This artifact parses Objective-See’s FileMonitor log.
More information about Objective-See and FileMonitor can be found here:
https://objective-see.org/products/utilities.html
name: MacOS.Files.FileMonitor
author: Wes Lambert -- @therealwlambert
description: |
This artifact parses Objective-See's FileMonitor log.
More information about Objective-See and FileMonitor can be found here:
https://objective-see.org/products/utilities.html
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
- name: JSONLGlob
default:
- name: FileRegex
description: "Filter on file name"
default: .
type: regex
- name: PathRegex
description: "Filter on path name"
default: .
type: regex
- name: ProcessRegex
description: "Filter on process name"
default: .
type: regex
- name: UserIdRegex
description: "Filter on user ID"
default: .
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows' OR OS = 'linux' OR OS = 'darwin'
query: |
LET FileMonitorLogs <= SELECT FullPath FROM glob(globs=JSONLGlob)
SELECT * FROM foreach(row={
SELECT * FROM parse_jsonl(filename=FileMonitorLogs.FullPath)}, query={
SELECT
timestamp(string=timestamp) AS Time,
event AS Event,
file.destination AS File,
file.process.pid AS PID,
file.process.name AS Process,
file.process.path AS Path,
file.process.uid AS UID,
file.process.arguments AS Arguments,
file.process.ppid AS `Parent PID`,
file.process.ancestors AS Ancestors,
file.process.`signing info (reported)` AS `Signing Info (Reported)`,
file.process.`signing info (computed)` AS `Signing Info (Computed)`,
file AS _Content
FROM scope()
WHERE File =~ FileRegex
AND Path =~ PathRegex
AND Process =~ ProcessRegex
AND str(str=UID) =~ UserIdRegex
})