macOS Security Alerts and Logs Dictionary Reference

Note:

The content in this section applies to the legacy threat prevention strategy in macOS Security. The legacy strategy will be deprecated in a future version of macOS Security. For information and instructions on configuring threat prevention strategies, see Threat Prevention for macOS Strategies.

General Event Fields

Each event comprises numerous event fields, and the field names in this overview are common for all event types.


#	Field Name	Description	Data Type	Example Value
1	`input.eventType`	Defines event type	String	`GPFSEvent`
2	`input.host.ips`	IP Address	String	`192.168.1.2`
3	`input.host.serial`	Serial number	String	`C02TL0WGGAAA`
4	`input.host.hostname`	Hostname	String	`Jon’s MacBook Pro`
5	`input.match{}.tags{}`	Information tags	String	`MITRE TTPs`
6	`input.match{}.uuid`	UUID alert	String	`237BF758-408B-402A-87C2-64BCCFF7D0A2`
7	`input.match{}.event.timestamp`	Alert time	Integer	`1635055240.016535`
8	`input.match{}.facts{}.name`	Alert name	String	`SpearphishOfficeWritesExecutableResearch`
9	`input.match{}.facts{}.human`	Alert description	String	Occurrences when Office creates an executable file.
10	`input.match{}.actions{}.name`	Event based actions	String	`Log`
11	`input.match{}.custom`	Custom analytic identifier	Boolean	`false`
12	`input.match{}.context`	Additional metadata	String	`[ { "name": "ItemName", "value": "jamf", "valueType": "String" }, { "name": "Label", "value": "com.jamfsoftware.task.checkForTasks", "valueType": "String" }, { "name": "Args", "value": "/usr/local/jamf/bin/jamf manage -rebootIfNeeded -deleteLaunchdTask", "valueType": "String" }, { "name": "Name", "value": "com.jamfsoftware.task.checkForTasks.plist", "valueType": "String" }, { "name": "ItemBinary", "value": "/usr/local/jamf/bin/jamf", "valueType": "Binary" } ]`
13	`input.match{}.severity`	Alert severity	Integer	`0` = Informational `1` = Low `2` = Medium `3` = High
14	`input.related{}.users{}`	Event users array	Integer, String	"binaries": [ { "gid": 0, "uid": 0, "fsid": 16777225, "mode": 33261, "path": "/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper", "size": 293136, "inode": 19220446, "xattrs": [], "changed": 1698151132, "created": 1698151132, "sha1hex": "63182f5bda15fd2e262b512bf20104497b723b77", "accessed": 1698917972, "modified": 1698151132, "sha256hex": "f1ff86c81b106a4dc9445f01f2e62940fcca9117437941da99b0131dd98bb9e5", "isDownload": false, "objectType": "GPSystemObject", "isAppBundle": false, "isDirectory": false, "signingInfo": { "appid": "com.microsoft.autoupdate.helper", "cdhash": "l+/pmKVmSUighiu5PFt6q4t4pfs=", "status": 0, "teamid": "UBF8T346G9", "signerType": 2, "authorities": [ "Developer ID Application: Microsoft Corporation (UBF8T346G9)", "Developer ID Certification Authority", "Apple Root CA" ], "entitlements": [], "statusMessage": "No error.", "informationStage": "extended" }, "isScreenShot": false } ]
15	`input.related{}.groups{}`	Event groups array	Array	`"groups": [ { "gid": 0, "name": "wheel", "uuid": "Z2C23RW4DY0" }, { "gid": 33, "name": "_appstore", "uuid": "Z2C23RW4DY21" } ]`
16	`input.related{}.binaries{}`	Event binary information array^¹	Integer, String	{ "gid": 0, "uid": 0, "fsid": 16777230, "mode": 35273, "path": "/usr/libexec/security_authtrampoline", "size": 134768, "inode": 1152921500312504800, "xattrs": [], "changed": 1694870910, "created": 1694870910, "sha1hex": "82e899cb1c8a42b74653b05ca526d5feae92b9f6", "accessed": 1694870910, "modified": 1694870910, "sha256hex": "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32", "isDownload": false, "objectType": "GPSystemObject", "isAppBundle": false, "isDirectory": false, "signingInfo": { "appid": "com.apple.security_authtrampoline", "cdhash": "rbIoddPMz9MoMMZl1ATihY8wlMk=", "status": 0, "teamid": "", "signerType": 0, "authorities": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ], "entitlements": [], "statusMessage": "No error.", "informationStage": "extended" }, "isScreenShot": false }
17	`input.related{}.binaries{}.uid`	File owner user identifier	Integer	`501`
18	`input.related{}.binaries{}.gid`	File owner group identifier	Integer	`80`
19	`input.related{}.binaries{}.path`	Binary path^¹	String	/Applications/iMyFone iBypasser.app/Contents/MacOS/iMyFone iBypasser
20	`input.related{}.binaries{}.sha1hex`	SHA-1 hash file hex string	String	`39655008a0a72cabf6d488cd0dcfb37e9883e0b8`
21	`input.related{}.binaries{}.sha256hex`	SHA-256 hash file hex string	String	`d2d07ceb1e637c555786d68b65f7b8913c8d52c5e4348881632aea0fa91c1643`
22	`input.related{}.binaries{}.xattrs{}`	File extended attributes array	String	`["com.dropbox.attrs", "com.jamf.protect.quarantined"]`
