseconds_offset": 671, 11 | "time_seconds_epoch": 1570154832, 12 | "version": 11 13 | }, 14 | "host_info": { 15 | "host_name": "VMAC-2C23RW4DY", 16 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 17 | "osversion": "Version 10.14.6 (Build 18G95)", 18 | "primary_mac_address": "38:f9:e8:15:5a:82", 19 | "serial_number": "Z2C23RW4DY" 20 | }, 21 | "identity": { 22 | "cd_hash": "05ed42ef5e67e41ab135b8f24b59f7b42e9b324d", 23 | "signer_id": "com.apple.zsh", 24 | "signer_id_truncated": 0, 25 | "signer_type": 1, 26 | "team_id": "", 27 | "team_id_truncated": 0 28 | }, 29 | "return": { 30 | "description": "failure : No child processes", 31 | "error": 10, 32 | "return_value": 4294967295 33 | }, 34 | "subject": { 35 | "audit_id": 502, 36 | "audit_user_name": "john_appleseed", 37 | "effective_group_id": 20, 38 | "effective_group_name": "staff", 39 | "effective_user_id": 502, 40 | 
"effective_user_name": "john_appleseed", 41 | "group_id": 20, 42 | "group_name": "staff", 43 | "process_hash": "333153896BB2AFB5C0363D381A30D47ECF87243F", 44 | "process_id": 30537, 45 | "process_name": "/bin/zsh", 46 | "session_id": 100011, 47 | "terminal_id": { 48 | "addr": [ 49 | 0 50 | ], 51 | "ip_address": "0.0.0.0", 52 | "port": 50331650, 53 | "type": 0 54 | }, 55 | "user_id": 502, 56 | "user_name": "john_appleseed" 57 | } 58 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_auth_user.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "header": { 4 | "event_id": 45023, 5 | "event_modifier": 0, 6 | "event_name": "AUE_auth_user", 7 | "time_milliseconds_offset": 518, 8 | "time_seconds_epoch": 1571164390, 9 | "version": 11 10 | }, 11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "7ef57b4d358abd21541f9c08f63a0b8fc4d306fc", 20 | "signer_id": "com.apple.biometrickitd", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 502, 33 | "audit_user_name": "john_appleseed", 34 | "effective_group_id": 20, 35 | "effective_group_name": "staff", 36 | "effective_user_id": 502, 37 | "effective_user_name": "john_appleseed", 38 | "group_id": 20, 39 | "group_name": "staff", 40 | "process_hash": "F1886C0ACB95228F7DB86674EF6C36539F2BF1AE", 41 | "process_id": 599, 42 | "process_name": "/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd", 43 | "session_id": 100010, 44 | "terminal_id": { 45 | 
"addr": [ 46 | 0 47 | ], 48 | "ip_address": "0.0.0.0", 49 | "port": 0, 50 | "type": 0 51 | }, 52 | "user_id": 502, 53 | "user_name": "john_appleseed" 54 | }, 55 | "texts": [ 56 | "Touch ID authentication" 57 | ] 58 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_logout.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "exec_chain_child": { 4 | "parent_path": "/sbin/launchd", 5 | "parent_pid": 1, 6 | "parent_uuid": "072234D8-1BAB-47B6-82AC-0C275A190207" 7 | }, 8 | "header": { 9 | "event_id": 6153, 10 | "event_modifier": 0, 11 | "event_name": "AUE_logout", 12 | "time_milliseconds_offset": 957, 13 | "time_seconds_epoch": 1570742178, 14 | "version": 11 15 | }, 16 | "host_info": { 17 | "host_name": "VMAC-2C23RW4DY", 18 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 19 | "osversion": "Version 10.15 (Build 19A582a)", 20 | "primary_mac_address": "38:f9:e8:15:5a:82", 21 | "serial_number": "Z2C23RW4DY" 22 | }, 23 | "identity": { 24 | "cd_hash": "580aaa6336ebbab400f2a63c05526207f5e773cc", 25 | "signer_id": "com.apple.sessionlogoutd", 26 | "signer_id_truncated": 0, 27 | "signer_type": 1, 28 | "team_id": "", 29 | "team_id_truncated": 0 30 | }, 31 | "return": { 32 | "description": "success", 33 | "error": 0, 34 | "return_value": 0 35 | }, 36 | "subject": { 37 | "audit_id": 502, 38 | "audit_user_name": "john_appleseed", 39 | "effective_group_id": 0, 40 | "effective_group_name": "wheel", 41 | "effective_user_id": 0, 42 | "effective_user_name": "root", 43 | "group_id": 20, 44 | "group_name": "staff", 45 | "process_hash": "FAF7444E7CD0C15B8AAB1EB48AD7DE06C039F809", 46 | "process_id": 34693, 47 | "process_name": "/System/Library/CoreServices/sessionlogoutd", 48 | "session_id": 34693, 49 | "terminal_id": { 50 | "addr": [ 51 | 0 52 | ], 53 | "ip_address": "0.0.0.0", 54 | "port": 50331650, 55 | "type": 0 56 | }, 57 | 
