[New Rules] macOS Unified Logs Apple Event Detections#5867
Open
DefSecSentinel wants to merge 17 commits into main from
Conversation
Adds 5 new alerting rules and 1 hunting query leveraging the macOS Unified Logs integration to detect malicious AppleScript activity via Apple Event telemetry from the `com.apple.appleevents` subsystem.

Alerting rules:
- Hidden Text Password Prompt via AppleScript (T1056.002)
- Volume Mute via AppleScript (T1059.002)
- Clipboard Access via AppleScript (T1115)
- AppleScript ASCII Character Obfuscation and Shell Execution (T1027, T1059.002)
- AppleScript Run Script from Hidden File in Staging Directory (T1059.002, T1564.001)

Hunting query:
- Do Shell Script Execution via Apple Events (T1059.002)

Relates to: elastic/ia-trade-team#847

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
⛔️ Test failed Results
Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
- Documentation and Context
- Rule Metadata Checks
- New BBR Rules
- Testing and Validation
- Convert all 4 KQL alerting rules to EQL (`any where ... message like`) to avoid wildcard queries on the `message` field, which is `match_only_text` type and does not support KQL wildcards
- Add missing markdown documentation for the hunting query at hunting/macos/docs/execution_do_shell_script_via_apple_events.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Register `message` as `match_only_text` for the `logs-unified_logs.log-*` index pattern so the EQL validator recognizes the field in Apple Event detection rules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The EQL validator's `KqlSchema2Eql` `type_mapping` only supports `keyword`, `ip`, `float`, `integer`, and `boolean`. Text types (including `match_only_text`) return `None` and cause "Field not recognized" errors. Register `message` as `keyword` so EQL treats it as a string type.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Switch from `message` wildcard matching to enriched keyword fields (`apple_event.type_code`, `apple_event.mute`, `apple_event.decoded_payloads`, `apple_event.parameters`). Update index pattern from `logs-unified_logs.log-*` to `logs-unifiedlogs.unifiedlogs-*` and `event.dataset` to match actual integration naming.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pull unifiedlogs integration manifest and schema via CLI
- Fix integration tag: `unified_logs` -> `unifiedlogs` (matches EPR package)
- Fix index pattern: `logs-unifiedlogs.log-*` -> `logs-unifiedlogs.unifiedlogs-*`
- Fix event.dataset: `unifiedlogs.log` -> `unifiedlogs.unifiedlogs`
- All rules pass local validation with updated schemas

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`data_stream.dataset` is "unifiedlogs.unifiedlogs" but `event.dataset` is set to "unifiedlogs.log" by the integration. Rules query on `event.dataset`, so they must use the correct value.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Convert 4 non-sequence rules from EQL to ES|QL to avoid text field issues and schema validation problems
- ASCII obfuscation sequence rule stays EQL (ES|QL doesn't support sequences)
- Add 'log' dataset alias in schema to match event.dataset value (`unifiedlogs.log` splits to package=unifiedlogs, integration=log)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Testing & Validation Update

All Apple Event detection rules have been validated end-to-end against live unified log data on the trade lab cluster (

Changes Made During Testing

Emulation Commands (run on macOS host with Unified Logs integration)
- Password Prompt via AppleScript: `osascript -e 'display dialog "Enter your password:" default answer "" with hidden answer'`
- Volume Mute via AppleScript: `osascript -e 'set volume with output muted'`
- Clipboard Access via AppleScript: `osascript -e 'the clipboard'`
- ASCII Obfuscation + Shell Exec: `osascript -e 'set cmd to (ASCII character 108) & (ASCII character 115)' -e 'do shell script cmd'`
- Run Script from Hidden File:

```
echo '#!/bin/bash\necho test' > /tmp/.hidden_test.sh && chmod +x /tmp/.hidden_test.sh
osascript -e 'do shell script "/tmp/.hidden_test.sh"'
rm /tmp/.hidden_test.sh
```

Integration Prerequisites

Validation Results
Unified Logs integration is now GA. Rules are validated and ready for production use. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix investigation guide title to match rule name for hidden file rule
- Add "Resources: Investigation Guide" tag to all rules with note field

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

(`com.apple.appleevents` subsystem)

New Alerting Rules

New Hunting Query

Key Design Decisions
- `message` field wildcard matching since the Unified Logs integration (v0.4.0 beta) has sparse ECS field mappings
- Index pattern: `logs-unified_logs.log-*`
- `runs=5` to require repeated ASCII character obfuscation before shell execution
- Staging directories: `/tmp/`, `/private/tmp/`, `/var/tmp/`, and `/Users/Shared/`
- `development` given the beta status of the integration

Relates to: https://github.com/elastic/ia-trade-team/issues/847

Test plan
- `detection_rules validate-rule` (requires Python 3.12 env)
- `runs=5` threshold

🤖 Generated with Claude Code
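As an added example that is not part of this PR or the detection-rules repository: a toy Python evaluator of the rule logic described in this thread (the four single-event alerting rules, the `do shell script` hunting match, the hidden-file-in-staging-directory check, and the ASCII-obfuscation sequence with its `runs=5` threshold), run over constructed log records. The record layout is an assumption made for illustration: ECS-style dotted keys, `event.dataset` set to `unifiedlogs.log` as the later commit notes, `message` holding the AppleScript text of the Apple Event, and an `apple_event.mute` flag standing in for the integration's enriched keyword fields. It is not the Unified Logs integration's real schema, and the host/pid grouping and one-minute `maxspan` are choices of this example, not values from the PR.

```python
"""Added example (not the PR's rule files): a toy evaluator for the detection
logic described in this PR, run over constructed log records. The record
layout (ECS-style dotted keys, `message` carrying the AppleScript text of the
Apple Event, an `apple_event.mute` flag) is an assumption for illustration,
not the Unified Logs integration's actual schema."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

DATASET = "unifiedlogs.log"  # value the integration writes to event.dataset (per the PR)
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
ASCII_CHAR_RE = re.compile(r"ASCII character\s+\d+", re.IGNORECASE)
DO_SHELL_RE = re.compile(r"do shell script\s+(.+)", re.IGNORECASE)


def classify(record):
    """Names of the single-event rules (and the hunting query) matched by one
    record. Records from any other dataset never match."""
    if record.get("event.dataset") != DATASET:
        return []
    msg = record.get("message", "")
    low = msg.lower()
    hits = []
    if "display dialog" in low and "with hidden answer" in low:
        hits.append("Hidden Text Password Prompt via AppleScript")
    if record.get("apple_event.mute") or "set volume with output muted" in low:
        hits.append("Volume Mute via AppleScript")
    if "the clipboard" in low:
        hits.append("Clipboard Access via AppleScript")
    m = DO_SHELL_RE.search(msg)
    if m:
        hits.append("Do Shell Script Execution via Apple Events")  # hunting query
        cmd = m.group(1).strip().strip('"')
        target = cmd.split()[0] if cmd else ""  # first token of the shell command
        if target.startswith(STAGING_DIRS) and os.path.basename(target).startswith("."):
            hits.append("AppleScript Run Script from Hidden File in Staging Directory")
    return hits


def detect_ascii_obfuscation_sequence(records, runs=5, maxspan=timedelta(minutes=1)):
    """Approximates the EQL sequence rule: per (host, pid), at least `runs`
    "ASCII character" events followed by a do shell script event, all within
    `maxspan`. Returns one alert dict per qualifying shell execution."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("event.dataset") == DATASET:
            by_key[(r.get("host.name"), r.get("process.pid"))].append(r)
    alerts = []
    for (host, pid), recs in by_key.items():
        recs.sort(key=lambda r: r["@timestamp"])
        ascii_times = []
        for r in recs:
            ts = datetime.fromisoformat(r["@timestamp"])
            if ASCII_CHAR_RE.search(r.get("message", "")):
                ascii_times.append(ts)
            elif DO_SHELL_RE.search(r.get("message", "")):
                recent = [t for t in ascii_times if ts - t <= maxspan]
                if len(recent) >= runs:
                    alerts.append({"host": host, "pid": pid, "ascii_events": len(recent),
                                   "shell_event": r["message"]})
                ascii_times = []  # a shell event closes the sequence either way
    return alerts


def _rec(ts, pid, message, **extra):
    """Build one constructed record in the assumed layout."""
    base = {"@timestamp": ts, "event.dataset": DATASET, "host.name": "mac-lab-01",
            "process.name": "osascript", "process.pid": pid, "message": message}
    base.update(extra)
    return base


# Constructed sample records mirroring the emulation commands listed in the PR.
SAMPLE_RECORDS = [
    _rec("2024-01-01T10:00:00", 4001,
         'display dialog "Enter your password:" default answer "" with hidden answer'),
    _rec("2024-01-01T10:00:05", 4002, "set volume with output muted", **{"apple_event.mute": True}),
    _rec("2024-01-01T10:00:10", 4003, "the clipboard"),
    _rec("2024-01-01T10:00:15", 4004, 'do shell script "/tmp/.hidden_test.sh"'),
    # Five separate ASCII-character events, then a shell execution: meets runs=5.
    *[_rec(f"2024-01-01T10:01:{i:02d}", 4242, f"set cmd to cmd & (ASCII character {c})")
      for i, c in enumerate((108, 115, 32, 45, 108))],
    _rec("2024-01-01T10:01:30", 4242, "do shell script cmd"),
    # Only three ASCII-character events before the shell call: below the threshold.
    *[_rec(f"2024-01-01T10:02:{i:02d}", 4343, f"set c to (ASCII character {c})")
      for i, c in enumerate((105, 100, 32))],
    _rec("2024-01-01T10:02:30", 4343, "do shell script c"),
    # Record from another dataset: must never match, even with a matching message.
    {"@timestamp": "2024-01-01T10:03:00", "event.dataset": "system.syslog", "message": "the clipboard"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        for name in classify(r):
            print(f"[{r['@timestamp']}] pid={r.get('process.pid')} -> {name}")
    for a in detect_ascii_obfuscation_sequence(SAMPLE_RECORDS):
        print("SEQUENCE ALERT:", a)
```

The dataset guard at the top of both functions is the point of the `event.dataset` fix discussed in the commits: a rule keyed on the wrong dataset value silently matches nothing, so the evaluator makes the filter explicit and the sample set includes an off-dataset record to prove it is enforced. The sequence approximation resets its counter after every `do shell script` event, so a second shell call needs a fresh run of obfuscation events to alert again.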