23	`input.related{}.binaries{}.isDownload`	Internet downloaded file validation	Boolean	`true`
24	`input.related{}.binaries{}.isAppBundle`	App bundle directory file validation	Boolean	`true`
25	`input.related{}.binaries{}.isDirectory`	Directory file validation	Boolean	`true`
26	`input.related{}.binaries{}.isScreenShot`	Screenshot image file validation	Boolean	`true`
27	`input.related{}.binaries{}.signingInfo{}`	Binary signing information array^¹	String	`"signingInfo": { "appid": "com.microsoft.autoupdate.helper", "cdhash": "l+/pmKVmSUighiu5PFt6q4t4pfs=", "status": 0, "teamid": "UBF8T346G9", "signerType": 2, "authorities": [ "Developer ID Application: Microsoft Corporation (UBF8T346G9)", "Developer ID Certification Authority", "Apple Root CA" ], "entitlements": [], "statusMessage": "No error.", "informationStage": "extended" }`
28	`input.related{}.binaries{}.signingInfo.appid`	Binary identifier^¹	String	`com.jamf.protect.security-extension`
29	`input.related{}.binaries{}.signingInfo.cdhash`	Binary code directory hash^¹	String	`XeQsQOHD7J3vTAuYYZTMQP2mwm0=`
30	`input.related{}.binaries{}.signingInfo.teamid`	Binary development team signer identifier^¹	String	`483DWKW443`
31	`input.related{}.binaries{}.signingInfo.signerType`	Signature type and binary implicit trust level^¹	Integer	`2`
32	`input.related{}.binaries{}.signingInfo.authorities`	Signature signing authorities array	String	`[ "Developer ID Application: JAMF Software (483DWKW443)", "Developer ID Certification Authority", "Apple Root CA" ]`
33	`input.related{}.binaries{}.signingInfo.entitlements`	Binary granted entitlements array^¹	String	`[ "com.apple.private.responsibility.set-to-self", "com.apple.private.responsibility.set-to-other", "com.apple.private.security.storage.InstallerSandboxes", "com.apple.private.responsibility.set-hosted-properties" ]`
34	`input.related{}.binaries{}.signingInfo.statusMessage`	Signing information retrieval translated status code	String	`No error.`
35	`input.related{}.processes{}.uid`	Effective user executing process identifier	Integer	`501`
36	`input.related{}.processes{}.gid`	Effective group executing process identifier	Integer	`20`
37	`input.related{}.processes{}.ppid`	Parent process identifier	Integer	`1`
38	`input.related{}.processes{}.pgid`	Process group identifier	Integer	`1`
39	`input.related{}.processes{}.ruid`	Real user executing process identifier	Integer	`501`
40	`input.related{}.processes{}.rgid`	Real group executing process identifier	Integer	`20`
41	`input.related{}.processes{}.pid`	Process identifier (process)	Integer	`772`
42	`input.related{}.processes{}.responsiblePID`	Responsible process identifier	Integer	`19678`
43	`input.related{}.processes{}.originalParentPID`	Parent process identifier	Integer	`55064`
44	`input.related{}.processes{}.args{}`	Process passed optional arguments array	String	`[ "mv", "Slack.app", "/Users/ada.powers/Applications" ]`
45	`input.related{}.processes{}.name`	Process name	String	`Snap Camera`
46	`input.related{}.processes{}.path`	Process path	String	/Applications/Snap Camera.app/Contents/MacOS/Snap Camera
47	`input.related{}.processes{}.exitCode`	Process exit code	Integer	`0`
48	`input.related{}.process{}.signingInfo{}`	Process signing information array	String	`"signingInfo": { "appid": "com.microsoft.autoupdate.helper", "cdhash": "l+/pmKVmSUighiu5PFt6q4t4pfs=", "status": 0, "teamid": "UBF8T346G9", "signerType": 2, "authorities": [ "Developer ID Application: Microsoft Corporation (UBF8T346G9)", "Developer ID Certification Authority", "Apple Root CA" ], "entitlements": [], "statusMessage": "No error.", "informationStage": "extended" }`
49	`input.related{}.process{}.signingInfo.appid`	Bundle Identifier (process)	String	`MF.iMyFone iBypasser`
50	`input.related{}.process{}.signingInfo.cdhash`	Process code directory hash	String	`XeQsQOHD7J3vTAuYYZTMQP2mwm0=`
51	`input.related{}.process{}.signingInfo.teamid`	Process development team signing identifier	String	`483DWKW443`
52	`input.related{}.process{}.signingInfo.signerType`	Signature type and binary implicit trust level^¹	Integer	`2`
53	`input.related{}.process{}.signingInfo.authorities`	Signature signing authorities array	String	`[ "Developer ID Application: JAMF Software (483DWKW443)", "Developer ID Certification Authority", "Apple Root CA" ]`
54	`input.related{}.process{}.signingInfo.entitlements`	Process granted entitlements array	String	`com.apple.rootless.restricted-block-devices`
55	`input.related{}.binaries{}.signingInfo.statusMessage`	Signing information retrieval translated status code	String	`No error.`
56	`input.related{}.process{}.startTimetamp`	Process starting timestamp	Integer	`1657114862`
¹Any event related binary and not a Jamf binary.