"user_id": 502, 58 | "user_name": "john_appleseed" 59 | } 60 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_lw_login.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "header": { 4 | "event_id": 45021, 5 | "event_modifier": 0, 6 | "event_name": "AUE_lw_login", 7 | "time_milliseconds_offset": 235, 8 | "time_seconds_epoch": 1570742279, 9 | "version": 11 10 | }, 11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "2bf9e42cb57800f2e3a43cf2882b88f58282aab2", 20 | "signer_id": "com.apple.loginwindow", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 502, 33 | "audit_user_name": "john_appleseed", 34 | "effective_group_id": 0, 35 | "effective_group_name": "wheel", 36 | "effective_user_id": 0, 37 | "effective_user_name": "root", 38 | "group_id": 20, 39 | "group_name": "staff", 40 | "process_hash": "25220F4B8B3ACAD2B28387AC333401D3E59840EA", 41 | "process_id": 286, 42 | "process_name": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", 43 | "session_id": 100007, 44 | "terminal_id": { 45 | "addr": [ 46 | 0, 47 | 4162898866, 48 | 32707, 49 | 4162897190 50 | ], 51 | "ip_address": "0.0.0.0", 52 | "port": 50331650, 53 | "type": 4 54 | }, 55 | "user_id": 502, 56 | "user_name": "john_appleseed" 57 | } 58 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_ssauthint.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "arguments": { 4 | "authenticated_as_john_appleseed": 502, 5 | "known_UID_": 502 6 | }, 7 | "header": { 8 | "event_id": 45026, 9 | "event_modifier": 0, 10 | "event_name": "AUE_ssauthint", 11 | "time_milliseconds_offset": 338, 12 | "time_seconds_epoch": 1571152560, 13 | "version": 11 14 | }, 15 | "host_info": { 16 | "host_name": "VMAC-2C23RW4DY", 17 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 18 | "osversion": "Version 10.15 (Build 19A582a)", 19 | "primary_mac_address": "38:f9:e8:15:5a:82", 20 | "serial_number": "Z2C23RW4DY" 21 | }, 22 | "identity": { 23 | "cd_hash": "64e8691427f6128ba9aae0cb29739414282f1009", 24 | "signer_id": "com.apple.authd", 25 | "signer_id_truncated": 0, 26 | "signer_type": 1, 27 | "team_id": "", 28 | "team_id_truncated": 0 29 | }, 30 | "return": { 31 | "description": "success", 32 | "error": 0, 33 | "return_value": 0 34 | }, 35 | "subject": { 36 | "audit_id": 502, 37 | "audit_user_name": "john_appleseed", 38 | "effective_group_id": 20, 39 | "effective_group_name": "staff", 40 | "effective_user_id": 502, 41 | "effective_user_name": "john_appleseed", 42 | "group_id": 20, 43 | "group_name": "staff", 44 | "process_hash": "BD94C0345A8F7D010D9EBE611F1CB347ECC4ADD5", 45 | "process_id": 806, 46 | "process_name": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", 47 | "session_id": 100007, 48 | "terminal_id": { 49 | "addr": [ 50 | 0 51 | ], 52 | "ip_address": "0.0.0.0", 53 | "port": 1871, 54 | "type": 0 55 | }, 56 | "user_id": 502, 57 | "user_name": "john_appleseed" 58 | }, 59 | "texts": [ 60 | "com.apple.desktopservices" 61 | ] 62 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_ssauthmech.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "header": { 4 | 
"event_id": 45030, 5 | "event_modifier": 0, 6 | "event_name": "AUE_ssauthmech", 7 | "time_milliseconds_offset": 338, 8 | "time_seconds_epoch": 1571152560, 9 | "version": 11 10 | }, 11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "64e8691427f6128ba9aae0cb29739414282f1009", 20 | "signer_id": "com.apple.authd", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 502, 33 | "audit_user_name": "john_appleseed", 34 | "effective_group_id": 20, 35 | "effective_group_name": "staff", 36 | "effective_user_id": 502, 37 | "effective_user_name": "john_appleseed", 38 | "group_id": 20, 39 | "group_name": "staff", 40 | "process_hash": "BD94C0345A8F7D010D9EBE611F1CB347ECC4ADD5", 41 | "process_id": 806, 42 | "process_name": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", 43 | "session_id": 100007, 44 | "terminal_id": { 45 | "addr": [ 46 | 0 47 | ], 48 | "ip_address": "0.0.0.0", 49 | "port": 1871, 50 | "type": 0 51 | }, 52 | "user_id": 502, 53 | "user_name": "john_appleseed" 54 | }, 55 | "texts": [ 56 | "com.apple.desktopservices", 57 | "mechanism PKINITMechanism:auth,privileged" 58 | ] 59 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/telemetry/samples/AUE_ssauthorize.json: -------------------------------------------------------------------------------- 1 | { 2 | "_event_score": 0, 3 | "header": { 4 | "event_id": 45025, 5 | "event_modifier": 0, 6 | "event_name": "AUE_ssauthorize", 7 | "time_milliseconds_offset": 567, 8 | "time_seconds_epoch": 1571158770, 9 | "version": 11 10 | }, 
11 | "host_info": { 12 | "host_name": "VMAC-2C23RW4DY", 13 | "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF", 14 | "osversion": "Version 10.15 (Build 19A582a)", 15 | "primary_mac_address": "38:f9:e8:15:5a:82", 16 | "serial_number": "Z2C23RW4DY" 17 | }, 18 | "identity": { 19 | "cd_hash": "64e8691427f6128ba9aae0cb29739414282f1009", 20 | "signer_id": "com.apple.authd", 21 | "signer_id_truncated": 0, 22 | "signer_type": 1, 23 | "team_id": "", 24 | "team_id_truncated": 0 25 | }, 26 | "return": { 27 | "description": "success", 28 | "error": 0, 29 | "return_value": 0 30 | }, 31 | "subject": { 32 | "audit_id": 502, 33 | "audit_user_name": "john_appleseed", 34 | "effective_group_id": 20, 35 | "effective_group_name": "staff", 36 | "effective_user_id": 0, 37 | "effective_user_name": "root", 38 | "group_id": 20, 39 | "group_name": "staff", 40 | "process_hash": "3CF4DC499F24412D1953C3280E3974FE097EBD5A", 41 | "process_id": 