From fab226c226a82e4a7e82628c51109eccadfb3236 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?= Date: Thu, 12 May 2022 13:45:19 +0200 Subject: [PATCH 1/6] update log samples for Santa based on version 2022.4 --- .../_dev/deploy/docker/sample_logs/santa.log | 21 ++++++++++--------- .../log/_dev/test/pipeline/test-santa-raw.log | 21 ++++++++++--------- 2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/packages/santa/_dev/deploy/docker/sample_logs/santa.log b/packages/santa/_dev/deploy/docker/sample_logs/santa.log
index eaadc123d0..359df8289b 100644
--- a/packages/santa/_dev/deploy/docker/sample_logs/santa.log
+++ b/packages/santa/_dev/deploy/docker/sample_logs/santa.log
@@ -1,10 +1,11 @@
-[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M
-[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M
-[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=
\ No newline at end of file
+[2022-05-12T11:38:03.923Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|explain=critical system binary|sha256=43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=71993|pidversion=1097732|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.CoreAuthentication.agent
+[2022-05-12T11:38:42.781Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=7207307ca09d2707368ec394e67c6ccff6e48a2d1d86225a3115fe3535a8237c|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=72012|pidversion=1097765|ppid=1|uid=208|user=_trustevaluationagent|gid=208|group=_trustevaluationagent|mode=M|path=/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/Resources/trustevaluationagent|args=trustevaluationagent
+[2022-05-12T11:33:56.696Z] I santad: action=DELETE|path=/private/var/db/SystemPolicy-journal|pid=377|pidversion=833|ppid=1|process=syspolicyd|processpath=/usr/libexec/syspolicyd|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:30:05.248Z] I santad: action=LINK|path=/private/var/db/santa/santa.log|newpath=/private/var/db/santa/santa.log.0|pid=71559|pidversion=1096716|ppid=1|process=newsyslog|processpath=/usr/sbin/newsyslog|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:30:16.125Z] I santad: action=RENAME|path=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.tmp|newpath=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.txt|pid=546|pidversion=1285|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:38:05.278Z] I santad: action=WRITE|path=/private/var/log/com.apple.xpc.launchd/launchd.log|pid=1|pidversion=521|ppid=0|process=launchd|processpath=/sbin/launchd|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:32:33.718Z] I santad: action=DISKDISAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=(null)
+[2022-05-12T11:32:44.184Z] I santad: action=DISKAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=|fs=smbfs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z
+[2022-05-12T11:33:57.166Z] I santad: action=DISKAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z
+[2022-05-12T11:33:57.235Z] I santad: action=DISKAPPEAR|mount=/Volumes/Install Google Drive|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z
+[2022-05-12T11:35:31.436Z] I santad: action=DISKDISAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2
\ No newline at end of file
diff --git a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log
index eaadc123d0..359df8289b 100644
--- a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log
+++ b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log
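Review bot: The new disk samples carry literal placeholder values — `bsdname=(null)` on the first DISKDISAPPEAR line, `serial=(null)` on the Google Drive DISKAPPEAR line, and empty `mount=`, `bsdname=`, `model=`, `serial=`, `bus=` and `dmgpath=` on the others — and the pipeline test in the second patch pins `(null)` as a real value (`"bsdname": "(null)"` under `santa.disk`). Indexing the string `(null)` pollutes aggregations on that field and lets a rule keyed on it match a non-value, so the ingest pipeline should drop `(null)` and empty values before setting `santa.disk.*`; keeping these lines in the sample is useful precisely so the test exercises that path. The same content is repeated byte-for-byte in the test-santa-raw.log hunk below (both blobs are `eaadc123d0..359df8289b`), so any later edit has to be made in both files.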
@@ -1,10 +1,11 @@
-[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M
-[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M
-[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M
-[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=
\ No newline at end of file
+[2022-05-12T11:38:03.923Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|explain=critical system binary|sha256=43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=71993|pidversion=1097732|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.CoreAuthentication.agent
+[2022-05-12T11:38:42.781Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=7207307ca09d2707368ec394e67c6ccff6e48a2d1d86225a3115fe3535a8237c|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=72012|pidversion=1097765|ppid=1|uid=208|user=_trustevaluationagent|gid=208|group=_trustevaluationagent|mode=M|path=/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/Resources/trustevaluationagent|args=trustevaluationagent
+[2022-05-12T11:33:56.696Z] I santad: action=DELETE|path=/private/var/db/SystemPolicy-journal|pid=377|pidversion=833|ppid=1|process=syspolicyd|processpath=/usr/libexec/syspolicyd|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:30:05.248Z] I santad: action=LINK|path=/private/var/db/santa/santa.log|newpath=/private/var/db/santa/santa.log.0|pid=71559|pidversion=1096716|ppid=1|process=newsyslog|processpath=/usr/sbin/newsyslog|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:30:16.125Z] I santad: action=RENAME|path=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.tmp|newpath=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.txt|pid=546|pidversion=1285|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:38:05.278Z] I santad: action=WRITE|path=/private/var/log/com.apple.xpc.launchd/launchd.log|pid=1|pidversion=521|ppid=0|process=launchd|processpath=/sbin/launchd|uid=0|user=root|gid=0|group=wheel
+[2022-05-12T11:32:33.718Z] I santad: action=DISKDISAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=(null)
+[2022-05-12T11:32:44.184Z] I santad: action=DISKAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=|fs=smbfs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z
+[2022-05-12T11:33:57.166Z] I santad: action=DISKAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z
+[2022-05-12T11:33:57.235Z] I santad: action=DISKAPPEAR|mount=/Volumes/Install Google Drive|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z
+[2022-05-12T11:35:31.436Z] I santad: action=DISKDISAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2
\ No newline at end of file
From dda224f2158f7b53336fd5610e24017d461db3c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?= Date: Thu, 12 May 2022 17:32:48 +0200 Subject: [PATCH 2/6] modify ingest pipeline and fields to match with Santa logs --- packages/santa/changelog.yml | 5 + .../pipeline/test-santa-raw.log-expected.json | 496 +++++------------- .../elasticsearch/ingest_pipeline/default.yml | 5 +- packages/santa/data_stream/log/fields/ecs.yml | 6 + .../data_stream/log/fields/package-fields.yml | 6 + packages/santa/data_stream/log/manifest.yml | 1 - packages/santa/docs/README.md | 8 + packages/santa/manifest.yml | 2 +- 8 files changed, 173 insertions(+), 356 deletions(-)
diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml
index 1902d1b4c9..82bd8e742e 100644
--- a/packages/santa/changelog.yml
+++ b/packages/santa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.0"
+ changes:
+ - description: Update log format
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3347
 - version: "2.1.0"
 changes:
 - description: Update to ECS 8.2
diff --git a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
index 7fc49689f2..29f260aa6d 100644
--- a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
+++ b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2018-12-10T06:45:16.802Z",
+ "@timestamp": "2022-05-12T11:38:03.923Z",
 "ecs": {
 "version": "8.2.0"
 },
@@ -11,7 +11,7 @@
 "process"
 ],
 "kind": "event",
- "original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
+ "original": "[2022-05-12T11:38:03.923Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|explain=critical system binary|sha256=43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=71993|pidversion=1097732|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.CoreAuthentication.agent",
 "outcome": "success",
 "type": [
 "start"
@@ -34,22 +34,24 @@
 "process": {
 "args": [
 "/usr/libexec/xpcproxy",
- "/usr/sbin/newsyslog"
+ "xpcproxy",
+ "com.apple.CoreAuthentication.agent"
 ],
 "executable": "/usr/libexec/xpcproxy",
 "hash": {
- "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "sha256": "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 },
 "parent": {
 "pid": 1
 },
- "pid": 29678,
- "start": "2018-12-10T06:45:16.802Z"
+ "pid": 71993,
+ "pidversion": 1097732,
+ "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
 "hash": [
- "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
- "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57",
+ "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 ],
 "user": [
 "root"
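Review bot: `pidversion` is placed inside the ECS `process` object (`"pidversion": 1097732` right after `process.pid`) even though it is not an ECS field; a custom field living in an ECS namespace can collide with a future ECS definition of the same name and is not recognisable as Santa-specific when read from an index. Unless the new `package-fields.yml` entry (not in this chunk) deliberately declares `process.pidversion`, I would map it under the integration namespace instead, e.g. `santa.pidversion`, and keep `process.*` to ECS fields. The same placement repeats for every EXEC and file event in the later hunks of this fixture, so the change belongs in the pipeline rather than in this file.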
@@ -59,11 +61,12 @@
 "action": "EXEC",
 "certificate": {
 "common_name": "Software Signing",
- "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32"
+ "sha256": "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57"
 },
 "decision": "ALLOW",
+ "explain": "critical system binary",
 "mode": "M",
- "reason": "CERT"
+ "reason": "BINARY"
 },
 "tags": [
 "preserve_original_event"
@@ -74,7 +77,7 @@
 }
 },
 {
- "@timestamp": "2018-12-10T06:45:16.802Z",
+ "@timestamp": "2022-05-12T11:38:42.781Z",
 "ecs": {
 "version": "8.2.0"
 },
@@ -84,7 +87,7 @@
 "process"
 ],
 "kind": "event",
- "original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
+ "original": "[2022-05-12T11:38:42.781Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=7207307ca09d2707368ec394e67c6ccff6e48a2d1d86225a3115fe3535a8237c|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=72012|pidversion=1097765|ppid=1|uid=208|user=_trustevaluationagent|gid=208|group=_trustevaluationagent|mode=M|path=/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/Resources/trustevaluationagent|args=trustevaluationagent",
 "outcome": "success",
 "type": [
 "start"
@@ -98,42 +101,42 @@ } }, "group": { - "id": "0", - "name": "wheel" + "id": "208", + "name": "_trustevaluationagent" }, "log": { "level": "I" }, "process": { "args": [ - "/usr/libexec/xpcproxy", - "xpcproxy", - "com.apple.systemstats.daily" + "/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/Resources/trustevaluationagent", + "trustevaluationagent" ], - "executable": "/usr/libexec/xpcproxy", + "executable": "/System/Library/PrivateFrameworks/TrustEvaluationAgent.framework/Versions/A/Resources/trustevaluationagent", "hash": { - "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + "sha256": "7207307ca09d2707368ec394e67c6ccff6e48a2d1d86225a3115fe3535a8237c" }, "parent": { "pid": 1 }, - "pid": 29679, - "start": "2018-12-10T06:45:16.802Z" + "pid": 72012, + "pidversion": 1097765, + "start": "2022-05-12T11:38:42.781Z" }, "related": { "hash": [ - "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57", + "7207307ca09d2707368ec394e67c6ccff6e48a2d1d86225a3115fe3535a8237c" ], "user": [ - "root" + "_trustevaluationagent" ] }, "santa": { "action": "EXEC", "certificate": { "common_name": "Software Signing", - "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32" + "sha256": "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57" }, "decision": "ALLOW", "mode": "M", 
@@ -143,33 +146,22 @@ "preserve_original_event" ], "user": { - "id": "0", - "name": "root" + "id": "208", + "name": "_trustevaluationagent" } }, { - "@timestamp": "2018-12-10T06:45:16.851Z", + "@timestamp": "2022-05-12T11:33:56.696Z", "ecs": { "version": "8.2.0" }, "event": { - "action": "exec", - "category": [ - "process" - ], + "action": "delete", "kind": "event", - "original": "[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", - "outcome": "success", - "type": [ - "start" - ] + "original": "[2022-05-12T11:33:56.696Z] I santad: action=DELETE|path=/private/var/db/SystemPolicy-journal|pid=377|pidversion=833|ppid=1|process=syspolicyd|processpath=/usr/libexec/syspolicyd|uid=0|user=root|gid=0|group=wheel" }, "file": { - "x509": { - "issuer": { - "common_name": "Software Signing" - } - } + "path": "/private/var/db/SystemPolicy-journal" }, "group": { "id": "0", 
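Review bot: The DELETE event loses its ECS categorisation: the old `event.category: ["process"]` and `event.type: ["start"]` lines are removed and nothing takes their place, so the new object carries only `event.action: "delete"` and `event.kind: "event"`. ECS-based detection rules and dashboards filter on `event.category`/`event.type`, so these file events would not be picked up by them; the pipeline should set `event.category: ["file"]` with `event.type: ["deletion"]` here, and likewise `["change"]` for the RENAME and WRITE events and `["creation"]` for the LINK event in the following hunks of this file (the mapping itself lives in `default.yml`, which is not in this chunk). It is also worth confirming that the absence of `event.outcome` on these non-decision events is intended rather than a leftover from the EXEC-only pipeline.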
@@ -180,37 +172,24 @@ }, "process": { "args": [ - "/usr/sbin/newsyslog", - "/usr/sbin/newsyslog" + "/usr/libexec/syspolicyd" ], - "executable": "/usr/sbin/newsyslog", - "hash": { - "sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d" - }, + "executable": "/usr/libexec/syspolicyd", + "name": "syspolicyd", "parent": { "pid": 1 }, - "pid": 29678, - "start": "2018-12-10T06:45:16.851Z" + "pid": 377, + "pidversion": 833, + "start": "2022-05-12T11:33:56.696Z" }, "related": { - "hash": [ - "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d" - ], "user": [ "root" ] }, "santa": { - "action": "EXEC", - "certificate": { - "common_name": "Software Signing", - "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32" - }, - "decision": "ALLOW", - "mode": "M", - "reason": "CERT" + "action": "DELETE" }, "tags": [ "preserve_original_event" 
@@ -221,28 +200,18 @@ } }, { - "@timestamp": "2018-12-10T06:45:16.859Z", + "@timestamp": "2022-05-12T11:30:05.248Z", "ecs": { "version": "8.2.0" }, "event": { - "action": "exec", - "category": [ - "process" - ], + "action": "link", "kind": "event", - "original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", - "outcome": "success", - "type": [ - "start" - ] + "original": "[2022-05-12T11:30:05.248Z] I santad: action=LINK|path=/private/var/db/santa/santa.log|newpath=/private/var/db/santa/santa.log.0|pid=71559|pidversion=1096716|ppid=1|process=newsyslog|processpath=/usr/sbin/newsyslog|uid=0|user=root|gid=0|group=wheel" }, "file": { - "x509": { - "issuer": { - "common_name": "Software Signing" - } - } + "path": "/private/var/db/santa/santa.log", + "target_path": "/private/var/db/santa/santa.log.0" }, "group": { "id": "0", 
@@ -253,38 +222,24 @@ }, "process": { "args": [ - "/usr/sbin/systemstats", - "/usr/sbin/systemstats", - "--daily" + "/usr/sbin/newsyslog" ], - "executable": "/usr/sbin/systemstats", - "hash": { - "sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f" - }, + "executable": "/usr/sbin/newsyslog", + "name": "newsyslog", "parent": { "pid": 1 }, - "pid": 29679, - "start": "2018-12-10T06:45:16.859Z" + "pid": 71559, + "pidversion": 1096716, + "start": "2022-05-12T11:30:05.248Z" }, "related": { - "hash": [ - "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f" - ], "user": [ "root" ] }, "santa": { - "action": "EXEC", - "certificate": { - "common_name": "Software Signing", - "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32" - }, - "decision": "ALLOW", - "mode": "M", - "reason": "CERT" + "action": "LINK" }, "tags": [ "preserve_original_event" 
@@ -295,28 +250,18 @@ } }, { - "@timestamp": "2018-12-10T08:45:27.810Z", + "@timestamp": "2022-05-12T11:30:16.125Z", "ecs": { "version": "8.2.0" }, "event": { - "action": "exec", - "category": [ - "process" - ], + "action": "rename", "kind": "event", - "original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", - "outcome": "success", - "type": [ - "start" - ] + "original": "[2022-05-12T11:30:16.125Z] I santad: action=RENAME|path=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.tmp|newpath=/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.txt|pid=546|pidversion=1285|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel" }, "file": { - "x509": { - "issuer": { - "common_name": "Software Signing" - } - } + "path": "/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.tmp", + "target_path": "/System/Volumes/Data/.Spotlight-V100/Store-V2/DA884A3F-2513-426E-95F0-59244D1625ED/Cache/0000/0000/00e1/14761134.txt" }, "group": { "id": "0", 
@@ -327,37 +272,24 @@ }, "process": { "args": [ - "/usr/libexec/xpcproxy", - "/usr/sbin/newsyslog" + "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores" ], - "executable": "/usr/libexec/xpcproxy", - "hash": { - "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" - }, + "executable": "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores", + "name": "mds_stores", "parent": { "pid": 1 }, - "pid": 29681, - "start": "2018-12-10T08:45:27.810Z" + "pid": 546, + "pidversion": 1285, + "start": "2022-05-12T11:30:16.125Z" }, "related": { - "hash": [ - "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" - ], "user": [ "root" ] }, "santa": { - "action": "EXEC", - "certificate": { - "common_name": "Software Signing", - "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32" - }, - "decision": "ALLOW", - "mode": "M", - "reason": "CERT" + "action": "RENAME" }, "tags": [ "preserve_original_event" 
@@ -368,28 +300,17 @@ } }, { - "@timestamp": "2018-12-10T08:45:27.810Z", + "@timestamp": "2022-05-12T11:38:05.278Z", "ecs": { "version": "8.2.0" }, "event": { - "action": "exec", - "category": [ - "process" - ], + "action": "write", "kind": "event", - "original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", - "outcome": "success", - "type": [ - "start" - ] + "original": "[2022-05-12T11:38:05.278Z] I santad: action=WRITE|path=/private/var/log/com.apple.xpc.launchd/launchd.log|pid=1|pidversion=521|ppid=0|process=launchd|processpath=/sbin/launchd|uid=0|user=root|gid=0|group=wheel" }, "file": { - "x509": { - "issuer": { - "common_name": "Software Signing" - } - } + "path": "/private/var/log/com.apple.xpc.launchd/launchd.log" }, "group": { "id": "0", 
@@ -400,38 +321,24 @@ }, "process": { "args": [ - "/usr/libexec/xpcproxy", - "xpcproxy", - "com.adobe.AAM.Scheduler-1.0" + "/sbin/launchd" ], - "executable": "/usr/libexec/xpcproxy", - "hash": { - "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" - }, + "executable": "/sbin/launchd", + "name": "launchd", "parent": { - "pid": 1 + "pid": 0 }, - "pid": 29680, - "start": "2018-12-10T08:45:27.810Z" + "pid": 1, + "pidversion": 521, + "start": "2022-05-12T11:38:05.278Z" }, "related": { - "hash": [ - "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", - "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" - ], "user": [ "root" ] }, "santa": { - "action": "EXEC", - "certificate": { - "common_name": "Software Signing", - "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32" - }, - "decision": "ALLOW", - "mode": "M", - "reason": "CERT" + "action": "WRITE" }, "tags": [ "preserve_original_event" 
@@ -442,247 +349,132 @@
 }
 },
 {
- "@timestamp": "2018-12-10T21:37:27.247Z",
+ "@timestamp": "2022-05-12T11:32:33.718Z",
 "ecs": {
 "version": "8.2.0"
 },
 "event": {
- "action": "exec",
- "category": [
- "process"
- ],
+ "action": "diskdisappear",
 "kind": "event",
- "original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M",
- "outcome": "success",
- "type": [
- "start"
- ]
- },
- "group": {
- "id": "0",
- "name": "wheel"
+ "original": "[2022-05-12T11:32:33.718Z] I santad: action=DISKDISAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=(null)"
 },
 "log": {
 "level": "I"
 },
- "process": {
- "args": [
- "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd",
- "/usr/local/bin/osqueryd",
- "--flagfile=/private/var/osquery/osquery.flags",
- "--logger_min_stderr=1"
- ],
- "executable": "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd",
- "hash": {
- "sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1"
- },
- "parent": {
- "pid": 1
- },
- "pid": 45084,
- "start": "2018-12-10T21:37:27.247Z"
- },
- "related": {
- "hash": [
- "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1"
- ],
- "user": [
- "root"
- ]
- },
 "santa": {
- "action": "EXEC",
- "decision": "ALLOW",
- "mode": "M",
- "reason": "UNKNOWN"
+ "action": "DISKDISAPPEAR",
+ "disk": {
+ "bsdname": "(null)",
+ "mount": "/Volumes/GoogleDrive",
+ "volume": "Google Drive"
+ }
 },
 "tags": [
 "preserve_original_event"
- ],
- "user": {
- "id": "0",
- "name": "root"
- }
+ ]
 },
 {
- "@timestamp": "2018-12-10T16:24:43.992Z",
+ "@timestamp": "2022-05-12T11:32:44.184Z",
 "ecs": {
 "version": "8.2.0"
 },
 "event": {
- "action": "exec",
- "category": [
- "process"
- ],
+ "action": "diskappear",
"kind": "event",
- "original": "[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M",
- "outcome": "success",
- "type": [
- "start"
- ]
- },
- "file": {
- "x509": {
- "issuer": {
- "common_name": "Software Signing"
- }
- }
- },
- "group": {
- "id": "20",
- "name": "staff"
+ "original": "[2022-05-12T11:32:44.184Z] I santad: action=DISKAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=|fs=smbfs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z"
 },
 "log": {
 "level": "I"
 },
- "process": {
- "args": [
- "/usr/bin/basename"
- ],
- "executable": "/usr/bin/basename",
- "hash": {
- "sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106"
- },
- "parent": {
- "pid": 40756
- },
- "pid": 40757,
- "start": "2018-12-10T16:24:43.992Z"
- },
- "related": {
- "hash": [
- "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
- "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106"
- ],
- "user": [
- "akroh"
- ]
- },
 "santa": {
- "action": "EXEC",
- "certificate": {
- "common_name": "Software Signing",
- "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32"
- },
- "decision": "ALLOW",
- "mode": "M",
- "reason": "CERT"
+ "action": "DISKAPPEAR",
+ "disk": {
+ "appearance": "2001-01-01T00:00:00.000Z",
+ "fs": "smbfs",
+ "mount": "/Volumes/GoogleDrive",
+ "serial": "(null)",
+ "volume": "Google Drive"
+ }
 },
 "tags": [
 "preserve_original_event"
- ],
- "user": {
- "id": "501",
- "name": "akroh"
- }
+ ]
 },
 {
- "@timestamp": "2018-12-14T05:35:38.313Z",
+ "@timestamp": "2022-05-12T11:33:57.166Z",
 "ecs": {
 "version": "8.2.0"
 },
 "event": {
- "action": "exec",
- "category": [
- "process"
- ],
+ "action": 
"diskappear",
 "kind": "event",
- "original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M",
- "outcome": "success",
- "type": [
- "start"
- ]
+ "original": "[2022-05-12T11:33:57.166Z] I santad: action=DISKAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z"
 },
- "file": {
- "x509": {
- "issuer": {
- "common_name": "Developer ID Application: Google, Inc. 
(EQHXZ8M8AV)"
- }
+ "log": {
+ "level": "I"
+ },
+ "santa": {
+ "action": "DISKAPPEAR",
+ "disk": {
+ "appearance": "2022-05-12T11:33:57.043Z",
+ "bsdname": "disk4s2",
+ "bus": "Virtual Interface",
+ "fs": "hfs",
+ "model": "Apple Disk Image",
+ "volume": "Install Google Drive"
 }
 },
- "group": {
- "id": "20",
- "name": "staff"
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2022-05-12T11:33:57.235Z",
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "diskappear",
+ "kind": "event",
+ "original": "[2022-05-12T11:33:57.235Z] I santad: action=DISKAPPEAR|mount=/Volumes/Install Google Drive|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z"
 },
 "log": {
 "level": "I"
 },
- "process": {
- "args": [
- "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
- "/Applications/Google",
- "Chrome.app/Contents/Versions/70.0.3538.110/Google",
- "Chrome",
- "Helper.app/Contents/MacOS/Google",
- "Chrome",
- "Helper",
- "--type=utility",
- "--field-trial-handle=120122713615061869,9401617251746517350,131072",
- "--lang=en-US",
- "--service-sandbox-type=utility",
- "--service-request-channel-token=10458143409865682077",
- "--seatbelt-client=262"
- ],
- "executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
- "hash": {
- "sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7"
- },
- "parent": {
- "pid": 704
- },
- "pid": 89238,
- "start": "2018-12-14T05:35:38.313Z"
- },
- "related": {
- "hash": [
- "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5",
- "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7"
- ],
- "user": [
- "akroh"
- ]
- },
 "santa": {
- "action": "EXEC",
- "certificate": {
- "common_name": "Developer ID Application: Google, Inc. 
(EQHXZ8M8AV)",
- "sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5"
- },
- "decision": "ALLOW",
- "mode": "M",
- "reason": "UNKNOWN"
+ "action": "DISKAPPEAR",
+ "disk": {
+ "appearance": "2022-05-12T11:33:57.043Z",
+ "bsdname": "disk4s2",
+ "bus": "Virtual Interface",
+ "fs": "hfs",
+ "model": "Apple Disk Image",
+ "mount": "/Volumes/Install Google Drive",
+ "volume": "Install Google Drive"
+ }
 },
 "tags": [
 "preserve_original_event"
- ],
- "user": {
- "id": "501",
- "name": "akroh"
- }
+ ]
 },
 {
- "@timestamp": "2018-12-17T03:03:52.337Z",
+ "@timestamp": "2022-05-12T11:35:31.436Z",
 "ecs": {
 "version": "8.2.0"
 },
 "event": {
- "action": "diskappear",
+ "action": "diskdisappear",
 "kind": "event",
- "original": "[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath="
+ "original": "[2022-05-12T11:35:31.436Z] I santad: action=DISKDISAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2"
 },
 "log": {
 "level": "I"
 },
 "santa": {
- "action": "DISKAPPEAR",
+ "action": "DISKDISAPPEAR",
 "disk": {
- "bsdname": "disk1s3",
- "bus": "PCI-Express",
- "fs": "apfs",
- "model": "APPLE SSD SM0512L",
- "mount": "/Volumes/Recovery",
- "serial": "C026495006UHCHH1Q",
- "volume": "Recovery"
+ "bsdname": "disk4s2",
+ "volume": "Install Google Drive"
 }
 },
 "tags": [
diff --git a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index ad51e78fd1..a051a7d100 100644
--- a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -11,8 +11,9 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}\|sha256=%{NOT_SEPARATOR:process.hash.sha256}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}'
- - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\|fs=%{NOT_SEPARATOR:santa.disk.fs}\|model=%{NOT_SEPARATOR:santa.disk.model}\|serial=%{NOT_SEPARATOR:santa.disk.serial}\|bus=%{NOT_SEPARATOR:santa.disk.bus}\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?'
+ - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}(\|explain=%{NOT_SEPARATOR:santa.explain})?\|sha256=%{NOT_SEPARATOR:process.hash.sha256}(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:process.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?'
+ - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|path=%{NOT_SEPARATOR:file.path}(\|newpath=%{NOT_SEPARATOR:file.target_path})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:process.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|process=%{NOT_SEPARATOR:process.name}\|processpath=%{NOT_SEPARATOR:process.executable}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}'
+ - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}?\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}?(\|fs=%{NOT_SEPARATOR:santa.disk.fs})?(\|model=%{NOT_SEPARATOR:santa.disk.model}?)?(\|serial=%{NOT_SEPARATOR:santa.disk.serial}?)?(\|bus=%{NOT_SEPARATOR:santa.disk.bus}?)?(\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?)?(\|appearance=%{TIMESTAMP_ISO8601:santa.disk.appearance})?'
 pattern_definitions:
 NOT_SEPARATOR: '[^\|]+'
 - date:
diff --git a/packages/santa/data_stream/log/fields/ecs.yml b/packages/santa/data_stream/log/fields/ecs.yml
index c54a6a3b13..64d94d0110 100644
--- a/packages/santa/data_stream/log/fields/ecs.yml
+++ b/packages/santa/data_stream/log/fields/ecs.yml
@@ -2,6 +2,10 @@
 name: ecs.version
 - external: ecs
 name: event.ingested
+- external: ecs
+ name: file.path
+- external: ecs
+ name: file.target_path
 - external: ecs
 name: file.x509.issuer.common_name
 - external: ecs
@@ -22,6 +26,8 @@
 name: process.pid
 - external: ecs
 name: process.parent.pid
+- external: ecs
+ name: process.name
 - external: ecs
 name: process.start
 - external: ecs
diff --git a/packages/santa/data_stream/log/fields/package-fields.yml b/packages/santa/data_stream/log/fields/package-fields.yml
index 144d6dacf3..6887ce8d3c 100644
--- a/packages/santa/data_stream/log/fields/package-fields.yml
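Review bot: The second added pattern captures the line's timestamp into `process.start` for the file-operation events (WRITE/DELETE/LINK/RENAME), but that timestamp is when the file operation was logged, not when the acting process started — the expected output earlier on the page shows launchd (pid 1) with `start` equal to the time of a write to launchd.log. Capturing it as `timestamp`, as the disk pattern does (presumably what the `date` processor that follows consumes; its field is outside the hunk), would keep ECS `process.start` truthful for consumers that compute process age from it. Separately, the disk pattern indexes Santa's empty-value renderings verbatim: the expected output on this page shows `"bsdname": "(null)"`, `"serial": "(null)"` and `"appearance": "2001-01-01T00:00:00.000Z"` (the macOS reference-date epoch, so most likely no real appearance time), which would produce false matches for any detection or correlation keyed on those fields. A `remove` processor conditioned on the sentinel, e.g. `if: ctx.santa?.disk?.bsdname == '(null)'`, placed after the grok would drop them; the processor list continues outside the hunk.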
+++ b/packages/santa/data_stream/log/fields/package-fields.yml
@@ -10,6 +10,9 @@
 - name: reason
 type: keyword
 description: Reason for the decision.
+ - name: explain
+ type: keyword
+ description: Further details for the decision.
 - name: mode
 type: keyword
 description: Operating mode of Santa.
@@ -37,6 +40,9 @@
 - name: mount
 type: keyword
 description: The disk volume path.
+ - name: appearance
+ type: date
+ description: Timestamp for volume operation.
 - name: certificate.common_name
 type: keyword
 description: Common name from code signing certificate.
diff --git a/packages/santa/data_stream/log/manifest.yml b/packages/santa/data_stream/log/manifest.yml
index 48cbba9534..77d82dcf3a 100644
--- a/packages/santa/data_stream/log/manifest.yml
+++ b/packages/santa/data_stream/log/manifest.yml
@@ -10,7 +10,6 @@ streams:
 required: true
 show_user: true
 default:
- - /var/log/santa.log
 - /var/db/santa/santa.log
 - name: tags
 type: text
diff --git a/packages/santa/docs/README.md b/packages/santa/docs/README.md
index 1da29ed028..756fec6033 100644
--- a/packages/santa/docs/README.md
+++ b/packages/santa/docs/README.md
@@ -168,6 +168,10 @@ An example event for `log` looks as following:
 | event.dataset | Event dataset | constant_keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.module | Event module | constant_keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.target_path | Target path for symlinks. | keyword |
+| file.target_path.text | Multi-field of `file.target_path`. | match_only_text |
 | file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
 | group.id | Unique identifier for the group on the system/platform. | keyword |
 | group.name | Name of the group. | keyword |
@@ -196,6 +200,8 @@ An example event for `log` looks as following:
 | process.executable | Absolute path to the process executable. | keyword |
 | process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
 | process.parent.pid | Process id. | long |
 | process.pid | Process id. | long |
 | process.start | The time the process started. | date |
@@ -205,6 +211,7 @@ An example event for `log` looks as following:
 | santa.certificate.common_name | Common name from code signing certificate. | keyword |
 | santa.certificate.sha256 | SHA256 hash of code signing certificate. | keyword |
 | santa.decision | Decision that santad took. | keyword |
+| santa.disk.appearance | Timestamp for volume operation. | date |
 | santa.disk.bsdname | The disk BSD name. | keyword |
 | santa.disk.bus | The disk bus protocol. | keyword |
 | santa.disk.fs | The disk volume kind (filesystem type). | keyword |
@@ -212,6 +219,7 @@ An example event for `log` looks as following:
 | santa.disk.mount | The disk volume path. | keyword |
 | santa.disk.serial | The disk serial number. | keyword |
 | santa.disk.volume | The volume name. | keyword |
+| santa.explain | Further details for the decision. | keyword |
 | santa.mode | Operating mode of Santa. | keyword |
 | santa.reason | Reason for the decision. | keyword |
 | tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/santa/manifest.yml b/packages/santa/manifest.yml
index bf20151914..d1fe575358 100644
--- a/packages/santa/manifest.yml
+++ b/packages/santa/manifest.yml
@@ -1,6 +1,6 @@
 name: santa
 title: Google Santa Logs
-version: 2.1.0
+version: 2.2.0
 release: ga
 description: Collect and parse logs from Google Santa instances with Elastic Agent.
 type: integration
From d7850ebb4d732778156c0704068fdb5e205d0e70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?=
Date: Thu, 12 May 2022 17:45:31 +0200
Subject: [PATCH 3/6] update README.md
---
 packages/santa/docs/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/santa/docs/README.md b/packages/santa/docs/README.md
index 756fec6033..d3ab95478f 100644
--- a/packages/santa/docs/README.md
+++ b/packages/santa/docs/README.md
@@ -5,11 +5,11 @@ binaries.
 ## Compatibility
-The Google Santa integration was tested with logs from Santa 0.9.14.
+The Google Santa integration was tested with logs from Santa 2022.4.
 **Google Santa is available for MacOS only.**
-The integration is by default configured to read logs from `/var/log/santa.log`.
+The integration is by default configured to read logs from `/var/db/santa/santa.log`.
 ## Logs
From 4ca682bf8fd0808a4ac4806a4b90f0ad30793412 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?=
Date: Mon, 16 May 2022 12:04:47 +0200
Subject: [PATCH 4/6] update documentation
---
 packages/santa/_dev/build/docs/README.md | 4 +-
 .../santa/data_stream/log/sample_event.json | 75 ++++--------------
 packages/santa/docs/README.md | 75 ++++--------------
 3 files changed, 32 insertions(+), 122 deletions(-)
diff --git a/packages/santa/_dev/build/docs/README.md b/packages/santa/_dev/build/docs/README.md
index a624f03088..53d9cf1b70 100644
--- a/packages/santa/_dev/build/docs/README.md
+++ b/packages/santa/_dev/build/docs/README.md
@@ -5,11 +5,11 @@ binaries.
 ## Compatibility
-The Google Santa integration was tested with logs from Santa 0.9.14.
+The Google Santa integration was tested with logs from Santa 2022.4.
 **Google Santa is available for MacOS only.**
-The integration is by default configured to read logs from `/var/log/santa.log`.
+The integration is by default configured to read logs from `/var/db/santa/santa.log`.
 ## Logs
diff --git a/packages/santa/data_stream/log/sample_event.json b/packages/santa/data_stream/log/sample_event.json
index 268e5c1d0b..7aed19d965 100644
--- a/packages/santa/data_stream/log/sample_event.json
+++ b/packages/santa/data_stream/log/sample_event.json
@@ -1,34 +1,15 @@
 {
- "@timestamp": "2018-12-10T06:45:16.802Z",
- "agent": {
- "ephemeral_id": "e9d120ee-3138-47d0-9bf8-5b007a85f20e",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "santa.log",
- "namespace": "ep",
- "type": "logs"
- },
+ "@timestamp": "2022-05-12T11:38:03.923Z",
 "ecs": {
 "version": "8.2.0"
 },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
 "event": {
 "action": "exec",
- "agent_id_status": "verified",
 "category": [
 "process"
 ],
- "dataset": "santa.log",
- "ingested": "2022-02-02T05:02:06Z",
 "kind": "event",
+ "original": "[2022-05-12T11:38:03.923Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|explain=critical system binary|sha256=43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=71993|pidversion=1097732|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.CoreAuthentication.agent",
 "outcome": "success",
 "type": [
 "start"
@@ -45,57 +26,30 @@
 "id": "0",
 "name": "wheel"
 },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
- "ip": [
- "172.19.0.6"
- ],
- "mac": [
- "02:42:ac:13:00:06"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.13.0-27-generic",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "log"
- },
 "log": {
- "file": {
- "path": "/tmp/service_logs/santa.log"
- },
- "level": "I",
- "offset": 0
+ "level": "I"
 },
 "process": {
 "args": [
 "/usr/libexec/xpcproxy",
- "/usr/sbin/newsyslog"
+ "xpcproxy",
+ "com.apple.CoreAuthentication.agent"
 ],
 "executable": "/usr/libexec/xpcproxy",
 "hash": {
- "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "sha256": "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 },
 "parent": {
 "pid": 1
 },
- "pid": 29678,
- "start": "2018-12-10T06:45:16.802Z"
+ "pid": 71993,
+ "pidversion": 1097732,
+ "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
 "hash": [
- "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
- "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57",
+ "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 ],
 "user": [
 "root"
@@ -105,14 +59,15 @@
 "action": "EXEC",
 "certificate": {
 "common_name": "Software Signing",
- "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32"
+ "sha256": "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57"
 },
 "decision": "ALLOW",
+ "explain": "critical system binary",
 "mode": "M",
- "reason": "CERT"
+ "reason": "BINARY"
 },
 "tags": [
- "santa-log"
+ "preserve_original_event"
 ],
 "user": {
 "id": "0",
diff --git a/packages/santa/docs/README.md b/packages/santa/docs/README.md
index d3ab95478f..bfd8e97312 100644
--- a/packages/santa/docs/README.md
+++ b/packages/santa/docs/README.md
@@ -21,36 +21,17 @@ An example event for `log` looks as following:
 ```json
 {
- "@timestamp": "2018-12-10T06:45:16.802Z",
- "agent": {
- "ephemeral_id": "e9d120ee-3138-47d0-9bf8-5b007a85f20e",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "santa.log",
- "namespace": "ep",
- "type": "logs"
- },
+ "@timestamp": "2022-05-12T11:38:03.923Z",
 "ecs": {
 "version": "8.2.0"
 },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
 "event": {
 "action": "exec",
- "agent_id_status": "verified",
 "category": [
 "process"
 ],
- "dataset": "santa.log",
- "ingested": "2022-02-02T05:02:06Z",
 "kind": "event",
+ "original": "[2022-05-12T11:38:03.923Z] I santad: action=EXEC|decision=ALLOW|reason=BINARY|explain=critical system binary|sha256=43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d|cert_sha256=d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57|cert_cn=Software Signing|pid=71993|pidversion=1097732|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.CoreAuthentication.agent",
 "outcome": "success",
 "type": [
 "start"
@@ -67,57 +48,30 @@ An example event for `log` looks as following:
 "id": "0",
 "name": "wheel"
 },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "4ccba669f0df47fa3f57a9e4169ae7f1",
- "ip": [
- "172.19.0.6"
- ],
- "mac": [
- "02:42:ac:13:00:06"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.13.0-27-generic",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "log"
- },
 "log": {
- "file": {
- "path": "/tmp/service_logs/santa.log"
- },
- "level": "I",
- "offset": 0
+ "level": "I"
 },
 "process": {
 "args": [
 "/usr/libexec/xpcproxy",
- "/usr/sbin/newsyslog"
+ "xpcproxy",
+ "com.apple.CoreAuthentication.agent"
 ],
 "executable": "/usr/libexec/xpcproxy",
 "hash": {
- "sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "sha256": "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 },
 "parent": {
 "pid": 1
 },
- "pid": 29678,
- "start": "2018-12-10T06:45:16.802Z"
+ "pid": 71993,
+ "pidversion": 1097732,
+ "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
 "hash": [
- "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",
- "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4"
+ "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57",
+ "43158bf397bf52001067319c591249307e2862daf8690828c15cdcc1ddf6166d"
 ],
 "user": [
 "root"
@@ -127,14 +81,15 @@ An example event for `log` looks as following:
 "action": "EXEC",
 "certificate": {
 "common_name": "Software Signing",
- "sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32"
+ "sha256": "d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57"
 },
 "decision": "ALLOW",
+ "explain": "critical system binary",
 "mode": "M",
- "reason": "CERT"
+ "reason": "BINARY"
 },
 "tags": [
- "santa-log"
+ "preserve_original_event"
 ],
 "user": {
 "id": "0",
From 575dd1d63e62aae94e0564b4ee93064c9c178c6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?=
Date: Mon, 16 May 2022 16:02:10 +0200
Subject: [PATCH 5/6] mark release as breaking-change
---
 packages/santa/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml
index 82bd8e742e..defd75a9c2 100644
--- a/packages/santa/changelog.yml
+++ b/packages/santa/changelog.yml
@@ -2,7 +2,7 @@
 - version: "2.2.0"
 changes:
 - description: Update log format
- type: bugfix
+ type: breaking-change
 link: https://github.com/elastic/integrations/pull/3347
 - version: "2.1.0"
 changes:
From f4f44c604be8066e7e54277a122b7b8b23bce067 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dami=C3=A0=20Poquet=20Femenia?=
Date: Tue, 17 May 2022 09:37:43 +0200
Subject: [PATCH 6/6] change pidversion field and package version description
---
 packages/santa/changelog.yml | 4 ++--
 .../pipeline/test-santa-raw.log-expected.json | 20 +++++++++----------
 .../elasticsearch/ingest_pipeline/default.yml | 4 ++--
 .../data_stream/log/fields/package-fields.yml | 3 +++
 .../santa/data_stream/log/sample_event.json | 2 +-
 packages/santa/docs/README.md | 3 ++-
 packages/santa/manifest.yml | 2 +-
 7 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml
index defd75a9c2..5028e1cd08 100644
--- a/packages/santa/changelog.yml
+++ b/packages/santa/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
-- version: "2.2.0"
+- version: "3.0.0"
 changes:
- - description: Update log format
+ - description: Update log format to support the GA releases of Santa. The pre-GA Santa log format (circa 2017) is no longer accepted.
 type: breaking-change
 link: https://github.com/elastic/integrations/pull/3347
 - version: "2.1.0"
diff --git a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
index 29f260aa6d..aca0ba1701 100644
--- a/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
+++ b/packages/santa/data_stream/log/_dev/test/pipeline/test-santa-raw.log-expected.json
@@ -45,7 +45,6 @@
 "pid": 1
 },
 "pid": 71993,
- "pidversion": 1097732,
 "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
@@ -66,6 +65,7 @@
 "decision": "ALLOW",
 "explain": "critical system binary",
 "mode": "M",
+ "pidversion": 1097732,
 "reason": "BINARY"
 },
 "tags": [
@@ -120,7 +120,6 @@
 "pid": 1
 },
 "pid": 72012,
- "pidversion": 1097765,
 "start": "2022-05-12T11:38:42.781Z"
 },
 "related": {
@@ -140,6 +139,7 @@
 },
 "decision": "ALLOW",
 "mode": "M",
+ "pidversion": 1097765,
 "reason": "CERT"
 },
 "tags": [
@@ -180,7 +180,6 @@
 "pid": 1
 },
 "pid": 377,
- "pidversion": 833,
 "start": "2022-05-12T11:33:56.696Z"
 },
 "related": {
@@ -189,7 +188,8 @@
 ]
 },
 "santa": {
- "action": "DELETE"
+ "action": "DELETE",
+ "pidversion": 833
 },
 "tags": [
 "preserve_original_event"
@@ -230,7 +230,6 @@
 "pid": 1
 },
 "pid": 71559,
- "pidversion": 1096716,
 "start": "2022-05-12T11:30:05.248Z"
 },
 "related": {
@@ -239,7 +238,8 @@
 ]
 },
 "santa": {
- "action": "LINK"
+ "action": "LINK",
+ "pidversion": 1096716
 },
 "tags": [
 "preserve_original_event"
@@ -280,7 +280,6 @@
 "pid": 1
 },
 "pid": 546,
- "pidversion": 1285,
 "start": "2022-05-12T11:30:16.125Z"
 },
 "related": {
@@ -289,7 +288,8 @@
 ]
 },
 "santa": {
- "action": "RENAME"
+ "action": "RENAME",
+ "pidversion": 1285
 },
 "tags": [
 "preserve_original_event"
@@ -329,7 +329,6 @@
 "pid": 0
 },
 "pid": 1,
- "pidversion": 521,
 "start": "2022-05-12T11:38:05.278Z"
 },
 "related": {
@@ -338,7 +337,8 @@
 ]
 },
 "santa": {
- "action": "WRITE"
+ "action": "WRITE",
+ "pidversion": 521
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a051a7d100..fab9d306a7 100644
--- a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -11,8 +11,8 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}(\|explain=%{NOT_SEPARATOR:santa.explain})?\|sha256=%{NOT_SEPARATOR:process.hash.sha256}(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:process.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?'
- - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|path=%{NOT_SEPARATOR:file.path}(\|newpath=%{NOT_SEPARATOR:file.target_path})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:process.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|process=%{NOT_SEPARATOR:process.name}\|processpath=%{NOT_SEPARATOR:process.executable}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{N
UMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}'
+ - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: 
action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}(\|explain=%{NOT_SEPARATOR:santa.explain})?\|sha256=%{NOT_SEPARATOR:process.hash.sha256}(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:santa.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?'
+ - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|path=%{NOT_SEPARATOR:file.path}(\|newpath=%{NOT_SEPARATOR:file.target_path})?\|pid=%{NUMBER:process.pid:long}\|pidversion=%{NUMBER:santa.pidversion:long}\|ppid=%{NUMBER:process.parent.pid:long}\|process=%{NOT_SEPARATOR:process.name}\|processpath=%{NOT_SEPARATOR:process.executable}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}'
 - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}?\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}?(\|fs=%{NOT_SEPARATOR:santa.disk.fs})?(\|model=%{NOT_SEPARATOR:santa.disk.model}?)?(\|serial=%{NOT_SEPARATOR:santa.disk.serial}?)?(\|bus=%{NOT_SEPARATOR:santa.disk.bus}?)?(\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?)?(\|appearance=%{TIMESTAMP_ISO8601:santa.disk.appearance})?'
 pattern_definitions:
 NOT_SEPARATOR: '[^\|]+'
diff --git a/packages/santa/data_stream/log/fields/package-fields.yml b/packages/santa/data_stream/log/fields/package-fields.yml
index 6887ce8d3c..e53706fbcc 100644
--- a/packages/santa/data_stream/log/fields/package-fields.yml
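Review bot: In the rewritten file-operation pattern, `newpath=` is still captured into `file.target_path`, which ECS defines as the target path for symlinks (the README table earlier on the page documents it that way), yet the expected output on this commit shows the same pattern serving RENAME events, where `newpath` is the rename destination rather than a link target. A package field such as `santa.newpath` (keyword) would be faithful for every action, with `file.target_path` copied only for link events via a `set` processor guarded by `if: ctx.santa?.action == 'LINK'`; whether Santa's LINK denotes a symlink or a hard link cannot be determined from this page and is worth confirming before keeping the ECS mapping at all. The grok processor's surrounding processor list continues outside this hunk.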
+++ b/packages/santa/data_stream/log/fields/package-fields.yml
@@ -49,3 +49,6 @@
 - name: certificate.sha256
 type: keyword
 description: SHA256 hash of code signing certificate.
+ - name: pidversion
+ type: long
+ description: macOS process identity version.
diff --git a/packages/santa/data_stream/log/sample_event.json b/packages/santa/data_stream/log/sample_event.json
index 7aed19d965..66e962dc5f 100644
--- a/packages/santa/data_stream/log/sample_event.json
+++ b/packages/santa/data_stream/log/sample_event.json
@@ -43,7 +43,6 @@
 "pid": 1
 },
 "pid": 71993,
- "pidversion": 1097732,
 "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
@@ -64,6 +63,7 @@
 "decision": "ALLOW",
 "explain": "critical system binary",
 "mode": "M",
+ "pidversion": 1097732,
 "reason": "BINARY"
 },
 "tags": [
diff --git a/packages/santa/docs/README.md b/packages/santa/docs/README.md
index bfd8e97312..eace619b35 100644
--- a/packages/santa/docs/README.md
+++ b/packages/santa/docs/README.md
@@ -65,7 +65,6 @@ An example event for `log` looks as following:
 "pid": 1
 },
 "pid": 71993,
- "pidversion": 1097732,
 "start": "2022-05-12T11:38:03.923Z"
 },
 "related": {
@@ -86,6 +85,7 @@ An example event for `log` looks as following:
 "decision": "ALLOW",
 "explain": "critical system binary",
 "mode": "M",
+ "pidversion": 1097732,
 "reason": "BINARY"
 },
 "tags": [
@@ -176,6 +176,7 @@ An example event for `log` looks as following:
 | santa.disk.volume | The volume name. | keyword |
 | santa.explain | Further details for the decision. | keyword |
 | santa.mode | Operating mode of Santa. | keyword |
+| santa.pidversion | macOS process identity version. | long |
 | santa.reason | Reason for the decision. | keyword |
 | tags | List of keywords used to tag each event. | keyword |
 | user.id | Unique identifier of the user. | keyword |
diff --git a/packages/santa/manifest.yml b/packages/santa/manifest.yml
index d1fe575358..9fcd71b70f 100644
--- a/packages/santa/manifest.yml
+++ b/packages/santa/manifest.yml
@@ -1,6 +1,6 @@
 name: santa
 title: Google Santa Logs
-version: 2.2.0
+version: 3.0.0
 release: ga
 description: Collect and parse logs from Google Santa instances with Elastic Agent.
 type: integration