GPClickEvent

Synthetic Click Events


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.gid`	Synthetic click group identifier	Integer	`20`
2	`input.match{}.event{}.pid`	Synthetic click process identifier (PID)	Integer	`96657`
3	`input.match{}.event{}.uid`	Synthetic click user identifier	Integer	`501`
4	`input.match{}.event{}.clickType`	Click type	Integer	0 = `Other` 1 = `Left Down` 2 = `Left Up` 3 = `Right Down` 4 = `Right Up`
5	`input.match{}.event{}.targetpid`	Synthetic click target process identifier (PID)	Integer	`4456`

GPDownloadEvent

Monitors files downloaded from the internet.


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event.path`	Downloaded file path	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
2	`input.related{}.files{}.gid`	File group identifier	Integer	`20`
3	`input.related{}.files{}.uid`	File owner user identifier	Integer	`501`
4	`input.related{}.files{}.fsid`	File system ID (FSID)	Integer	`16777234`
5	`input.related{}.files{}.mode`	Filetype and mode	Integer	`33188`
6	`input.related{}.files{}.path`	File path	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
7	`input.related{}.files{}.size`	File size	Integer	`35249769`
8	`input.related{}.files{}.inode`	File inode identifier	Integer	`7174457`
9	`input.related{}.files{}.xattrs`	File extended attributes array	String	`["com.apple.macl", "com.apple.metadata:kMDItemDownloadedDate", "com.apple.metadata:kMDItemWhereFroms", "com.apple.quarantine"]`
10	`input.related{}.files{}.changed`	File change date	Integer	`1632496484`
11	`input.related{}.files{}.created`	File create date	Integer	`1632496484`
12	`input.related{}.files{}.sha1hex`	SHA-1 hash file hex string	String	`39655008a0a72cabf6d488cd0dcfb37e9883e0b8`
13	`input.related{}.files{}.accessed`	File last accessed date	Integer	`1632496484`
14	`input.related{}.files{}.modified`	File last modified date	Integer	`1632496484`
15	`input.related{}.files{}.sha256hex`	SHA-256 hash file hex string	String	`ca43054c05867b673d980bbcc97215d7ebaed5465ad1266eea4c776188bbd385`
16	`input.related{}.files{}.isDownload`	Internet downloaded file validation	Boolean	`true`
17	`input.related{}.files{}.isAppBundle`	App bundle directory file validation	Boolean	`true`
18	`input.related{}.files{}.isDirectory`	Directory file validation	Boolean	`true`
19	`input.related{}.files{}.signingInfo{}`	File signing information array	Integer, String	`{ "status": -67062, "authorities": [], "teamid": "", "signerType": 4, "statusMessage": "code object is not signed at all", "entitlements": [], "appid": "" },`
20	`input.related{}.files{}.signingInfo.appid`	File identifier	String	`GoogleChrome-97.0.4692.99-GGRO`
21	`input.related{}.files{}.signingInfo.cdhash`	File code directory hash	String	`WApZMfx1x99D8eRQhUFeID4YZDY=`
22	`input.related{}.files{}.signingInfo.teamid`	Development team signer identifier	String	`EQHXZ8M8AV`
23	`input.related{}.files{}.signingInfo.signerType`	Object signature type and implicit trust level	Integer	`2`
24	`input.related{}.files{}.signingInfo.authorities`	Signature signing authorities array	String	`["Developer ID Application: Google, Inc. (EQHXZ8M8AV)", "Developer ID Certification Authority", "Apple Root CA"]`
25	`input.related{}.files{}.signingInfo.entitlements`	File granted entitlements array	String	`com.apple.rootless.restricted-block-devices`
26	`input.related{}.files{}.isScreenShot`	Screenshot image file validation	Boolean	`true`
27	`input.related{}.files{}.downloadedFrom`	File download locations array	String	`https://files.jamf.com`