7934, 42 | "process_name": "/private/var/folders/y1/_qx51bb12qgbj1w28d08f20h0000gp/T/AppTranslocation/C02DBF69-8162-44E3-A289-DFB955FC194E/d/Composer.app/Contents/MacOS/Composer", 43 | "session_id": 100007, 44 | "terminal_id": { 45 | "addr": [ 46 | 0 47 | ], 48 | "ip_address": "0.0.0.0", 49 | "port": 196762, 50 | "type": 0 51 | }, 52 | "user_id": 502, 53 | "user_name": "john_appleseed" 54 | }, 55 | "texts": [ 56 | "end evaluation" 57 | ] 58 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/web_protection/samples/NetworkTrafficStream.json: -------------------------------------------------------------------------------- 1 | { 2 | "event": { 3 | "account": { 4 | "customerId": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25", 5 | "parentId": "7c302632-7ac4-4234-8ada-11d76feb3730" 6 | }, 7 | "device": { 8 | "deviceId": "09f81436-de17-441e-a631-0461252c629b", 9 | "osType": "IOS 11.2.5", 10 | "externalId": "54f1c122-33c0-4c22-a7fe-df7d966ceac4" 11 | }, 12 | "source": { 13 | "ip": "1.2.3.4" 14 | }, 15 | 
"destination": { 16 | "ips": [ 17 | "74.125.193.99", 18 | "74.125.193.105", 19 | "74.125.193.103", 20 | "74.125.193.147", 21 | "74.125.193.106", 22 | "74.125.193.104" 23 | ] 24 | }, 25 | "domain": "google", 26 | "tld": "com", 27 | "dns": { 28 | "responseStatus": "NOERROR", 29 | "ttl": 1024, 30 | "recordType": "A" 31 | }, 32 | "timestamp": "2020-01-30T17:47:41.767Z", 33 | "networkInterface": null, 34 | "hostName": "www.google.com", 35 | "threat": { 36 | "result": "CLEAN", 37 | "types": [] 38 | }, 39 | "signatureId": { 40 | "id": "213", 41 | "name": "DNS Lookup" 42 | }, 43 | "blocked": false, 44 | "receiptTime": 1663844902414, 45 | "user": { 46 | "email": "user@mail.com", 47 | "name": "John Doe" 48 | }, 49 | "metadata": { 50 | "schemaVersion": "1.0", 51 | "vendor": "Jamf", 52 | "product": "Network Traffic Stream" 53 | } 54 | } 55 | } -------------------------------------------------------------------------------- /json_samples_and_schemas/web_protection/samples/ThreatEventsStream.json: -------------------------------------------------------------------------------- 1 | { 2 | "event": { 3 | "metadata": { 4 | "schemaVersion": "1.0", 5 | "vendor": "Jamf", 6 | "product": "Threat Events Stream" 7 | }, 8 | "timestamp": "2020-01-30T17:47:41.767Z", 9 | "alertId": "013b15c9-8f62-4bf1-948a-d82367af2a10", 10 | "account": { 11 | "customerId": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25", 12 | "parentId": "7c302632-7ac4-4234-8ada-11d76feb3730", 13 | "name": "Customer" 14 | }, 15 | "device": { 16 | "deviceId": "09f81436-de17-441e-a631-0461252c629b", 17 | "os": "IOS 11.2.5", 18 | "deviceName": "Apple iPhone 11 (11.2.5)", 19 | "userDeviceName": "Apple iPhone 11", 20 | "externalId": "5087dc0e-876c-4b0e-95ea-5b543476e0c4" 21 | }, 22 | "eventType": { 23 | "id": 213, 24 | "description": "Sideloaded App", 25 | "name": "SIDE_LOADED_APP_IN_INVENTORY" 26 | }, 27 | "app": { 28 | "id": "com.apple.iBooks", 29 | "name": "Books", 30 | "version": "1.1", 31 | "sha1": 
"16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2", 32 | "sha256": "16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042" 33 | }, 34 | "destination": { 35 | "name": "host", 36 | "ip": "ip", 37 | "port": 80 38 | }, 39 | "source": { 40 | "ip": "1.2.3.4", 41 | "port": 3025 42 | }, 43 | "location": "gb", 44 | "accessPoint": "AccessPoint", 45 | "accessPointBssid": "c6:9f:db:b1:73:5a", 46 | "severity": 6, 47 | "user": { 48 | "email": "user@mail.com", 49 | "name": "John Doe" 50 | }, 51 | "eventUrl": "https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767", 52 | "action": "Detected" 53 | } 54 | } -------------------------------------------------------------------------------- /soar_playbooks/README.md: -------------------------------------------------------------------------------- 1 | # SOAR Playbooks 2 | The SOAR playbooks contained within this repository are workflows designed to be executed on an endpoint by Jamf Pro, in response to an analytic detection in Jamf Protect. This is achieved through the remediation integration between the two products, detailed [here](https://docs.jamf.com/jamf-protect/documentation/Setting_Up_Analytic_Remediation_With_Jamf_Pro.html). 3 | 4 | **Leveraging this integration requires the endpoint to be enrolled in both Jamf Protect and a Jamf Pro environment.** 5 | 6 | The general flow of operations through this integration is as follows: 7 | 1. A security event occurs on an endpoint 8 | 1. The event is detected by Jamf Protect's analytic feature 9 | 1. The Jamf Protect agent executes an action in response to the detection, which results in the endpoint being placed into a Smart Computer Group in Jamf Pro, where it is now eligible for scoping inclusion or exclusion of management objects such as Policies or Configuration Profiles 10 | 1. 
