MacOS.UnifiedLogParser

This is a simple, un-optimized artifact that leverages Mandiant’s macos-unifiedlogs/unifiedlog_parser to obtain parsed log information from macOS’s Unified Log.

From the project’s description:

A simple Rust library that can help parse the macOS Unified Log files.

Unified Logs were introduced in macOS version 10.12 (Sierra, 2016). They are part of Apple’s goal to create a unified log format for all Apple products. They exist on macOS, iOS, watchOS and tvOS. The Unified Logs replace many of the old log formats Apple used. This simple library can be used to parse files.

Additional information: https://github.com/mandiant/macos-UnifiedLogs


name: MacOS.UnifiedLogParser
description: |

  This is a simple, un-optimized artifact that leverages Mandiant's `macos-unifiedlogs`/`unifiedlog_parser` to obtain parsed log information from macOS's Unified Log.

  From the project's description:
  
  A simple Rust library that can help parse the macOS Unified Log files.

  Unified Logs were introduced in macOS version 10.12 (Sierra, 2016). They are part of Apple's goal to create a unified log format for all Apple products. They exist on macOS, iOS, watchOS and tvOS. The Unified Logs replace many of the old log formats Apple used. This simple library can be used to parse files.

  Additional information: https://github.com/mandiant/macos-UnifiedLogs

author: Wes Lambert - @therealwlambert

reference:
  - https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs

required_permissions:
  - EXECVE

precondition: SELECT OS From info() where OS = 'darwin'

tools:
  - name: UnifiedLogParser
    url: https://github.com/mandiant/macos-UnifiedLogs/releases/download/v1.0.0/unifiedlog_parser

sources:
  - query: |
      LET ULP <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="UnifiedLogParser")
      LET RunULP <= SELECT * FROM execve(argv=["./" + basename(path=ULP.FullPath[0])], cwd=dirname(path=ULP.FullPath[0]))
      SELECT * FROM parse_csv(accessor="file", filename=dirname(path=ULP.FullPath[0]) + "/output.csv")
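
The query above hands the whole output.csv back to the server; an analyst usually narrows it afterwards. As an added example (not part of this artifact or of Mandiant's tool), the Python below parses that CSV with the standard library and filters it by subsystem, log type and time window. The column names, the ISO 8601 timestamp format and the sample rows are assumptions constructed here, not taken from the parser's documentation.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of unifiedlog_parser's output.csv.
# Column names are an assumption (the real file carries more columns).
# The second data row has a quoted Message spanning two lines: Unified
# Log messages do this routinely, and it breaks naive line splitting.
SAMPLE_CSV = (
    "Timestamp,Event Type,Log Type,Subsystem,PID,Process,Message\n"
    "2023-05-01T12:00:01.000000Z,Log,Default,com.apple.example,42,/usr/libexec/exampled,startup complete\n"
    "2023-05-01T12:00:05.000000Z,Log,Error,com.apple.example,42,/usr/libexec/exampled,\"config error:\nmissing key\"\n"
    "2023-05-01T12:01:00.000000Z,Log,Default,com.example.agent,77,/usr/local/bin/agent,heartbeat\n"
    "2023-05-01T12:02:00.000000Z,Log,Default,com.apple.example,43,/usr/libexec/exampled,startup complete\n"
)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp (assumed output format) to datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_rows(text):
    """Parse CSV text into dicts; csv.DictReader honours quoted newlines."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rows(rows, subsystem_prefix=None, log_type=None, start=None, end=None):
    """Keep rows matching an optional subsystem prefix, log type and
    inclusive UTC window (start/end given as ISO 8601 strings)."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    out = []
    for r in rows:
        ts = parse_ts(r["Timestamp"])
        if subsystem_prefix and not r["Subsystem"].startswith(subsystem_prefix):
            continue
        if log_type and r["Log Type"] != log_type:
            continue
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        out.append(r)
    return out


def count_by_process(rows):
    """Count how many entries each process emitted; a quick triage view."""
    return Counter(r["Process"] for r in rows)
```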