GPFSEvent

File System Events


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event.dev`	File system event device IDs	Integer	`16777233`
2	`input.match{}.event.gid`	File group identifier	Integer	`0`
3	`input.match{}.event.pid`	File process identifier (PID)	Integer	`96657`
4	`input.match{}.event.uid`	File user identifier	Integer	`0`
5	`input.match{}.event.path`	File path	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
6	`input.match{}.event.type`	File system events	Integer	`0` = Created `1` = Deleted `3` = Renamed `4` = Modified `7` = Created directory
7	`input.match{}.event.iNode`	File inode identifier	Integer	`3493490`
8	`input.match{}.event.eventID`	File system event identifier	Integer	`62816`
9	`input.match{}.event.prevFile`	File rename operation previous path	String	/Library/LaunchDaemons/.dat.nosync7991.BW4gMk
10	`input.related{}.files{}.gid`	File system operation group identifier	Integer	`0`
11	`input.related{}.files{}.uid`	File system operation user identifier	Integer	`0`
12	`input.related{}.files{}.fsid`	File FSID	Integer	`16777234`
13	`input.related{}.files{}.mode`	Filetype and mode	Integer	`33188`
14	`input.related{}.files{}.path`	File path	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
15	`input.related{}.files{}.size`	File size	Integer	`0`
16	`input.related{}.files{}.inode`	File inode identifier	Integer	`7174457`
17	`input.related{}.files{}.xattrs`	File extended attributes array	String	`["com.apple.quarantine"]`
18	`input.related{}.files{}.changed`	File change date	Integer	`1632496484`
19	`input.related{}.files{}.created`	File create date	Integer	`1632496484`
20	`input.related{}.files{}.sha1hex`	SHA-1 hash file hex string	String	`39655008a0a72cabf6d488cd0dcfb37e9883e0b8`
21	`input.related{}.files{}.accessed`	File access date	Integer	`1632496484`
22	`input.related{}.files{}.modified`	File modify date	Integer	`1632496484`
23	`input.related{}.files{}.sha256hex`	SHA-256 hash file hex string	String	`ca43054c05867b673d980bbcc97215d7ebaed5465ad1266eea4c776188bbd385"`
24	`input.related{}.files{}.isDownload`	Internet downloaded file validation	Boolean	`false`
25	`input.related{}.files{}.isAppBundle`	App bundle directory file validation	Boolean	`false`
26	`input.related{}.files{}.isDirectory`	Directory file validation	Boolean	`false`
27	`input.related{}.files{}.signingInfo{}`	File signing information array	Array	`{ "status": -67062, "authorities": [], "teamid": "", "signerType": 4, "statusMessage": "code object is not signed at all", "entitlements": [], "appid": "" },`
28	`input.related{}.files{}.signingInfo.appid`	File identifier	String	`com.googlecode.iterm2`
29	`input.related{}.files{}.signingInfo.cdhash`	File code directory hash	String	`JmJW/m4Oafwj3PRZh8QspKxDUYw=`
30	`input.related{}.files{}.signingInfo.teamid`	Development team signer identifier	String	`AQPZ6F3ASY`
31	`input.related{}.files{}.signingInfo.signerType`	Object signature type and implicit trust level	Integer	`0` = Apple `1` = App Store `2` = Developer `3` = Ad hoc `4` = Unsigned
32	`input.related{}.files{}.signingInfo.authorities`	Signature signing authorities array	Array	`[ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ]`
33	`input.related{}.files{}.signingInfo.entitlements`	File entitlements array	Array	`com.apple.private.security.clear-library-validation`
34	`input.related{}.files{}.isScreenShot`	Screenshot image file validation	Boolean	`true`
35	`input.related{}.files{}.downloadedFrom`	File download locations array	String	`https://files.jamf.com`