The Jamf Pro management framework will proactively check for and execute pending management actions from these features 11 | 12 | # 13 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 14 | -------------------------------------------------------------------------------- /soar_playbooks/aftermath_collection/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .vscode 3 | *.pkg 4 | pkgroot/* 5 | signed/* -------------------------------------------------------------------------------- /soar_playbooks/aftermath_collection/README.md: -------------------------------------------------------------------------------- 1 | # SOAR Playbook - Aftermath Collection 2 | 3 | This SOAR playbook is provided to collect the output from an Aftermath Scan and upload it to a cloud storage solution of your choice. 4 | 5 | ## About Aftermath 6 | 7 | Aftermath is a Swift-based, open-source incident response framework, available on Jamf's open source GitHub repository (https://github.com/jamf/aftermath). 8 | 9 | Aftermath can be leveraged by defenders to collect and subsequently analyze data from a compromised host. When deploying Aftermath via Jamf Pro, this script can be used in tandem with an Aftermath first run, ensuring the data is securely stored in a designated storage solution once an Aftermath collection is complete. Note that the `makefile` in each storage-solution folder copies your local cloud credentials (for example `~/.aws` or `~/.boto`) into the package root, so the resulting `.pkg` contains those credentials and must be stored and distributed with the same care as the credentials themselves. 10 | 11 | ## Storage Solutions 12 | 13 | The workflows in this repository support but are not limited to: 14 | 15 | - [ ] [Amazon S3 Bucket](./aws_s3/) 16 | - [ ] [Google Cloud Storage Bucket](./google_cloud_storage/) 17 | - [ ] [Azure Files](./azure_files/) 18 | 19 | # 20 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 
-------------------------------------------------------------------------------- /soar_playbooks/aftermath_collection/aws_s3/makefile: -------------------------------------------------------------------------------- 1 | PKGTITLE="aws_aftermath" 2 | PKGVERSION=1.0 3 | PKGID="com.jamf.aws.aftermath" 4 | PROJECT="aws_aftermath" 5 | DeveloperID="" 6 | 7 | clean: 8 | rm -f ./${PKGTITLE}-*.pkg 9 | rm -rf pkgroot 10 | rm -rf ./signed 11 | 12 | pkg: clean 13 | mkdir -p pkgroot/opt 14 | mkdir ./signed 15 | cp -r ~/.aws pkgroot/opt/ 16 | chmod -R 400 pkgroot/opt/.aws 17 | pkgbuild --root pkgroot --identifier ${PKGID} --version ${PKGVERSION} ./${PKGTITLE}-${PKGVERSION}.pkg 18 | # productsign --sign ${DeveloperID} ${PKGTITLE}-${PKGVERSION}.pkg signed/${PKGTITLE}-${PKGVERSION}.pkg -------------------------------------------------------------------------------- /soar_playbooks/aftermath_collection/azure_files/images/SASToken.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/soar_playbooks/aftermath_collection/azure_files/images/SASToken.png -------------------------------------------------------------------------------- /soar_playbooks/aftermath_collection/google_cloud_storage/makefile: -------------------------------------------------------------------------------- 1 | PKGTITLE="gcs_aftermath" 2 | PKGVERSION=1.0 3 | PKGID="com.jamf.gcs.aftermath" 4 | PROJECT="aws_aftermath" 5 | DeveloperID="" 6 | 7 | clean: 8 | rm -f ./${PKGTITLE}-*.pkg 9 | rm -rf pkgroot 10 | rm -rf ./signed 11 | 12 | pkg: clean 13 | mkdir -p pkgroot/opt 14 | mkdir ./signed 15 | cp ~/.boto pkgroot/opt/ 16 | chmod 400 pkgroot/opt/.boto 17 | pkgbuild --root pkgroot --identifier ${PKGID} --version ${PKGVERSION} ./${PKGTITLE}-${PKGVERSION}.pkg 18 | # productsign --sign ${DeveloperID} ${PKGTITLE}-${PKGVERSION}.pkg signed/${PKGTITLE}-${PKGVERSION}.pkg 
-------------------------------------------------------------------------------- /soar_playbooks/endpoint_network_isolation/README.md: -------------------------------------------------------------------------------- 1 | # SOAR Playbook - Endpoint Network Isolation 2 | 3 | This SOAR playbook is built to isolate an endpoint and prevent it from communicating with other endpoints and systems. 4 | 5 | If you are looking for a workflow that uses Network Threat Prevention, see [automated network isolation with Jamf Protect](https://trusted.jamf.com/docs/automated-network-isolation-with-jamf-protect) 6 | 7 | The isolation mechanism is achieved using the Packet Filter (pfctl) binary on macOS and will block all inbound and outbound traffic from the endpoint except that which is needed for network connectivity to approved Apple and Jamf services. 8 | 9 | #### This ensures that the endpoint can continue to communicate with Jamf Pro for both non-MDM (e.g. a policy and script) and MDM-driven management (e.g. a configuration profile) for use in responding to a security event. 10 | 11 | There are three components to the playbook: 12 | 13 | 1. A script that will enforce the packet filter rules to block connectivity 14 | 2. A script that will revert the packet filter rules to the default on macOS, permitting connectivity once again 15 | 3. An extension attribute script for Jamf Pro that can be used to report on the status of the playbook once deployed 16 | 17 | **Important** 18 | There is a shared variable used in all three scripts that must contain the same value for all three to function correctly. This is the `$fileName` variable, used to determine the names of the packet filter files. The default is `com.acmesoft.isolate` but this may be set as desired, ideally matching the format above and containing an identifier for your organisation or team. 
