[New Rules] macOS Unified Logs Login Window and XProtect Detections

detection_rules/etc/non-ecs-schema.json

@@ -282,5 +282,8 @@
   "metrics-*": {
     "system.process.cpu.total.norm.pct": "double",
     "system.cpu.total.norm.pct": "double"
+  },
+  "logs-unified_logs.log-*": {
+    "message": "keyword"
   }
 }

rules/integrations/unified_logs/defense_evasion_xprotect_malware_scan_match.toml

@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects XProtect malware scan matches via the macOS Unified Logs `com.apple.XProtectFramework.PluginAPI` subsystem.
+XProtect is Apple's built-in malware detection system that scans files using YARA-based signature rules. When a scan
+produces a match, it indicates that a known malware signature was detected on the endpoint. While XProtect events are
+rare, they are extremely high-confidence indicators of malicious software presence. This rule correlates XProtect scan
+results with Elastic Security telemetry to provide additional context for investigation and response. This subsystem
+does not require debug or private data enablement.
+"""
+false_positives = [
+    """
+    XProtect scan matches are high-confidence indicators and false positives are uncommon. However, legitimate
+    security research tools, penetration testing software, or sample files used in security training may trigger
+    XProtect signatures. Verify the detected file and its context before taking remediation action.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "XProtect Malware Scan Match Detected"
+note = """## Triage and analysis
+
+### Investigating XProtect Malware Scan Match Detected
+
+This rule detects when Apple's XProtect framework identifies a malware signature match during a file scan. XProtect uses YARA-based rules maintained by Apple and is a strong indicator that known malware is present on the endpoint.
+
+### Possible investigation steps
+
+- Review the `message` field to identify the XProtect signature that matched and the scanned file details.
+- Correlate with Elastic Defend telemetry to determine the full context: which process created or downloaded the flagged file, and what activity followed.
+- Check if XProtect quarantined or blocked the file, or if the malware was able to execute.
+- Look up the XProtect signature name against Apple's published XProtect rules or public malware databases for additional intelligence.
+- Review the host for additional indicators of compromise, including persistence mechanisms, network connections, and other suspicious process activity.
+- Check the file's origin — was it downloaded from the internet, received via email, or transferred from removable media?
+
+### False positive analysis
+
+- XProtect matches are high-confidence and rarely produce false positives.
+- Security research samples or penetration testing tools may trigger legitimate detections.
+- Archived or quarantined malware samples stored on disk could trigger scans.
+
+### Response and remediation
+
+- Immediately isolate the affected host if the malware is confirmed active.
+- Verify XProtect's remediation action (quarantine, block, or allow) and take manual action if needed.
+- Collect the flagged file for further analysis if not already quarantined.
+- Review the infection vector and timeline to determine if other hosts may be affected.
+- Check for post-compromise activity (lateral movement, data exfiltration, persistence).
+"""
+references = [
+    "https://support.apple.com/en-us/102445",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 73
+rule_id = "d33b49d6-dd67-4a5d-ad9a-c3437dffc487"
+severity = "high"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.XProtectFramework.PluginAPI"
+  AND message LIKE "*match*"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "unified_log.subsystem",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]

rules/integrations/unified_logs/persistence_login_item_persistence_execution_via_loginwindow.toml

@@ -0,0 +1,109 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects login item persistence execution via the macOS Unified Logs `com.apple.loginwindow.logging` subsystem. The
+`LoginItemsLauncher` message indicates that login items were launched during user login. Login items are a common
+persistence mechanism used by macOS malware to ensure execution after system reboot. While many legitimate
+applications register login items for auto-start behavior, unexpected or recently added login items warrant
+investigation. This subsystem produces very low event volume with high signal fidelity, making it an effective
+detection source. This rule operates at default log level and does not require debug or private data enablement.
+"""
+false_positives = [
+    """
+    Many legitimate applications register login items for auto-start behavior, including cloud storage clients
+    (Dropbox, Google Drive), communication tools (Slack, Teams), security software, and system utilities. Review
+    the launched application identity in the message field to determine if the login item is expected.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Login Item Persistence Execution via Unified Logs"
+note = """## Triage and analysis
+
+### Investigating Login Item Persistence Execution via Unified Logs
+
+This rule detects the `LoginItemsLauncher` pattern from the `com.apple.loginwindow.logging` subsystem, which fires when login items are launched during user login. Login items persist across reboots and are a favored persistence mechanism for macOS malware.
+
+### Possible investigation steps
+
+- Review the `message` field to identify the application or script that was auto-launched at login.
+- Correlate with Elastic Defend telemetry to determine the full process chain and binary details (code signature, path, hash).
+- Check whether the login item was recently added by reviewing Login Items in System Settings or via `sfltool dumpbtm`.
+- Look for other persistence mechanisms on the same host (LaunchAgents, LaunchDaemons, cron jobs) that may be part of the same attack chain.
+- Check if the auto-launched application performs suspicious post-login activity (network connections, credential access, data collection).
+- Review the host for recent software installations or modifications that could explain the new login item.
+
+### False positive analysis
+
+- Cloud storage sync clients (Dropbox, iCloud Drive, Google Drive) commonly register login items.
+- Communication tools (Slack, Microsoft Teams, Discord) use login items for auto-start.
+- Security and IT management software (antivirus, MDM agents) register login items.
+- macOS system services and Apple applications may trigger this pattern during updates.
+
+### Response and remediation
+
+- If the login item is unrecognized, investigate its origin and remove it via System Settings > General > Login Items.
+- Check for associated persistence files in `~/Library/LaunchAgents/`, `/Library/LaunchAgents/`, or the BackgroundTaskManagement database.
+- If the login item is confirmed malicious, remove all associated files and persistence mechanisms.
+- Review the host for additional indicators of compromise.
+"""
+references = [
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+    "https://developer.apple.com/documentation/servicemanagement/smappservice",
+]
+risk_score = 21
+rule_id = "e360db98-825c-4674-9dbc-0b3d42cc706f"
+severity = "low"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Persistence",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.loginwindow.logging"
+  AND message LIKE "*LoginItemsLauncher*"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.015"
+name = "Login Items"
+reference = "https://attack.mitre.org/techniques/T1547/015/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "unified_log.subsystem",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]