GPProcessEvent

Monitors processes that are launched or terminated on computers.


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event.pid`	Process event identifier	Integer	`96657`
2	`input.match{},event.type`	Process activity	Integer	`1`
3	`input.match{},event.subType`	Detailed process activity	Integer	`23`

GPKeylogRegisterEvent

Monitors for new "event tap" registrations via the Core Graphics framework on macOS. Core Graphic event taps are often used by certain types of keylogging and accessibility software.


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.options`	Options set when key tap for log was registered.	String	`defaultTap` = Default tap `listenOnly` = Listen only
2	`input.match{}.event{}.sourcePID`	Source process ID (key tap for log registration request)	Integer	`86939`
3	`input.match{}.event{}.destinationPID`	Destination process ID (key tap for log registration request)	Integer	`0`

GPGatekeeperEvent

Monitors actions and logs from Gatekeeper, Apple's built-in feature for enforcing code signing and verifying downloaded apps before opening them.


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.pid`	Process ID (GateKeeper event)	Integer	`39357`
2	`input.match{}.event{}.name`	Event name	String	`CrashReporter`
3	`input.match{}.event{}.path`	Process path (GateKeeper event)	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
4	`input.match{}.event{}.sender`	Log message sender	String	`AppleSystemPolicy`
5	`input.match{}.event{}.process`	Log message sender process	String	`kernel`
6	`input.match{}.event{}.category`	Logging category	String	`XPEvent.structured`
7	`input.match{}.event{}.subsystem`	Logging subsystem	String	`com.apple.XProtectFramework.PluginAPI`
8	`input.match{}.event{}.composedMessage`	Log message	String	`ASP: Security policy would not allow process: 30659, /Applications/JamfComplianceReporter.app/Contents/Helpers/JamfComplianceReporterAgent.app/Contents/MacOS/JamfComplianceReporterAgent`
9	`input.match{}.event{}.senderImagePath`	Image path (log message sender)	String	/System/Library/Extensions/AppleSystemPolicy.kext/Contents/MacOS/AppleSystemPolicy
10	`input.match{}.event{}.processImagePath`	Process path (log message sender)	String	/kernel
11	`input.match{}.event{}.processIdentifier`	Process ID (log message sender)	Integer	`0`
12	`input.match{}.facts{}.name`	Alert name	String	`GatekeeperBlockedSigned`

GPMRTEvent

Monitors actions and logs from Malware Removal Tool (MRT), Apple's built-in application responsible for removing targeted files from macOS.


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.pid`	Process ID (GateKeeper event)	Integer	`96657`
2	`input.match{}.event{}.name`	Event name	String	`JamfComplianceReporterAgent`
3	`input.match{}.event{}.path`	Process path (GateKeeper event)	String	/Library/LaunchDaemons/com.jamfsoftware.task.checkForTasks.plist
4	`input.match{}.event{}.sender`	Log message sender	String	`AppleSystemPolicy`
5	`input.match{}.event{}.process`	Log message sender process	String	`kernel`
6	`input.match{}.event{}.category`	Logging category	String	`XPEvent.structured`
7	`input.match{}.event{}.subsystem`	Logging subsystem	String	`com.apple.XProtectFramework.PluginAPI`
8	`input.match{}.event{}.composedMessage`	Log message	String	`ASP: Security policy would not allow process: 30659, /Applications/JamfComplianceReporter.app/Contents/Helpers/JamfComplianceReporterAgent.app/Contents/MacOS/JamfComplianceReporterAgent"`
9	`input.match{}.event{}.senderImagePath`	Image path (log message sender)	String	/System/Library/Extensions/AppleSystemPolicy.kext/Contents/MacOS/AppleSystemPolicy
10	`input.match{}.event{}.processImagePath`	Process path (log message sender)	String	/kernel
11	`input.match{}.event{}.processIdentifier`	Process ID (log message sender)	Integer	`0`
12	`input.match{}.facts{}.name`	`SpearphishOfficeWritesExecutableResearch`	String	`LaunchDaemon`