19 | 20 | As of v2.0 of the enforce script, the packet filter rules will not re-apply after a system reboot. Encrypting endpoints with FileVault will cause a password to be required to unlock the system after reboot. 21 | # 22 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 23 | -------------------------------------------------------------------------------- /telemetry/README.MD: -------------------------------------------------------------------------------- 1 | 2 | # Telemetry 3 | 4 | The folders in this repository offer guidance and examples pertinent to using Telemetry in Jamf Protect. 5 | 6 | In this repository you will find examples for: 7 | - [ ] [Simple Log File Collection](./simple_log_file_collection/) 8 | 9 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support -------------------------------------------------------------------------------- /telemetry/simple_log_file_collection/img/cups_access_log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/telemetry/simple_log_file_collection/img/cups_access_log.png -------------------------------------------------------------------------------- /telemetry/simple_log_file_collection/img/jamf_log.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/telemetry/simple_log_file_collection/img/jamf_log.png -------------------------------------------------------------------------------- /third_party_integrations/README.md: -------------------------------------------------------------------------------- 1 | # Third Party Integrations 2 | 3 | In this repository, you will find all kinds of resources related to 3rd 
party integrations that can be used together with or alongside Jamf Protect. 4 | 5 | Currently you can find the following resources; more will be added in the future. 6 | 7 | * Data Management examples 8 | 9 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support. -------------------------------------------------------------------------------- /third_party_integrations/ZTNA_Risk_Signaling/README.md: -------------------------------------------------------------------------------- 1 | # Private Access Risk Management 2 | 3 | This repository contains a collection of webhook receiver scripts. The workflow is as follows: 4 | 1. An event from Jamf Protect places a device into a Jamf Pro Smart Computer Group 5 | 2. A webhook from Jamf Pro, triggered by the Smart Computer Group membership, is sent to a webhook receiver 6 | 3. The webhook receiver interacts with the Jamf Security Cloud Risk API and updates the device's risk accordingly 7 | 8 | -------------------------------------------------------------------------------- /third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/README.md: -------------------------------------------------------------------------------- 1 | # Private Access Risk Management 2 | ## AWS Lambda Function 3 | 4 | This script is to be used with an AWS Lambda function, which acts as the webhook receiver. 
5 | 6 | -------------------------------------------------------------------------------- /third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/requests.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/requests.zip -------------------------------------------------------------------------------- /third_party_integrations/alerts_management/AWS/README.md: -------------------------------------------------------------------------------- 1 | # Alerts Management - AWS 2 | 3 | This workflow is provided to send alert data from the endpoint running Jamf Protect to an AWS API gateway which invokes a Lambda function. 4 | The Lambda function parses the JSON data and sends a webhook to any chosen and configured third party tool. 5 | 6 | ## Workflow execution 7 | 8 | - [ ] Alert is generated by Jamf Protect 9 | - [ ] A JSON file containing the details of the alert is sent to an API gateway 10 | - [ ] The API gateway invokes a Lambda function 11 | - [ ] Lambda function parses the JSON data and extracts useful information 12 | - [ ] Webhook is sent to any chosen and configured third party tool 13 | 14 | 15 | ## Workflow Components 16 | 17 | - [ ] AWS API Gateway (REST or HTTP) 18 | - [ ] Lambda function 19 | - [ ] AWS Secrets Manager 20 | 21 | 22 | **AWS Configuration** 23 | 24 | - Create an AWS Lambda function to execute the script 25 | 26 | - From the Lambda Configuration editor, create an AWS API Gateway 27 | 28 | - The scripts are designed to use AWS Secrets Manager to securely retrieve the credentials for Jamf Pro, Jamf Protect, Slack, Microsoft Teams, VirusTotal, etc., which are stored there 29 | Edit the IAM role used by the Lambda function to provide access to `secretsmanager:GetSecretValue` 30 | ```{ 31 | "Version": "2012-10-17", 32 | "Statement": [ 33 | { 34 | "Effect": "Allow", 35 | "Action": [ 36 | 
"secretsmanager:GetSecretValue" 37 | ], 38 | "Resource": [ 39 | "arn:ARN_of_Secret_Manager_Secret_here" 40 | ] 41 | } 42 | ] 43 | }``` 44 | 45 | # 46 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 47 | -------------------------------------------------------------------------------- /third_party_integrations/alerts_management/README.md: -------------------------------------------------------------------------------- 1 | # Alerts Management 2 | 3 | Jamf Protect supports sending alert data to an HTTPS endpoint via the Alert Collection Endpoints under Action Configuration. This allows an organization to send alert data from Jamf Protect to additional reporting tools. 4 | 5 | 6 | The following must be already configured within Jamf Protect: 7 | * Configure a Jamf Protect action to send alert data to an HTTPS endpoint [Alert Collection Endpoint](https://docs.jamf.com/jamf-protect/documentation/Creating_an_Action_Configuration.html) inside an Action configuration. 8 | 9 | 10 | ## Serverless Solutions 11 | 12 | The workflows in this repository support but are not limited to: 13 | - [ ] [AWS](./AWS) 14 | - [ ] [Azure] Coming Soon 15 | 16 | # 17 | ## Please note that all resources contained within this repository are provided as-is and are not officially supported by Jamf Support. 
-------------------------------------------------------------------------------- /third_party_integrations/data_management/README.md: -------------------------------------------------------------------------------- 1 | # SIEM and Data Storage Examples 2 | 3 | Jamf Protect supports forwarding alert and other types of data to the following third-party tools: 4 | * Security Information and Event Management (SIEM) solutions, including but not limited to Microsoft Sentinel and Splunk 5 | * Amazon S3 6 | 7 | The example queries, dashboards and workbooks contained within this repository are designed to help customers begin visualising data transmitted by Jamf Protect and enable active monitoring of security events across their Mac endpoints. 8 | 9 | Forwarding of data requires configuration of one or more of the following: 10 | * Integrate Jamf Protect with a SIEM using an [Alert Collection Endpoint](https://docs.jamf.com/jamf-protect/documentation/Splunk_Integration.html) inside an Action configuration 11 | * Enable the [Data Forwarding feature](https://docs.jamf.com/jamf-protect/documentation/Data_Forwarding_to_a_Third_Party_Storage_Solution.html) 12 | 13 | Updated documentation for the data transmission flow coming soon. 14 | 15 | In this repository you will find examples for: 16 | - [ ] Microsoft Sentinel 17 | - [ ] *Coming Soon* Splunk 18 | 19 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support. 
