What do I need to log to the SIEM as security logs on macOS?

Hi, I want to cover all security events on macOS in the SIEM. Can I get some help with it?

Thank you

Accepted Reply

I presume that SIEM refers to security information and event management.

It’s not clear from your post whether:

  • You’re trying to accomplish this task directly, or

  • You want to build a product to help others accomplish this task

Please clarify.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Hi Eskimo, yes, you are right. I am using Wazuh SIEM and have only one rule for detecting this kind of event: level="info" process == "sudo" process == "sessionlogoutd" process == "sshd" process == "tccd" process == "screensharingd" message contains "Authentication" process == "securityd" eventMessage contains "Session" and subsystem == "com.apple.securityd"

    I am sure that there are a bunch more things to collect regarding security ... for example syscalls?

    Thank you
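The rule quoted above is a set of unified-log predicates (process names, a message substring, and one subsystem). An added example, not code from the original thread or from Wazuh, of the same selection applied to records from `log show --style ndjson` (one JSON object per line, with the `processImagePath`, `eventMessage`, `subsystem`, `messageType` and `timestamp` fields that command emits). It reads the rule as an OR-list of clauses, which is an assumption about the author's intent, and also emits the equivalent NSPredicate string for `log show`/`log stream --predicate`. The sample records are constructed. Note that the unified log does not carry syscall-level events; that visibility comes from the Endpoint Security framework, which is what Quinn's "endpoint security product" remark refers to.

```python
"""Select security-relevant macOS unified-log records for SIEM forwarding.

Added example (not the thread's or Wazuh's own code). Reads NDJSON as produced
by `log show --style ndjson`; the clauses mirror the Wazuh rule quoted in the
thread, interpreted (assumption) as "match if any clause matches".
"""
import json
import os
from typing import List, Optional, Tuple

# Process names from the thread's rule. processImagePath is a full path in
# the NDJSON output, so records are matched on its basename.
WATCHED_PROCESSES = ("sudo", "sessionlogoutd", "sshd", "tccd", "screensharingd", "securityd")


def classify(rec: dict) -> Optional[str]:
    """Return a tag naming the clause a record matched, or None if it is not of interest."""
    proc = os.path.basename(rec.get("processImagePath") or "")
    msg = rec.get("eventMessage") or ""
    subsystem = rec.get("subsystem") or ""
    if proc in WATCHED_PROCESSES:
        return f"process:{proc}"
    if "Authentication" in msg:
        return "message:authentication"
    if subsystem == "com.apple.securityd" and "Session" in msg:
        return "securityd:session"
    return None


def log_predicate() -> str:
    """The same clauses as one NSPredicate string for `log show --predicate '...'`.

    Info-level records are only shown by `log show` with --info, which is the
    level="info" part of the thread's rule.
    """
    clauses = [f'process == "{p}"' for p in WATCHED_PROCESSES]
    clauses.append('eventMessage CONTAINS "Authentication"')
    clauses.append('(subsystem == "com.apple.securityd" AND eventMessage CONTAINS "Session")')
    return " OR ".join(clauses)


def select_events(ndjson_text: str) -> List[Tuple[str, str, str]]:
    """Parse NDJSON lines and return (tag, timestamp, message) for matching records.

    Non-JSON lines are skipped rather than aborting the collector, so one bad
    line from the log pipeline does not silently stop forwarding.
    """
    selected = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        tag = classify(rec)
        if tag:
            selected.append((tag, rec.get("timestamp", ""), rec.get("eventMessage", "")))
    return selected


# Constructed sample records in the shape of `log show --style ndjson` output.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"timestamp": "2024-01-01 10:00:00.000000+0000", "messageType": "Default",
                "processImagePath": "/usr/bin/sudo", "subsystem": "",
                "eventMessage": "alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls"}),
    json.dumps({"timestamp": "2024-01-01 10:00:01.000000+0000", "messageType": "Default",
                "processImagePath": "/usr/libexec/securityd", "subsystem": "com.apple.securityd",
                "eventMessage": "Session 100004 created"}),
    json.dumps({"timestamp": "2024-01-01 10:00:02.000000+0000", "messageType": "Info",
                "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
                "subsystem": "com.apple.loginwindow",
                "eventMessage": "Authentication succeeded for user alice"}),
    json.dumps({"timestamp": "2024-01-01 10:00:03.000000+0000", "messageType": "Default",
                "processImagePath": "/usr/libexec/timed", "subsystem": "com.apple.timed",
                "eventMessage": "clock sync ok"}),
    "this line is not JSON and is skipped",
])

if __name__ == "__main__":
    for tag, ts, msg in select_events(SAMPLE_NDJSON):
        print(f"{ts} [{tag}] {msg}")
    print("predicate:", log_predicate())
```

On a Mac the predicate can drive the collector directly, for example `log stream --style ndjson --info --predicate "$(python3 thisfile.py | tail -1 | cut -d' ' -f2-)"` piped into the SIEM agent; the Python filter is useful when the agent already ships the whole NDJSON stream and you want to tag records before they are indexed.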

Replies

Yes, that is correct, I want to monitor all log events which are related to security, for example syscalls?

I want to monitor all log events which are related to security

Do you expect to write code to achieve this goal?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

To write code? What for? It is an option if needed, of course.

To write code? What for?

You asked your question on Apple Developer Forums, where our primary focus is helping developers write code. If you’re looking to use someone else’s endpoint security product, you’ll have better luck asking over in Apple Support Community, run by Apple Support, and specifically in the Business and Education topic area.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Oh, OK. My bad, I am sorry.