GPPreventedExecutionEvent

Custom Prevent List Events


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.blocked`	Was app blocked	Boolean	`true`
2	`input.match{}.event{}.matchType`	Matching method	String	`signingID`
3	`input.match{}.event{}.matchValue`	Prevented app name	String	`scriptingosx.desktoppr`
4	`input.match{}.event{}.process{}.gid`	Process effective group identifier	Integer	`20`
5	`input.match{}.event{}.process{}.pid`	Process identifier (process)	Integer	`40990`
6	`input.match{}.event{}.process{}.uid`	Process effective user identifier	Integer	`501`
7	`input.match{}.event{}.process{}.args`	Possible arguments passed by process array	String	`[ "/tmp/PKInstallSandbox.nVjzpr/Scripts/com.jamf.ce.Wallpaper.43ZvSw/desktoppr", "/Library/Desktop Pictures/wallpaper.heic" ] "/tmp/PKInstallSandbox.nVjzpr/Scripts /com.jamf.ce.Wallpaper.43ZvSw/desktoppr", "/Library/Desktop Pictures/wallpaper.heic" ]`
8	`input.match{}.event{}.process{}.name`	Process name	String	`desktoppr`
9	`input.match{}.event{}.process{}.path`	Process path	String	/tmp/PKInstallSandbox.nVjzpr/Scripts/com.jamf.ce.Wallpaper.43ZvSw/desktoppr
10	`input.match{}.event{}.process{}.pgid`	Process group identifier	Integer	`40990`
11	`input.match{}.event{}.process{}.rgid`	Process real group identifier	Integer	`20`
12	`input.match{}.event{}.process{}.ruid`	Process real user identifier	Integer	`501`
13	`input.match{}.event{}.process{}.uuid`	Event unique identifier	String	`ade83c7a-2eaa-4bd3-b468-d1643483746f`
14	`input.match{}.event{}.process{}.signingInfo{}`	Process signing information array	Integer, String	`[ "appid": "com.scriptingosx.desktoppr", "cdhash": "oA74w5FQMn1N1G7k1Ar0lyClqu8=", "status": 0, "teamid": "JME5BW3F3R", "signerType": 2, "authorities": [ "Developer ID Application: Jon Smith (JME5BW3F3R)", "Developer ID Certification Authority", "Apple Root CA" ]`
15	`input.match{}.event{}.process{}.signingInfo{}.appid`	Identifier (process)	String	`com.scriptingosx.desktoppr`
16	`input.match{}.event{}.process{}.signingInfo{}.cdhash`	Process code directory hash	String	`oA74w5FQMn1N1G7k1Ar0lyClqu8=`
17	`input.match{}.event{}.process{}.signingInfo{}.status`	Signing information retrieval status	Integer	`0` = Apple `1` = App Store `2` = Developer `3` = Ad Hoc `4` = Unsigned
18	`input.match{}.event{}.process{}.signingInfo{}.teamid`	Process development team signer identifier	String	`JME5BW3F3R`
19	`input.match{}.event{}.process{}.signingInfo{}.signerType`	Signature type and implicit trust level	Integer	`0` = Apple `1` = App Store `2` = Developer `3` = Ad Hoc `4` = Unsigned
20	`input.match{}.event{}.process{}.signingInfo{}.authorities`	Signature signing authorities array	String	`[ "Developer ID Application: Jon Smith (JME5BW3F3R)", "Developer ID Certification Authority", "Apple Root CA" ]`
21	`input.match{}.event{}.process{}.signingInfo{}.entitlements`	Process granted entitlements array	String	`com.apple.private.security.clear-library-validation`
22	`input.match{}.event{}.process{}.signingInfo{}.statusMessage`	Signing information retrieval status code	String	`No error.`
23	`input.match{}.event{}.process{}.startTimestamp`	Process starting timestamp	Integer	`1668431165`
24	`input.match{}.event{}.process{}.orginalParentPID`	Parent process identifier	Integer	`1`