-------------------------------------------------------------------------------- /third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Incidents_black.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Incidents_black.png -------------------------------------------------------------------------------- /third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Incidents_white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Incidents_white.png -------------------------------------------------------------------------------- /third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Workbook_black.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Workbook_black.png -------------------------------------------------------------------------------- /third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Workbook_white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jamf/jamfprotect/2e8c144976f9393a468e8654a57db802aacbcf2a/third_party_integrations/data_management/microsoft_sentinel/Images/.Microsoft_Sentinel_Workbook_white.png -------------------------------------------------------------------------------- 
/third_party_integrations/data_management/microsoft_sentinel/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel 2 | The files contained in this repository provide example workbooks and queries for Microsoft Sentinel using Jamf Protect as a data source. 3 | 4 | **Microsoft Sentinel: Workbooks:** 5 | 6 | Recently we published the **Jamf Protect for Microsoft Sentinel** solution in the Azure Marketplace and Microsoft Sentinel Content Hub. 7 | 8 | The Jamf Protect for Microsoft Sentinel solution brings detailed event data from macOS endpoints into a Microsoft Sentinel workspace in a simple workflow. The solution provides you with full visibility into Apple Endpoint Security by leveraging Workbooks containing Alert and Unified Logging events captured by Jamf Protect and the macOS built-in security events that occurred across the protected organisational endpoints. 9 | 10 | Navigate to the [Jamf Protect for Microsoft Sentinel](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/jamfsoftwareaustraliaptyltd1620360395539.jamf_protect?tab=Overview) Azure Marketplace listing to find out more! 11 | 12 | ![](./Images/.Microsoft_Sentinel_Workbook_white.png) 13 | 14 | **Microsoft Sentinel: Analytics** 15 | 16 | *Steps to use example Analytics contained within this repository:* 17 | 18 | 1. Open the .json file with your preferred text editor and find and replace `jamfprotect_CL` with your custom Log Type Name (you can find the Log Type Name in Jamf Protect -> Administrative -> Data -> Microsoft Sentinel -> Log Type), then save the file. 19 | 2. Navigate to _https://portal.azure.com_ 20 | 3. Navigate to Microsoft Sentinel 21 | 4. Navigate to the Sentinel Workspace that is being used for Jamf Protect 22 | 5. Navigate to Analytics 23 | 6. Click on the import button in the top menu bar 24 | 7. 
Select the Analytic .JSON file you want to import and click Upload 25 | 26 | ![](./Images/.Microsoft_Sentinel_Incidents_white.png) 27 | 28 | **Disclaimer:** All resources contained in this repository are provided as-is and are not officially supported by Jamf Support. 29 | -------------------------------------------------------------------------------- /unified_log_filters/.template_unified_log_filter: -------------------------------------------------------------------------------- 1 | # .template_unified_log_filter 2 | # 3 | # This Unified Log filter may be used to report on . 4 | # This filter functions by monitoring logging from . 5 | 6 | # Filter Predicate(s): 7 | 8 | 9 | 10 | # Example output: 11 | 12 | 13 | 14 | # Additional Information: 15 | 16 | # 17 | 18 | # Private Data Expected 19 | # See https://github.com/jamf/jamfprotect/wiki/Unified-Log-Filtering 20 | 21 | Yes / No 22 | -------------------------------------------------------------------------------- /unified_log_filters/airdrop_transfer_outbound.yaml: -------------------------------------------------------------------------------- 1 | name: "Airdrop Transfer Outbound" 2 | description: "This Unified Log filter may be used to report on outbound AirDrop file transfers from the Mac. This filter functions by monitoring logging from an AirDrop process spawning from a valid location and a logged string known to indicate an outbound file transfer was offered." 
3 | predicate: "subsystem == "com.apple.sharing" AND process == "AirDrop" AND processImagePath BEGINSWITH "/System/Library" AND eventMessage BEGINSWITH "Successfully issued sandbox extension for"" 4 | tags: 5 | - visibility 6 | - DataLossPrevention 7 | enabled: true 8 | -------------------------------------------------------------------------------- /unified_log_filters/application_firewall_logging.yaml: -------------------------------------------------------------------------------- 1 | name: "Application Firewall Logging" 2 | description: "This Unified Log filter may be used to report on logging from the Application Firewall in macOS. This filter functions by monitoring logging from the com.apple.alf subsystem." 3 | predicate: "subsystem == "com.apple.alf"" 4 | tags: 5 | - visibility 6 | enabled: true 7 | 8 | # If executing these commands locally in Terminal "sudo" will be required. 9 | 10 | # By default private data (such as IP addresses and ports) will be redacted by Apple's Private Logging feature. To disable this for Application Firewall logging specifically, this configuration profile may be enforced: 11 | # https://github.com/usnistgov/macos_security/blob/monterey/includes/com.apple.alf.private_data.mobileconfig 12 | -------------------------------------------------------------------------------- /unified_log_filters/bluetooth_file_exchange_transfer_outbound.yaml: -------------------------------------------------------------------------------- 1 | name: "Bluetooth File Exchange Transfer Outbound" 2 | description: "This Unified Log filter may be used to report on outbound Bluetooth File Exchange file transfers from the Mac. This filter functions by monitoring logging from a Bluetooth File Exchange process spawning from a valid location and a logged string known to indicate an outbound file transfer was initiated." 
