
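id: d941b837-88fa-4c77-a4d8-76af0044cac0
Function:
  Title: Parser for Jamf Protect Telemetry Events
  Version: '3.2.4'
  LastUpdated: '2025-03-25'
Category: Microsoft Sentinel Parser
FunctionName: JamfProtectTelemetry
FunctionAlias: JamfProtectTelemetry
FunctionQuery: |
  // Normalises Jamf Protect telemetry (macOS Endpoint Security events landed in the
  // jamfprotecttelemetryv2_CL table) into a flat, ASIM-style column set.
  //
  // Every raw record carries a single-key `event` bag: the key is the Endpoint
  // Security event type (exec, sudo, openssh_login, ...) and the value is the
  // event body. eventTypeHuman holds that key and drives every mapping below.
  // Event-specific bags are emitted as dynamic columns and are null for other
  // event types, so consumers can test the column instead of the type string.
  jamfprotecttelemetryv2_CL
  // Generic Fields
  | extend
      EventExpanded = tostring(parse_json(event)[strcat_array(bag_keys(event), '.')]),
      eventTypeHuman = tostring(bag_keys(event)[0])
  // eventBody is the per-type payload, resolved once so the event-specific sections
  // do not repeat event[eventTypeHuman] on every field. Projected away at the end.
  | extend eventBody = event[eventTypeHuman]
  | extend EventResult = iif((eventBody['success'] == true), "Success", dynamic(null))
  | extend
      EventMessage = case(
          eventTypeHuman == "authentication", "A user authentication happened",
          eventTypeHuman == "authorization_judgement", "A process has its rights petition judged",
          eventTypeHuman == "authorization_petition", "A process has its rights petition judged",
          eventTypeHuman == "bios_uefi", "Collection of bios and firmware data",
          eventTypeHuman == "btm_launch_item_add", "Apple's Background Task Manager notified that an item has been added",
          eventTypeHuman == "btm_launch_item_remove", "Apple's Background Task Manager notified that an existing item has been removed",
          eventTypeHuman == "chroot", "Software has changed its apparent root directory in which it's actively operating out of",
          eventTypeHuman == "cs_invalidated", "The system detected that a process has had its code signature marked as invalid",
          eventTypeHuman == "exec", "A new process has been executed",
          eventTypeHuman == "kextload", "A kernel extension (kext) was loaded",
          eventTypeHuman == "kextunload", "A kernel extension (kext) was unloaded",
          eventTypeHuman == "login_login", "A user attempted to log in using /usr/bin/login",
          eventTypeHuman == "login_logout", "A user logged out from /usr/bin/login",
          eventTypeHuman == "lw_session_lock", "A user has locked the screen",
          eventTypeHuman == "lw_session_login", "A user has logged in via the Login Window",
          eventTypeHuman == "lw_session_logout", "A user has logged out of an active graphical session",
          eventTypeHuman == "lw_session_unlock", "A user has unlocked the screen from the Login Window",
          eventTypeHuman == "mount", "A file system has been mounted",
          eventTypeHuman == "od_attribute_set", "Attribute set on user or group using Open Directory",
          eventTypeHuman == "od_attribute_value_add", "Attribute added to a user or group using Open Directory",
          eventTypeHuman == "od_attribute_value_remove", "Attribute removed from a user or group using Open Directory",
          eventTypeHuman == "od_create_group", "A group has been created using Open Directory",
          eventTypeHuman == "od_create_user", "A user has been created using Open Directory",
          eventTypeHuman == "od_delete_group", "A group has been deleted using Open Directory",
          eventTypeHuman == "od_delete_user", "A user has been deleted using Open Directory",
          eventTypeHuman == "od_disable_user", "A user has been disabled using Open Directory",
          eventTypeHuman == "od_enable_user", "A user has been enabled using Open Directory",
          eventTypeHuman == "od_group_add", "A member has been added to a group using Open Directory",
          eventTypeHuman == "od_group_remove", "A member has been removed from a group using Open Directory",
          eventTypeHuman == "od_group_set", "A group has a member initialised or replaced using Open Directory",
          eventTypeHuman == "od_modify_password", "A user password is modified via Open Directory",
          eventTypeHuman == "openssh_login", "A user has logged into the system via OpenSSH",
          eventTypeHuman == "openssh_logout", "A user has logged out of an OpenSSH session",
          eventTypeHuman == "performance", "Collection of system performance data",
          eventTypeHuman == "profile_add", "A configuration profile is installed on the system",
          eventTypeHuman == "profile_remove", "A configuration profile is removed from the system",
          // remount/unmount previously reused the "mounted" text; messages now match the event.
          eventTypeHuman == "remount", "A file system has been remounted",
          eventTypeHuman == "screensharing_attach", "A screensharing session has attached to a graphical session",
          eventTypeHuman == "screensharing_detach", "A screensharing session has detached from a graphical session",
          eventTypeHuman == "settime", "The system time was attempted to be set",
          eventTypeHuman == "su", "A user attempts to start a new shell using a substitute user identity",
          eventTypeHuman == "sudo", "A sudo attempt occurred",
          eventTypeHuman == "unmount", "A file system has been unmounted",
          eventTypeHuman == "xp_malware_detected", "Apple's XProtect detected malware on the system",
          eventTypeHuman == "xp_malware_remediated", "Apple's XProtect remediated malware on the system",
          eventTypeHuman == "file_collection", "A crash or diagnostic file has been collected",
          eventTypeHuman == "log_collection", "Entries from a log file have been collected",
          eventTypeHuman == "gatekeeper_user_override", "Gatekeeper controls were overridden",
          "No reason yet defined for this event"
      ),
      EventType = case(
          eventTypeHuman == "authentication", "Logon",
          eventTypeHuman == "authorization_judgement", "ProcessCreated",
          eventTypeHuman == "authorization_petition", "ProcessCreated",
          eventTypeHuman == "bios_uefi", "Hardware",
          eventTypeHuman == "btm_launch_item_add", "Create",
          eventTypeHuman == "btm_launch_item_remove", "Delete",
          eventTypeHuman == "chroot", "Set",
          eventTypeHuman == "cs_invalidated", "Other",
          eventTypeHuman == "exec", "ProcessCreated",
          eventTypeHuman == "kextload", "Create",
          eventTypeHuman == "kextunload", "Delete",
          eventTypeHuman == "login_login", "Logon",
          eventTypeHuman == "login_logout", "Logoff",
          eventTypeHuman == "lw_session_lock", "Logoff",
          eventTypeHuman == "lw_session_login", "Logon",
          eventTypeHuman == "lw_session_logout", "Logoff",
          eventTypeHuman == "lw_session_unlock", "Logon",
          eventTypeHuman == "mount", "FileSystemMounted",
          eventTypeHuman == "od_attribute_set", "Set",
          eventTypeHuman == "od_attribute_value_add", "Create",
          eventTypeHuman == "od_attribute_value_remove", "Delete",
          eventTypeHuman == "od_create_group", "GroupCreated",
          eventTypeHuman == "od_create_user", "UserCreated",
          eventTypeHuman == "od_delete_group", "GroupDeleted",
          eventTypeHuman == "od_delete_user", "UserDeleted",
          eventTypeHuman == "od_disable_user", "UserDisabled",
          eventTypeHuman == "od_enable_user", "UserEnabled",
          eventTypeHuman == "od_group_add", "UserAddedToGroup",
          eventTypeHuman == "od_group_remove", "UserRemovedFromGroup",
          eventTypeHuman == "od_group_set", "GroupModified",
          eventTypeHuman == "od_modify_password", "PasswordChanged",
          eventTypeHuman == "openssh_login", "Logon",
          eventTypeHuman == "openssh_logout", "Logoff",
          eventTypeHuman == "performance", "PerformanceData",
          eventTypeHuman == "profile_add", "Create",
          eventTypeHuman == "profile_remove", "Delete",
          eventTypeHuman == "remount", "FileSystemRemounted",
          // The ES event type is spelled "screensharing"; the earlier "screenscharing"
          // keys never matched, leaving remote sessions with an empty EventType.
          eventTypeHuman == "screensharing_attach", "Logon",
          eventTypeHuman == "screensharing_detach", "Logoff",
          eventTypeHuman == "settime", "Set",
          eventTypeHuman == "su", "Elevate",
          eventTypeHuman == "sudo", "Elevate",
          eventTypeHuman == "unmount", "FileSystemUnmounted",
          eventTypeHuman == "xp_malware_detected", "MalwareDetected",
          eventTypeHuman == "xp_malware_remediated", "MalwareRemediated",
          // Was keyed on xp_malware_remediated a second time (unreachable), so Gatekeeper
          // overrides never received an EventType.
          eventTypeHuman == "gatekeeper_user_override", "GatekeeperOverride",
          ""
      ),
      EventSubType = case(
          eventTypeHuman == "authentication", "Interactive",
          eventTypeHuman == "btm_launch_item_add", "btm",
          eventTypeHuman == "btm_launch_item_remove", "btm",
          eventTypeHuman == "chroot", "Directory",
          eventTypeHuman == "cs_invalidated", "Other",
          eventTypeHuman == "kextload", "System Settings",
          eventTypeHuman == "kextunload", "System Settings",
          eventTypeHuman == "login_login", "Interactive",
          eventTypeHuman == "login_logout", "Interactive",
          eventTypeHuman == "lw_session_lock", "Interactive",
          eventTypeHuman == "lw_session_login", "Interactive",
          eventTypeHuman == "lw_session_logout", "Interactive",
          eventTypeHuman == "lw_session_unlock", "Interactive",
          eventTypeHuman == "od_attribute_set", "Attribute",
          eventTypeHuman == "od_attribute_value_add", "Attribute",
          eventTypeHuman == "od_attribute_value_remove", "Attribute",
          eventTypeHuman == "openssh_login", "Interactive",
          eventTypeHuman == "openssh_logout", "Interactive",
          eventTypeHuman == "profile_add", "Configuration Profile",
          eventTypeHuman == "profile_remove", "Configuration Profile",
          eventTypeHuman == "screensharing_attach", "RemoteInteractive",
          eventTypeHuman == "screensharing_detach", "RemoteInteractive",
          eventTypeHuman == "settime", "System Settings",
          eventTypeHuman == "su", "Interactive",
          eventTypeHuman == "sudo", "Interactive",
          ""
      )
  // Jamf Protect Telemetry - Event Process
  // Pick the process record that best describes the actor: event-specific
  // sub-objects carrying an audit_token win over the generic `process` column.
  | extend eventContext = case(
      isnotempty(eventBody['app']['audit_token']), eventBody['app'],
      isnotempty(eventBody['target']['audit_token']), eventBody['target'],
      isnotempty(eventBody['data']['od']['audit_token']), eventBody['data']['od'],
      isnotempty(eventBody['data']['token']['audit_token']), eventBody['data']['token'],
      isnotempty(eventBody['data']['touchid']['audit_token']), eventBody['data']['touchid'],
      isnotempty(eventBody['instigator']['audit_token']), eventBody['instigator'],
      ['process']
  )
  | extend
      TargetProcessName = tostring(eventContext.executable.path),
      TargetProcessId = tostring(eventContext.audit_token.pid),
      TargetProcessGuid = tostring(eventContext.audit_token.uuid),
      TargetProcessCreationTime = tostring(eventContext.start_time),
      TargetProcessSHA1 = tostring(eventContext.executable.sha1),
      TargetProcessSHA256 = tostring(eventContext.executable.sha256),
      TargetProcessCommandLine = eventBody['args'],
      TargetProcessTTY = tostring(eventContext.tty.path),
      TargetBinarySigningAppID = tostring(eventContext.signing_id),
      TargetBinarySigningTeamID = tostring(eventContext.team_id),
      TargetBinaryCDHash = tostring(eventContext.cdhash),
      TargetBinaryIsESClient = tobool(eventContext.is_es_client),
      TargetBinaryIsPlatformBinary = tobool(eventContext.is_platform_binary),
      TargetUserId = tostring(eventContext.audit_token.euid),
      ActingProcessId = tostring(eventContext.parent_audit_token.pid),
      ActingProcessGuid = tostring(eventContext.parent_audit_token.uuid),
      ActorUserId = tostring(eventContext.parent_audit_token.euid),
      ParentProcessId = tostring(eventContext.responsible_audit_token.pid),
      ParentProcessGuid = tostring(eventContext.responsible_audit_token.uuid)
  // Jamf Protect Telemetry - Revealing Code Signing flags
  // codesigning_flags is an unsigned 32-bit mask. tolong() is used instead of
  // toint() so a value with bit 31 set (CS_DATAVAULT_CONTROLLER) does not overflow
  // to null and blank every flag for that process. csFlags is projected away below.
  | extend csFlags = tolong(eventContext.codesigning_flags)
  | extend TargetProcessCodesignFlags = iif(isnotempty(eventContext.codesigning_flags), bag_pack(
      "CS_VALID", binary_and(csFlags, 0x00000001) != 0,
      "CS_ADHOC", binary_and(csFlags, 0x00000002) != 0,
      "CS_GET_TASK_ALLOW", binary_and(csFlags, 0x00000004) != 0,
      "CS_INSTALLER", binary_and(csFlags, 0x00000008) != 0,
      "CS_FORCED_LV", binary_and(csFlags, 0x00000010) != 0,
      "CS_INVALID_ALLOWED", binary_and(csFlags, 0x00000020) != 0,
      "CS_HARD", binary_and(csFlags, 0x00000100) != 0,
      "CS_KILL", binary_and(csFlags, 0x00000200) != 0,
      "CS_CHECK_EXPIRATION", binary_and(csFlags, 0x00000400) != 0,
      "CS_RESTRICT", binary_and(csFlags, 0x00000800) != 0,
      "CS_ENFORCEMENT", binary_and(csFlags, 0x00001000) != 0,
      "CS_REQUIRE_LV", binary_and(csFlags, 0x00002000) != 0,
      "CS_ENTITLEMENTS_VALIDATED", binary_and(csFlags, 0x00004000) != 0,
      "CS_NVRAM_UNRESTRICTED", binary_and(csFlags, 0x00008000) != 0,
      "CS_RUNTIME", binary_and(csFlags, 0x00010000) != 0,
      "CS_LINKER_SIGNED", binary_and(csFlags, 0x00020000) != 0,
      "CS_EXEC_SET_HARD", binary_and(csFlags, 0x00100000) != 0,
      "CS_EXEC_SET_KILL", binary_and(csFlags, 0x00200000) != 0,
      "CS_EXEC_SET_ENFORCEMENT", binary_and(csFlags, 0x00400000) != 0,
      "CS_EXEC_INHERIT_SIP", binary_and(csFlags, 0x00800000) != 0,
      "CS_KILLED", binary_and(csFlags, 0x01000000) != 0,
      "CS_DYLD_PLATFORM", binary_and(csFlags, 0x02000000) != 0,
      "CS_PLATFORM_BINARY", binary_and(csFlags, 0x04000000) != 0,
      "CS_PLATFORM_PATH", binary_and(csFlags, 0x08000000) != 0,
      "CS_DEBUGGED", binary_and(csFlags, 0x10000000) != 0,
      "CS_SIGNED", binary_and(csFlags, 0x20000000) != 0,
      "CS_DEV_CODE", binary_and(csFlags, 0x40000000) != 0,
      "CS_DATAVAULT_CONTROLLER", binary_and(csFlags, 0x80000000) != 0
  ), "")
  // Event Specific - authentication
  // First non-empty username field wins; the candidate order is unchanged.
  | extend TargetUsername = case(
      isnotempty(eventBody['username']), eventBody['username'],
      isnotempty(eventBody['to_username']), eventBody['to_username'],
      isnotempty(eventBody['account_name']), eventBody['account_name'],
      isnotempty(eventBody['user_name']), eventBody['user_name'],
      isnotempty(eventBody['authentication_username']), eventBody['authentication_username'],
      ""
  )
  | extend ActorUsername = case(
      isnotempty(eventBody['from_username']), eventBody['from_username'],
      isnotempty(eventBody['session_username']), eventBody['session_username'],
      ""
  )
  | extend Authentication = iif(
      eventTypeHuman == "authentication",
      bag_pack(
          "authentication_method", iff(isnotempty(eventBody.data), tostring(bag_keys(eventBody.data)[0]), "")
      ),
      dynamic(null)
  )
  // Event Specific - bios_uefi
  | extend HardwareInformation = iif(
      eventTypeHuman == "bios_uefi",
      bag_pack(
          "host_architecture", iff(isnotempty(eventBody.architecture), eventBody.architecture, ""),
          "firmware_version", iff(isnotempty(eventBody.bios.['firmware-version']), eventBody.bios.['firmware-version'], ""),
          "system_firmware_version", iff(isnotempty(eventBody.bios.['system-firmware-version']), eventBody.bios.['system-firmware-version'], "")
      ),
      dynamic(null)
  )
  // Event Specific - btm_launch_item_add & btm_launch_item_remove
  // "remount" was previously listed here as well; it carries none of these fields.
  | extend BtmItem = iif(
      eventTypeHuman in ("btm_launch_item_add", "btm_launch_item_remove"),
      bag_pack(
          "btm_executable_path", iff(isnotempty(eventBody.executable_path), eventBody.executable_path, ""),
          "btm_item_app_url", iff(isnotempty(eventBody.item.app_url), eventBody.item.app_url, ""),
          "btm_item_url", iff(isnotempty(eventBody.item.item_url), eventBody.item.item_url, ""),
          "btm_item_managed", iff(isnotempty(eventBody.item.managed), eventBody.item.managed, ""),
          "btm_item_legacy", iff(isnotempty(eventBody.item.legacy), eventBody.item.legacy, ""),
          "btm_item_uid", iff(isnotempty(eventBody.item.uid), eventBody.item.uid, ""),
          "btm_item_type", iff(
              isnotempty(eventBody.item.item_type),
              case(
                  eventBody.item.item_type == 0, "UserItem",
                  eventBody.item.item_type == 1, "App",
                  eventBody.item.item_type == 2, "LoginItem",
                  eventBody.item.item_type == 3, "LaunchAgent",
                  eventBody.item.item_type == 4, "LaunchDaemon",
                  "Unknown"
              ),
              ""
          )
      ),
      dynamic(null)
  )
  // Event Specific - chroot
  | extend Chroot = iif(
      eventTypeHuman == "chroot",
      bag_pack(
          "apparent_root_directory", iff(isnotempty(eventBody.target), eventBody.target.path, ""),
          "stats", iff(isnotempty(eventBody.target.stat), eventBody.target.stat, "")
      ),
      dynamic(null)
  )
  // Event Specific - cs_invalidated
  // Event Specific - exec
  // (both are fully covered by the generic process fields above)
  // Event Specific - kextload & kextunload
  | extend KernelExtension = iif(
      eventTypeHuman in ("kextload", "kextunload"),
      bag_pack(
          "kext_identifier", iff(isnotempty(eventBody.identifier), eventBody.identifier, "")
      ),
      dynamic(null)
  )
  // Event Specific - lw_session_lock & lw_session_unlock & lw_session_login & lw_session_logout
  | extend LoginWindowSession = iif(
      eventTypeHuman in ("lw_session_lock", "lw_session_unlock", "lw_session_login", "lw_session_logout"),
      bag_pack(
          "graphical_session_id", iff(isnotempty(eventBody.graphical_session_id), eventBody.graphical_session_id, "")
      ),
      dynamic(null)
  )
  // Event Specific - mount & remount & unmount
  | extend FileSystem = iif(
      eventTypeHuman in ("mount", "unmount", "remount"),
      bag_pack(
          "volume_device_name", iff(isnotempty(eventBody.statfs.f_mntfromname), eventBody.statfs.f_mntfromname, ""),
          "volume_mount_name", iff(isnotempty(eventBody.statfs.f_mntonname), eventBody.statfs.f_mntonname, ""),
          "volume_file_system_type", iff(isnotempty(eventBody.statfs.f_fstypename), eventBody.statfs.f_fstypename, ""),
          "volume_size", iff(isnotempty(eventBody.statfs.f_bsize), eventBody.statfs.f_bsize, "")
      ),
      dynamic(null)
  )
  // Event Specific - od_* (attribute, user, group and password changes via Open Directory)
  // The group events and od_modify_password were missing from this list even though the
  // bag extracts their fields (group_name, member_array, member_value, account_name).
  | extend OpenDirectory = iif(
      eventTypeHuman in (
          "od_attribute_set", "od_attribute_value_add", "od_attribute_value_remove",
          "od_create_group", "od_create_user", "od_delete_group", "od_delete_user",
          "od_disable_user", "od_enable_user",
          "od_group_add", "od_group_remove", "od_group_set", "od_modify_password"
      ),
      bag_pack(
          "group_name", iff(isnotempty(eventBody.group_name), eventBody.group_name, ""),
          "member_array", iff(isnotempty(eventBody.members.member_array), eventBody.members.member_array, ""),
          "member_value", iff(isnotempty(eventBody.member.member_value), eventBody.member.member_value, ""),
          "user_name", iff(isnotempty(eventBody.user_name), eventBody.user_name, ""),
          "account_name", iff(isnotempty(eventBody.account_name), eventBody.account_name, ""),
          "db_path", iff(isnotempty(eventBody.db_path), eventBody.db_path, ""),
          "record_name", iff(isnotempty(eventBody.record_name), eventBody.record_name, ""),
          "attribute_name", iff(isnotempty(eventBody.attribute_name), eventBody.attribute_name, ""),
          "attribute_value", iff(isnotempty(eventBody.attribute_value), eventBody.attribute_value, ""),
          "node_name", iff(isnotempty(eventBody.node_name), eventBody.node_name, "")
      ),
      dynamic(null)
  )
  // Event Specific - openssh_login & openssh_logout
  | extend SSHContext = iif(
      eventTypeHuman in ("openssh_login", "openssh_logout"),
      bag_pack(
          "source_address_type", iff(
              isnotempty(eventBody.source_address_type),
              case(
                  eventBody.source_address_type == 0, "Unknown",
                  eventBody.source_address_type == 1, "IPv4",
                  eventBody.source_address_type == 2, "IPv6",
                  eventBody.source_address_type == 3, "UNIX Socket",
                  "Unknown"
              ),
              ""
          ),
          "result_type", iff(
              isnotempty(eventBody.result_type),
              case(
                  eventBody.result_type == 0, "Exceeded maximum attempts",
                  eventBody.result_type == 1, "Denied by root",
                  eventBody.result_type == 2, "Success",
                  eventBody.result_type == 3, "No reason",
                  eventBody.result_type == 4, "Password",
                  eventBody.result_type == 5, "kbdint",
                  eventBody.result_type == 6, "Public key",
                  eventBody.result_type == 7, "Host based",
                  eventBody.result_type == 8, "GSS API",
                  eventBody.result_type == 9, "Invalid user",
                  "Unknown"
              ),
              ""
          )
      ),
      dynamic(null)
  )
  // Event Specific - performance
  // (no per-event fields extracted)
  // Event Specific - profile_add & profile_remove
  | extend Profile = iif(
      eventTypeHuman in ("profile_add", "profile_remove"),
      bag_pack(
          "profile_scope", iff(isnotempty(eventBody.profile.scope), eventBody.profile.scope, ""),
          // The value path previously read `profile.identifiery` (typo), so the identifier was always null.
          "profile_identifier", iff(isnotempty(eventBody.profile.identifier), eventBody.profile.identifier, ""),
          "profile_uuid", iff(isnotempty(eventBody.profile.uuid), eventBody.profile.uuid, ""),
          "profile_display_name", iff(isnotempty(eventBody.profile.display_name), eventBody.profile.display_name, ""),
          "profile_organization", iff(isnotempty(eventBody.profile.organization), eventBody.profile.organization, ""),
          "profile_is_updated", iff(isnotempty(eventBody.is_update), eventBody.is_update, ""),
          "profile_install_source", iff(
              isnotempty(eventBody.profile.install_source),
              case(
                  eventBody.profile.install_source == 0, "mdm",
                  eventBody.profile.install_source == 1, "manual",
                  "Unknown"
              ),
              ""
          )
      ),
      dynamic(null)
  )
  // Event Specific - screensharing_attach & screensharing_detach
  | extend Screensharing = iif(
      eventTypeHuman in ("screensharing_attach", "screensharing_detach"),
      bag_pack(
          "existing_session", iff(isnotempty(eventBody.existing_session), eventBody.existing_session, ""),
          // graphical_session_id used to be filled from graphical_authentication_username;
          // each now maps to the field of the same name so neither value is lost.
          "graphical_session_id", iff(isnotempty(eventBody.graphical_session_id), eventBody.graphical_session_id, ""),
          "graphical_authentication_username", iff(isnotempty(eventBody.graphical_authentication_username), eventBody.graphical_authentication_username, ""),
          "session_username", iff(isnotempty(eventBody.session_username), eventBody.session_username, ""),
          "viewer_appleid", iff(isnotempty(eventBody.viewer_appleid), eventBody.viewer_appleid, ""),
          "authentication_type", iff(isnotempty(eventBody.authentication_type), eventBody.authentication_type, ""),
          "source_address", iff(isnotempty(eventBody.source_address), eventBody.source_address, ""),
          "source_address_type", iff(
              isnotempty(eventBody.source_address_type),
              case(
                  eventBody.source_address_type == 0, "Unknown",
                  eventBody.source_address_type == 1, "IPv4",
                  eventBody.source_address_type == 2, "IPv6",
                  eventBody.source_address_type == 3, "UNIX Socket",
                  "Unknown"
              ),
              ""
          )
      ),
      dynamic(null)
  )
  // Event Specific - su
  | extend Su = iif(
      eventTypeHuman == "su",
      bag_pack(
          "username", iff(isnotempty(eventBody.username), eventBody.username, ""),
          "uid", iff(isnotempty(eventBody.uid), eventBody.uid, ""),
          "args", iff(isnotempty(eventBody.argv), eventBody.argv, ""),
          "env_vars", iff(isnotempty(eventBody.env), eventBody.env, ""),
          "env_count", iff(isnotempty(eventBody.env_count), eventBody.env_count, ""),
          "from_username", iff(isnotempty(eventBody.from_username), eventBody.from_username, ""),
          "to_username", iff(isnotempty(eventBody.to_username), eventBody.to_username, ""),
          "failure_message", iff(isnotempty(eventBody.failure_reason), eventBody.failure_reason, "")
      ),
      dynamic(null)
  )
  // Event Specific - sudo
  | extend Sudo = iif(
      eventTypeHuman == "sudo",
      bag_pack(
          "TargetProcessCommandLine", iff(isnotempty(eventBody.command), eventBody.command, ""),
          "attribute_name", iff(isnotempty(eventBody.attribute_name), eventBody.attribute_name, ""),
          "attribute_value", iff(isnotempty(eventBody.attribute_value), eventBody.attribute_value, "")
      ),
      dynamic(null)
  )
  // Event Specific - xp_malware_detected & xp_malware_remediated
  | extend Xprotect = iif(
      eventTypeHuman in ("xp_malware_detected", "xp_malware_remediated"),
      bag_pack(
          "detected_path", iff(isnotempty(eventBody.detected_path), eventBody.detected_path, ""),
          "remediated_path", iff(isnotempty(eventBody.remediated_path), eventBody.remediated_path, ""),
          "malware_identifier", iff(isnotempty(eventBody.malware_identifier), eventBody.malware_identifier, ""),
          "signature_version", iff(isnotempty(eventBody.signature_version), eventBody.signature_version, "")
      ),
      dynamic(null)
  )
  // Event Specific - gatekeeper_user_override
  | extend GatekeeperOverride = iif(
      eventTypeHuman == "gatekeeper_user_override",
      bag_pack(
          "TargetFilePath", iff(isnotempty(eventBody.file.path), eventBody.file.path, ""),
          "TargetFileSize", iff(isnotempty(eventBody.file.stat.st_size), eventBody.file.stat.st_size, ""),
          "TargetFileCreationTime", iff(isnotempty(eventBody.file.stat.st_birthtimespec), eventBody.file.stat.st_birthtimespec, ""),
          "TargetFileAccessedTime", iff(isnotempty(eventBody.file.stat.st_atimespec), eventBody.file.stat.st_atimespec, ""),
          "ActorUserId", iff(isnotempty(eventBody.file.stat.st_uid), eventBody.file.stat.st_uid, ""),
          "GroupId", iff(isnotempty(eventBody.file.stat.st_gid), eventBody.file.stat.st_gid, ""),
          "TargetFileSHA256", iff(isnotempty(eventBody.sha256), eventBody.sha256, ""),
          "TargetFileCdHash", iff(isnotempty(eventBody.signing_info.cdhash), eventBody.signing_info.cdhash, ""),
          "TargetBinarySigningTeamID", iff(isnotempty(eventBody.signing_info.team_id), eventBody.signing_info.team_id, ""),
          "TargetBinarySigningAppID", iff(isnotempty(eventBody.signing_info.signing_id), eventBody.signing_info.signing_id, ""),
          "ThreatFilePath", iff(isnotempty(eventBody.file.path), eventBody.file.path, ""),
          // bag_pack takes key/value pairs; the previous `ThreatCategory = "Malware"` form
          // is not valid inside bag_pack.
          "ThreatCategory", "Malware",
          "ThreatName", "User did override Gatekeeper"
      ),
      dynamic(null)
  )
  // Drop raw columns and the internal helpers introduced above.
  | project-away action, event, process, eventBody, csFlags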