GPThreatMatchExecEvent

Threat Prevention Events


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.blocked`	Was threat blocked	Boolean	`true`
2	`input.match{}.event{}.matchType`	Database matching	String	`Threat Signature`
3	`input.match{}.event{}.matchValue`	Threat name	String	`applejeus_jmt_a`
4	`input.match{}.event{}.scriptPath`	Script path	String	`/tmp/CrashReporter.sh`
5	`input.match{}.event{}.process{}.gid`	Effective group executing process identifier	Integer	`0`
6	`input.match{}.event{}.process{}.pid`	Process identifier (process)	Integer	`39356`
7	`input.match{}.event{}.process{}.uid`	Effective user executing process identifier	Integer	`0`
8	`input.match{}.event{}.process{}.args`	Process passed optional arguments array	String	`[ "/Library/JMTTrader/CrashReporter", "Maintain" ]`
9	`input.match{}.event{}.process{}.name`	Process name	String	`CrashReporter`
10	`input.match{}.event{}.process{}.path`	Process path	String	/Library/radar/CrashReporter
11	`input.match{}.event{}.process{}.pgid`	Process group identifier	Integer	`39356`
12	`input.match{}.event{}.process{}.rgid`	Real group executing process identifier	Integer	`0`
13	`input.match{}.event{}.process{}.ruid`	Real user executing process identifier	Integer	`0`
14	`input.match{}.event{}.process{}.uuid`	Event unique identifier	String	`3a842375-29f4-4516-8c8e-aca148c3ab32`
15	`input.match{}.event{}.process{}.signingInfo{}`	Process signing information array	Integer, String	`{ "appid": "com.microsoft.autoupdate.helper", "cdhash": "l+/pmKVmSUighiu5PFt6q4t4pfs=", "status": 0, "teamid": "UBF8T346G9", "signerType": 2, "authorities": [ "Developer ID Application: Microsoft Corporation (UBF8T346G9)", "Developer ID Certification Authority", "Apple Root CA" ], "entitlements": [], "statusMessage": "No error.", "informationStage": "extended" }`
16	`input.match{}.event{}.process{}.signingInfo{}.appid`	Identifier (process)	String	`com.scriptingosx.desktoppr`
17	`input.match{}.event{}.process{}.signingInfo{}.cdhash`	Process code directory hash	String	`oA74w5FQMn1N1G7k1Ar0lyClqu8=`
18	`input.match{}.event{}.process{}.signingInfo{}.status`	Signing information retrieval status	Integer	`-67068`
19	`input.match{}.event{}.process{}.signingInfo{}.teamid`	Process development team signing identifier	String	`JME5BW3F3R`
20	`input.match{}.event{}.process{}.signingInfo{}.signerType`	Object signature type and implicit trust level	Integer	`0` = Apple `1` = App Store `2` = Developer `3` = Ad hoc `4` = Unsigned
21	`input.match{}.event{}.process{}.signingInfo{}.authorities`	Signature signing authorities array	String	`[ "Developer ID Application: Jon Smith (JME5BW3F3R)", "Developer ID Certification Authority", "Apple Root CA" ]`
22	`input.match{}.event{}.process{}.signingInfo{}.entitlements`	Process granted entitlements array	String	`com.apple.private.security.clear-library-validation`
23	`input.match{}.event{}.process{}.signingInfo{}.statusMessage`	Signing information retrieval translated status code	String	`cannot find code object on disk`
24	`input.match{}.event{}.process{}.startTimestamp`	Process starting timestamp	Integer	`1668430737`
25	`input.match{}.event{}.process{}.orginalParentPID`	Parent process identifier	Integer	`1`
26	`input.match.facts{}.version`	Endpoint threat prevention version	Integer	`11568`

GPUnifiedLogEvent

Unified Log Events


#	Field Name	Description	Data Type	Example Value
1	`input.match{}.event{}.sender`	Log message sender	String	`XProtectRadarSecurity`
2	`input.match{}.event{}.process`	Log message sender process	String	`XProtectRadarSecurity`
3	`input.match{}.event{}.category`	Logging category	String	`XPEvent.structured`
4	`input.match{}.event{}.subsystem`	Logging subsystem	String	`com.apple.XProtectFramework.PluginAPI`
5	`input.match{}.event{}.composedMessage`	Log message	String	`{\"caused_by\":[],\"status_message\":\"NoThreatDetected\",\"status_code\":20,\"execution_duration\":0.7135159969329834}`
6	`input.match{}.event{}.senderImagePath`	Log message sender image path	String	`/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRadarSecurity`
7	`input.match{}.event{}.processImagePath`	Log message sender process path	String	`/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRLibrary/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRadarSecurity`
8	`input.match{}.event{}.processIdentifier`	Log message sender process ID	Integer	`6925`

GPUSBEvent

Monitors USB devices inserted into computers.


