This artifact parses JSONL-formatted logs generated by MacMonitor.
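name: MacOS.Logs.MacMonitor
description: |
  This artifact parses JSONL-formatted logs generated by MacMonitor.

  Every file matched by JSONLGlob is parsed with parse_jsonl and one row is
  emitted per event. Rows are filtered by ProcessRegex (on the target
  process name) and InitiatingProcessRegex (on the initiating process
  name); both default to "." so all events are returned unless a narrower
  pattern is supplied.

reference:
  - https://github.com/redcanaryco/mac-monitor

parameters:
  - name: JSONLGlob
    description: "Glob matching the MacMonitor JSONL log files to parse"
    # No default: the operator must point the artifact at the log files.
    default:
  - name: ProcessRegex
    description: "Filter on process name"
    default: .
    type: regex
  - name: InitiatingProcessRegex
    description: "Filter on initiating process name"
    default: .
    type: regex

sources:
  - query: |
      // Resolve the glob once; the SELECT below is evaluated for every file.
      LET MacMonitorLogs <= SELECT FullPath FROM glob(globs=JSONLGlob)

      SELECT
        activity_at_ts AS Timestamp,
        // Drops a fixed 14-character prefix from the raw event type string,
        // presumably the "ES_EVENT_TYPE_" prefix of Endpoint Security event
        // names -- confirm against a sample log before relying on EventType.
        substr(start=14, str=es_event_type) AS EventType,
        target AS ProcessName,
        initiating_process_path AS InitiatingProcessPath,
        initiating_process_name AS InitiatingProcessName,
        initiating_pid AS InitiatingPID,
        initiating_process_signing_id AS InitiatingProcessSigningID,
        initiating_ruid_human AS InitiatingUser,
        initiating_euid_human AS InitiatingEffectiveUser,
        initiating_ruid AS InitiatingUserId,
        // NOTE(review): this projects the *real* uid under the EffectiveUserId
        // column, so InitiatingUserId and InitiatingEffectiveUserId are always
        // equal even when InitiatingUser and InitiatingEffectiveUser differ.
        // Source field for the effective uid not visible here -- verify against
        // the MacMonitor schema and correct the mapping.
        initiating_ruid AS InitiatingEffectiveUserId,
        initiating_process_group_id AS InitiatingProcessGID,
        initiating_process_file_quarantine_type AS InitiatingProcessQuarantineType,
        initiating_process_cdhash AS InitiatingProcessCDHash,
        audit_token AS AuditToken,
        // Column name kept for compatibility with existing consumers; the
        // source field is the *responsible* process audit token.
        responsible_audit_token AS ResponseAuditToken,
        parent_audit_token AS ParentAuditToken,
        macOS AS OSVersion,
        sensor_id AS SensorId,
        path_is_truncated AS PathIsTruncated
      FROM parse_jsonl(accessor="file", filename=MacMonitorLogs.FullPath)
      // Both patterns are applied to log content, i.e. to process names
      // chosen by whatever ran on the host; treat matches as hints, not
      // as a trust boundary.
      WHERE ProcessName =~ ProcessRegex AND
            InitiatingProcessName =~ InitiatingProcessRegex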