3 | predicate: "process == "Bluetooth File Exchange" AND eventMessage CONTAINS[c] "[sendFile]:"" 4 | tags: 5 | - visibility 6 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/cloud_idp_authentication_bypass_and_local_user_authentication.yaml: -------------------------------------------------------------------------------- 1 | name: "Cloud iDP Authentication bypass and Local User Authentication" 2 | description: "This Unified Log filter may be used to report on a user bypassing authentication to the Cloud Identity Provider configured for use with Jamf Connect and instead completing an authentication against a local user account on the device only. 3 | This filter functions by monitoring logging from the Jamf Connect subsystem where the event message contains a known string indicating the behaviour." 4 | predicate: "subsystem == "com.jamf.connect.login" AND eventMessage CONTAINS[c] "Local auth success, allowing login for user"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/failed_authentication_via_jc.yaml: -------------------------------------------------------------------------------- 1 | name: "Failed Authentication through Jamf Connect" 2 | description: "This Unified Log filter may be used to report on failed authentication attempts through the Jamf Connect application. 3 | This filter functions by monitoring logging from the Jamf Connect process where the event message contains a known string indicating the behaviour." 
4 | predicate: "process == "Jamf Connect" AND eventMessage CONTAINS[c] "Authentication failed"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/local_password_change_via_jc_attempt.yaml: -------------------------------------------------------------------------------- 1 | name: "Local Password Change through Jamf Connect Attempt" 2 | description: "This Unified Log filter may be used to report on attempted changes of the user's local password by Jamf Connect to sync with their cloud identity provider password. 3 | This filter functions by monitoring logging from the Jamf Connect process, subsystem, the category used for such events and a specific string known to indicate an attempt at a password change." 4 | predicate: "process == "Jamf Connect" AND subsystem == "com.jamf.connect" AND category == "OpenDirectory" AND eventMessage CONTAINS "Attempting to change password for:"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/local_password_change_via_jc_failure.yaml: -------------------------------------------------------------------------------- 1 | name: "Local Password Change through Jamf Connect Failure" 2 | description: "This Unified Log filter may be used to report on failed attempts at changing the user's local password by Jamf Connect to sync with their cloud identity provider password. 3 | This filter functions by monitoring logging from the Jamf Connect process, subsystem, the category used for such events and a specific string known to indicate a failed attempt at a password change." 
4 | predicate: "process == "Jamf Connect" AND subsystem == "com.jamf.connect" AND category == "OpenDirectory" AND eventMessage CONTAINS "Password change failed"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/local_password_change_via_jc_success.yaml: -------------------------------------------------------------------------------- 1 | name: "Local Password Change through Jamf Connect Success" 2 | description: "This Unified Log filter may be used to report on successful changes of the user's local password by Jamf Connect to sync with their cloud identity provider password. 3 | This filter functions by monitoring logging from the Jamf Connect process, subsystem, the category used for such events and a specific string known to indicate a successful password change." 4 | predicate: "process == "Jamf Connect" AND subsystem == "com.jamf.connect" AND category == "OpenDirectory" AND eventMessage CONTAINS "Succesfully changed password for:"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/local_password_sync_via_jc_menu_bar_failure.yaml: -------------------------------------------------------------------------------- 1 | name: "Local Password Sync through Jamf Connect MenuBar Failure" 2 | description: "This Unified Log filter may be used to report on failed password synchronisation events from the Jamf Connect menu-bar application due to no saved credentials being available. 3 | This filter functions by monitoring logging from the Jamf Connect process where the event message contains a known string indicating the behaviour." 
4 | predicate: "process == "Jamf Connect" AND eventMessage CONTAINS[c] "Error: noSavedCredentials"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/mfa_through_jc_login_window_failure.yaml: -------------------------------------------------------------------------------- 1 | name: "MFA Through Jamf Connect LoginWindow Failure" 2 | description: "This Unified Log filter may be used to report on failed multi-factor authentication (MFA) events at the Jamf Connect login window. 3 | This filter functions by monitoring logging from the Jamf Connect process where the event message contains a known string indicating the behaviour." 4 | predicate: "subsystem == "com.jamf.connect.login" AND eventMessage CONTAINS[c] "completeAuthFailed(shortName:isOtpRunning:error:completion"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/privilege_elevation_all.yaml: -------------------------------------------------------------------------------- 1 | name: "Privilege Elevation Through Jamf Connect" 2 | description: "This Unified Log filter may be used to report on all user privilege elevations and demotions caused by Jamf Connect and all related event messages. 3 | This filter functions by monitoring logging from the Jamf Connect process where the event message contains a known string indicating the behaviour." 
4 | predicate: "subsystem == "com.jamf.connect.daemon" && category == "PrivilegeElevation"" 5 | tags: 6 | - visibility 7 | - jamfconnect 8 | - privileges 9 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_connect/privilege_elevation_elevate_and_demote.yaml: -------------------------------------------------------------------------------- 1 | name: "Privilege Elevation Through Jamf Connect" 2 | description: "This Unified Log filter may be used to report on all user privilege elevations and demotions caused by Jamf Connect. 3 | This filter functions by monitoring logging from the Jamf Connect process where the event message contains a known string indicating the behaviour." 4 | predicate: "subsystem == "com.jamf.connect.daemon" && category == "PrivilegeElevation" && (eventMessage CONTAINS "Added user" OR eventMessage CONTAINS "Removed user")" 5 | tags: 6 | - visibility 7 | - jamfconnect 8 | - privileges 9 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_pro/jamf_pro_management_binary_logging.yaml: -------------------------------------------------------------------------------- 1 | name: "Jamf Pro Management Binary Logging" 2 | description: "This Unified Log filter may be used to report on the activity and logging of the Jamf Pro management binary on a managed Mac and is the same information sent by the binary to /var/log/jamf.log on each endpoint. 3 | This filter functions by monitoring logging from the jamf binary process, subsystem and with a process path that matches the valid jamf binary." 