#	Field Name	Description	Data Type	Example Value
1	`input.match.type`	USB event type	Integer	`0` = Device inserted `1` = Device removed
2	`input.match.usbAddress`	USB address	Integer	`6`
3	`input.match{}.device{}.mediaPath`	Media path	String	`IODeviceTree:/PCI0@0/RP05@1C,4/UPSB@0/DSB2@2/XHC2@0/@1:0`
4	`input.match{}.device{}.protocol`	Protocol	String	`USB`
5	`input.match{}.device{}.deviceModel`	Model	String	`Ultra USB 3.0`
6	`input.match{}.device{}.isRemovable`	Removable	Boolean	`true`
7	`input.match{}.device{}.mediaName`	Media name	String	`SanDisk Ultra USB 3.0 Media`
8	`input.match{}.device{}.bsdMinor`	BSD minor	Integer	`11`
9	`input.match{}.device{}.vendorName`	USB device vendor	String	`Apple Inc.`
10	`input.match{}.device{}.isWhole`	Whole	Boolean	`false`
11	`input.match{}.device{}.unit`	Unit	Integer	`1`
12	`input.match{}.device{}.deviceSubclass`	USB device subclass	Integer	`0`
13	`input.match{}.device{}.serialNumber`	USB device serial number	String	`FM79997PJ3VYB7+SET`
14	`input.match{}.device{}.bsdUnit`	BSD unit	Integer	`2`
15	`input.match{}.device{},busPath`	Bus path	String	IODeviceTree:/PCI0@0/RP05@1C,4/UPSB@0/DSB2@2/XHC2@0
16	`input.match{}.device{}.isLeaf`	Leaf	Boolean	`true`
17	`input.match{}.device{}.isInternal`	Internal	Boolean	`true`
18	`input.match{}.device{}.busName`	busName	String	`XHC2`
19	`input.match{}.device{}.bsdMajor`	BSD major	Integer	`1`
20	`input.match{}.device{}.isEjectable`	Ejectable	Boolean	`true`
21	`input.match{}.device{}.isEncrypted`	Encrypted	Boolean	`true`
22	`input.match{}.device{}.devicePath`	Device path	String	IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP05@1C,4/IOPP/UPSB@0/IOPP/DSB2@2/IOPP/XHC2@0/XHC2@00000000/SSP1@00100000/Ultra USB 3.0@00100000/IOUSBHostInterface@0/IOUSBMassStorageInterfaceNub/IOUSBMassStorageDriverNub/IOUSBMassStorageDriver/IOSCSILogicalUnitNub@0/IOSCSIPeripheralDeviceType00/IOBlockStorageServices
23	`input.match{}.device{}.bsdName`	BSD name	String	`disk2`
24	`input.match{}.device{}.vendorId`	USB device vendor identifier	String	`0x05ac`
25	`input.match{}.device{}.content`	Device content	String	`GUID_partition_scheme`
26	`input.match{}.device{}.revision`	Device revision	String	`1.00`
27	`input.match{}.device{}.size`	Device size	Integer	`15376000000`
28	`input.match{}.device{}.isNetworkVolume`	Network volume	Boolean	`true`
29	`input.match{}.device{}.blocksize`	Block size	Integer	`512`
30	`input.match{}.device{}.productName`	USB product name	String	`Apple Internal Keyboard / Trackpad`
31	`input.match{}.device{}.mediaKind`	Media kind	String	`IOMedia`
32	`input.match{}.device{}.isWritable`	Device writable	Boolean	`true`
33	`input.match{}.device{}.productId`	USB device product identifier	String	`0x027b`
34	`input.match{}.device{}.deviceClass`	USB device class	Integer	`0`
35	`input.match{}.device{}.encryptionDetail`	Encryption detail	Integer	`0`