[New Rules] macOS Unified Logs Login Window and XProtect Detections #5874
DefSecSentinel wants to merge 13 commits into main from
Conversation
Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
| query = ''' | ||
| any where event.dataset == "unified_logs.log" and host.os.type == "macos" and | ||
| message like "*performAutolaunch*" |
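Review bot: the `event.dataset == "unified_logs.log"` filter and the `*performAutolaunch*` pattern in this query will not match real data. Later commits in this thread report that the ingest pipeline sets event.dataset to "unifiedlogs.log", that `message` is match_only_text with no keyword sub-field (so EQL `like` on it fails validation), and that performAutolaunch does not appear in current macOS unified logs, where the login-item launch pattern is LoginItemsLauncher. Suggest filtering on the `unified_log.subsystem` keyword field for com.apple.loginwindow.logging and matching LoginItemsLauncher in `message`, as the ES|QL version later in the PR does.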
| [metadata] | ||
| creation_date = "2026/03/23" | ||
| integration = ["unified_logs"] | ||
| maturity = "development" |
| maturity = "development" | |
| maturity = "production" |
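Review bot: `maturity = "development"` and `integration = ["unified_logs"]` in this [metadata] block are both at odds with the rest of the PR: the summary says the rules are validated and ready for production use now that the Unified Logs integration is GA, and a later commit renames the integration tag to `unifiedlogs` to match the EPR package. Take the suggested `maturity = "production"` and change the integration entry to `unifiedlogs` in the same edit so the metadata and the schema lookup agree.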
| "system.process.cpu.total.norm.pct": "double", | ||
| "system.cpu.total.norm.pct": "double" | ||
| }, | ||
| "logs-unified_logs.log-*": { |
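Review bot: the `"logs-unified_logs.log-*"` key added here to non-ecs-schema.json does not match the index pattern the integration actually writes to (the thread later corrects it to logs-unifiedlogs.unifiedlogs-*), and declaring `message` as keyword here only makes EQL validation pass locally while the real mapping is match_only_text. Drop this hand-written entry and pull the unifiedlogs manifest and schema via the CLI instead, which is what the PR ends up doing.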
This should probably be removed and instead add the integration manifest update
Testing & Validation Update
Login Window and XProtect detection rules validated against live unified log data on the trade lab cluster (
Changes Made During Testing
Emulation Commands (run on macOS host with Unified Logs integration)
Login Item Persistence Execution:
```bash
# 1. Add a test login item (System Events names it "Calculator", after the app)
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/Calculator.app", hidden:false}'
# 2. Log out and log back in (Apple Menu > Log Out)
#    The LoginItemsLauncher events fire during the login window phase
# 3. Cleanup: remove the login item created in step 1
osascript -e 'tell application "System Events" to delete login item "Calculator"'
```
XProtect Malware Scan Match: Cannot be reliably emulated — requires an actual malware signature match from XProtect. Rule pattern validated structurally.
Integration Prerequisites
Validation Results
++ Check out the feedback in #5867 (review) to adjust in this PR
@Mikaayenson Applied the same feedback from 5867: switched to
Adds 2 new alerting rules leveraging macOS Unified Logs telemetry for login item persistence and XProtect malware detection.
New rules:
- Login Item Persistence Execution via Unified Logs (T1547.015): com.apple.loginwindow.logging subsystem, performAutolaunch pattern
- XProtect Malware Scan Match Detected (T1036): com.apple.XProtectFramework.PluginAPI subsystem, high severity
Also adds message field as keyword in non-ECS schema for the logs-unified_logs.log-* index pattern to support EQL validation.
Relates to: elastic/ia-trade-team#847
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch from EQL to KQL since message is match_only_text. Use unified_log.subsystem keyword field for efficient filtering. Update index pattern and event.dataset to match actual integration naming. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The ingest pipeline normalizes event.dataset to "unifiedlogs.log" regardless of the data stream name. Update all rules and index patterns accordingly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pull unifiedlogs integration manifest and schema via CLI
- Fix integration tag: unified_logs -> unifiedlogs (matches EPR package)
- Fix index pattern: logs-unifiedlogs.log-* -> logs-unifiedlogs.unifiedlogs-*
- Fix event.dataset: unifiedlogs.log -> unifiedlogs.unifiedlogs
- All rules pass local validation with updated schemas
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The unifiedlogs integration package names its data streams with version suffixes (e.g. unifiedlogs-0.5.0) which breaks the schema lookup. Renamed dataset keys to match expected format. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
data_stream.dataset is "unifiedlogs.unifiedlogs" but event.dataset is set to "unifiedlogs.log" by the integration. Rules query on event.dataset so must use the correct value. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
KQL cannot query the message field (match_only_text type with no keyword sub-field). ES|QL's LIKE operator works correctly on text fields. Converted both rules to ES|QL with METADATA and KEEP. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
user.name, process.name, process.executable don't exist in the unifiedlogs index. Removed from KEEP to prevent query errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
event.dataset is unifiedlogs.log which maps to package=unifiedlogs, integration=log. Schema needs a 'log' dataset key. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The performAutolaunch pattern doesn't exist in the actual unified logs on current macOS versions. The real login item execution pattern is LoginItemsLauncher, which fires during user login when login items are launched. Updated rule query and description. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Unified Logs integration is now GA. Rules are validated and ready for production use. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Switch ES|QL rules from explicit KEEP field lists to KEEP *
- Fix tags: Domain: macOS -> Domain: Endpoint, add OS: macOS
- Revert non-ecs-schema.json addition of logs-unified_logs.log-*
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
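As an added example (not code from this PR or from the detection-rules project), the following Python applies the two rule predicates the commits above describe to constructed unified-log documents, the way the final ES|QL queries would select them. It assumes the field layout named in the commit messages: event.dataset is "unifiedlogs.log", unified_log.subsystem is a keyword, and message is a text field matched with ES|QL LIKE wildcards (* and ?). The XProtect rule is modelled as subsystem-only because the thread gives no message pattern for it, and the helper names (doc, matches, run_rules, hits_for_pattern) are my own. Every document is constructed, not real telemetry.

```python
"""Added example: run the PR's two rule predicates over constructed
unified-log documents. Field layout is an assumption taken from the
commit messages; sample documents are constructed, not real telemetry."""
import re
from typing import Any, Dict, List, Optional


def doc(subsystem: str, message: str, dataset: str = "unifiedlogs.log",
        os_type: str = "macos") -> Dict[str, Any]:
    """Build a constructed document in the assumed integration layout."""
    return {"event": {"dataset": dataset}, "host": {"os": {"type": os_type}},
            "unified_log": {"subsystem": subsystem}, "message": message}


LOGIN_MSG = "LoginItemsLauncher: launching /Applications/Calculator.app"  # constructed
SAMPLE_DOCS: List[Dict[str, Any]] = [
    doc("com.apple.loginwindow.logging", LOGIN_MSG),                  # 0: login-item hit
    doc("com.apple.loginwindow.logging", "Login Window Application Started"),  # 1: same subsystem, no pattern
    doc("com.apple.XProtectFramework.PluginAPI", "constructed scan-match message"),  # 2: XProtect hit
    doc("com.apple.loginwindow.logging", LOGIN_MSG, os_type="linux"),  # 3: wrong OS
    doc("com.apple.loginwindow.logging", LOGIN_MSG, dataset="unifiedlogs.unifiedlogs"),  # 4: data_stream value, not event.dataset
]

# Rule predicates as the thread describes them. The XProtect rule is modelled
# as subsystem-only (assumption: the PR gives no message pattern for it).
RULES: List[Dict[str, Any]] = [
    {"name": "Login Item Persistence Execution via Unified Logs",
     "subsystem": "com.apple.loginwindow.logging",
     "message_like": "*LoginItemsLauncher*"},
    {"name": "XProtect Malware Scan Match Detected",
     "subsystem": "com.apple.XProtectFramework.PluginAPI",
     "message_like": None},
]


def get_field(document: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as "host.os.type" in a nested document."""
    cur: Any = document
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def esql_like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an ES|QL LIKE pattern (* = any run, ? = one char) into an
    anchored regex; every other character is matched literally (case-sensitive
    here, an assumption)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(rule: Dict[str, Any], document: Dict[str, Any]) -> bool:
    """Mirror the WHERE clause: dataset, OS type, subsystem keyword, optional LIKE."""
    if get_field(document, "event.dataset") != "unifiedlogs.log":
        return False
    if get_field(document, "host.os.type") != "macos":
        return False
    if get_field(document, "unified_log.subsystem") != rule["subsystem"]:
        return False
    pattern: Optional[str] = rule.get("message_like")
    if pattern is None:
        return True
    msg = get_field(document, "message")
    return isinstance(msg, str) and esql_like_to_regex(pattern).match(msg) is not None


def run_rules(docs: List[Dict[str, Any]],
              rules: List[Dict[str, Any]] = RULES) -> Dict[str, List[int]]:
    """Return, per rule name, the indexes of the documents it would alert on."""
    hits: Dict[str, List[int]] = {r["name"]: [] for r in rules}
    for idx, document in enumerate(docs):
        for rule in rules:
            if matches(rule, document):
                hits[rule["name"]].append(idx)
    return hits


def hits_for_pattern(pattern: str,
                     docs: List[Dict[str, Any]] = SAMPLE_DOCS) -> List[int]:
    """Re-run the login-item rule with another LIKE pattern, e.g. the original
    *performAutolaunch* string, to see whether it fires on the same documents."""
    variant = dict(RULES[0], message_like=pattern)
    return run_rules(docs, [variant])[variant["name"]]


if __name__ == "__main__":
    print(run_rules(SAMPLE_DOCS))
    print("performAutolaunch hits:", hits_for_pattern("*performAutolaunch*"))
```

Documents 3 and 4 are there to show the two ways a correct-looking message still produces no alert: the host.os.type guard, and event.dataset carrying the data_stream.dataset value ("unifiedlogs.unifiedlogs") instead of the "unifiedlogs.log" the ingest pipeline writes, which is exactly the mismatch one of the commits above had to fix. Re-running with the original *performAutolaunch* pattern returns nothing.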
Commits force-pushed from 1f99fa6 to a7fb122
Summary
New Alerting Rules
- Login Item Persistence Execution via Unified Logs: com.apple.loginwindow.logging subsystem, performAutolaunch pattern
- XProtect Malware Scan Match Detected: com.apple.XProtectFramework.PluginAPI subsystem
Design Notes
- XProtect rule severity set to high (risk_score 73) given the confidence level.
- Added message: keyword to non-ecs-schema.json for logs-unified_logs.log-* (same fix as companion PRs).
Relates to: https://github.com/elastic/ia-trade-team/issues/847
Test plan
- detection_rules validate-rule
🤖 Generated with Claude Code