4 | predicate: "subsystem == "com.jamf.management.binary" AND process == "jamf" AND processImagePath == "/usr/local/jamf/bin/jamf"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_pro/jamf_pro_management_framework_removal.yaml: -------------------------------------------------------------------------------- 1 | name: "Jamf Pro Management Framework Removal" 2 | description: "This Unified Log filter may be used to report on successful removal of the Jamf Pro management framework. 3 | This filter functions by monitoring logging from the Jamf Pro management binary subsystem and for event messages containing known strings that indicate a successful removal." 4 | predicate: "subsystem == "com.jamf.management.binary" AND process == "jamf" AND processImagePath == "/usr/local/jamf/bin/jamf" AND (eventMessage CONTAINS "Removing JAMF Preferences file" OR eventMessage CONTAINS "Removing JAMF Daemon Log files" OR eventMessage CONTAINS "Removing self service" OR eventMessage CONTAINS "Removing scheduled tasks")" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_trust/jamf_trust_disabled.yaml: -------------------------------------------------------------------------------- 1 | name: "Jamf Trust Disabled" 2 | description: "This Unified Log filter may be used to report on Jamf Trust being deactivated on a macOS endpoint. 3 | This filter functions by monitoring logging from the Jamf Trust process, and a specific event message containing information around tunnel deactivation." 
4 | predicate: "processImagePath ENDSWITH[c] "Jamf Trust" AND eventMessage contains[c] "WGLOG: Tunnel deactivation succeeded."" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/jamf_trust/jamf_trust_enabled.yaml: -------------------------------------------------------------------------------- 1 | name: "Jamf Trust Enabled" 2 | description: "This Unified Log filter may be used to report on Jamf Trust being activated on a macOS endpoint. 3 | This filter functions by monitoring logging from the Jamf Trust process, and a specific event message containing information around tunnel activation." 4 | predicate: "processImagePath ENDSWITH[c] "Jamf Trust" AND eventMessage contains[c] "WGLOG: Tunnel activation succeeded."" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/lock_screen_unlock_failure.yaml: -------------------------------------------------------------------------------- 1 | name: "Lock Screen Unlock Failure" 2 | description: "This Unified Log filter may be used to report on failed unlock attempts at the macOS lock screen. 3 | This filter functions by monitoring logging from loginwindow process where the event messaging contains a known string indicating a failed unlock attempt." 
4 | predicate: "processImagePath BEGINSWITH "/System/Library/CoreServices" AND process == "loginwindow" AND eventMessage CONTAINS[c] "INCORRECT"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/mdm_profile_manual_removal.yaml: -------------------------------------------------------------------------------- 1 | name: "MDM Profile Manual Removal" 2 | description: "This Unified Log filter may be used to report on removal of the MDM Profile from an endpoint where the action was completed manually, such as via System Preferences or with a jamf removeMdmProfile command. 3 | This filter functions by monitoring logging from the ManagedClient subsystem where the event message contains a known string found when the MDM Profile is removed." 4 | predicate: "subsystem == "com.apple.ManagedClient" AND eventMessage CONTAINS "Removed configuration profile: MDM Profile" AND eventMessage CONTAINS "Source: Manual"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/modifications_dns_settings.yaml: -------------------------------------------------------------------------------- 1 | name: "Modification of DNS Settings" 2 | description: "This Unified Log filter may be used to report on enabling or disabling the DNS Settings filter in Network Preferences. 3 | This filter functions by monitoring logging from the NetworkExtension subsystem and the nehelper and nesessionmanager processes, with an event message containing a string known to indicate enablement or disablement of the DNS Settings filter in Network System Preferences." 
4 | predicate: "subsystem == "com.apple.networkextension" and process == "nehelper" and eventMessage CONTAINS "DNS settings are enabled" OR subsystem == "com.apple.networkextension" and process == "nesessionmanager" and eventMessage contains "status changed to disconnected, last stop reason Configuration was disabled"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/root_user_enabled_or_password_changed.yaml: -------------------------------------------------------------------------------- 1 | name: "Root user Enabled or Password Changed" 2 | description: "This Unified Log filter may be used to report on the root user being enabled or a password change event for a root user already enabled. 3 | This filter functions by monitoring logging from the opendirectoryd process with a string message known to indicate these events." 4 | predicate: "processImagePath == "/usr/libexec/opendirectoryd" AND process == "opendirectoryd" AND subsystem == "com.apple.opendirectoryd" AND eventMessage CONTAINS "Password changed for root"" 5 | tags: 6 | - visibility 7 | enabled: true -------------------------------------------------------------------------------- /unified_log_filters/third_party/sap_privileges_user_rights_elevations_and_demotions.yaml: -------------------------------------------------------------------------------- 1 | name: "SAP Privileges User Rights Elevations and Demotions" 2 | description: "This Unified Log filter may be used to report on logging from SAP Privileges.app. 3 | This filter functions by monitoring logging from corp.sap.privileges.helper process and event messages containing SAPCorp." 4 | predicate: "process == "corp.sap.privileges.helper" AND eventMessage CONTAINS "SAPCorp"" 5 | tags: 6 | - ThirdParty 7 | - PrivilegeEscalation 8 | enabled: true --------------------------------------------------------------------------------