cancel
Showing results for 
Search instead for 
Did you mean: 

Collect macOS XProtect logs with JumpCloud

creechy
Novitiate I

I found this article about collecting XProtect logs with Kolide...

https://www.kolide.com/features/device-inventory/properties/mac-xprotect-reports

is something like this possible with JumpCloud?  

1 ACCEPTED SOLUTION

TomBridge
JumpCloud Alumni
JumpCloud Alumni

Hi creechy!

Thanks for writing in - what an awesome topic. The XProtect database on your Macs is stored in a sqlite3 database in a location that you can read. For example, you can open the database from your machine with this command:

sudo sqlite3 /var/protected/xprotect/XPdb

Once open, you can review its contents with

select * from events;

 and review the events that XProtect detected on your device. Here's one such event:

                      id = 3643
           violated_rule = macOS.Browser.Generic
               exec_path = /usr/libexec/runningboardd
             exec_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
         exec_signing_id = com.apple.runningboardd
            exec_team_id = 
             exec_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
       exec_is_notarized = 0
        responsible_path = /usr/libexec/runningboardd
      responsible_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
  responsible_signing_id = com.apple.runningboardd
     responsible_team_id = 
      responsible_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
responsible_is_notarized = 0
                reported = 0
            profile_hash = 2908639582100820200
                      dt = 2024-01-31 17:01:37

Or, you could just dump the entire Events Table into a CSV file for parsing at a future time:

 sudo sqlite3 -header -csv /var/protected/xprotect/XPdb "select * from events;" > /Users/Shared/XPE.csv 

Uploading this data to a bucket of your choosing would then also be possible to string together in a Command, to give you a centralized source.

As JumpCloud supports periodic commands, you could write a periodic command to do this task once a month, and use the sqlite3 commands to only show you events since the last time it's run. 

While we don't currently collect a table for this information in our osquery implementation, I'd love a feature request for this, as we've got some good ideas around event detection and Apple's Endpoint Security Framework for the future.

View solution in original post

1 REPLY 1

TomBridge
JumpCloud Alumni
JumpCloud Alumni

Hi creechy!

Thanks for writing in - what an awesome topic. The XProtect database on your Macs is stored in a sqlite3 database in a location that you can read. For example, you can open the database from your machine with this command:

sudo sqlite3 /var/protected/xprotect/XPdb

Once open, you can review its contents with

select * from events;

 and review the events that XProtect detected on your device. Here's one such event:

                      id = 3643
           violated_rule = macOS.Browser.Generic
               exec_path = /usr/libexec/runningboardd
             exec_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
         exec_signing_id = com.apple.runningboardd
            exec_team_id = 
             exec_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
       exec_is_notarized = 0
        responsible_path = /usr/libexec/runningboardd
      responsible_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
  responsible_signing_id = com.apple.runningboardd
     responsible_team_id = 
      responsible_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
responsible_is_notarized = 0
                reported = 0
            profile_hash = 2908639582100820200
                      dt = 2024-01-31 17:01:37

Or, you could just dump the entire Events Table into a CSV file for parsing at a future time:

 sudo sqlite3 -header -csv /var/protected/xprotect/XPdb "select * from events;" > /Users/Shared/XPE.csv 

Uploading this data to a bucket of your choosing would then also be possible to string together in a Command, to give you a centralized source.

As JumpCloud supports periodic commands, you could write a periodic command to do this task once a month, and use the sqlite3 commands to only show you events since the last time it's run. 

While we don't currently collect a table for this information in our osquery implementation, I'd love a feature request for this, as we've got some good ideas around event detection and Apple's Endpoint Security Framework for the future.

You Might Like

New to the site? Take a look at these additional resources:

Community created scripts

Keep up with Product News

Read our community guidelines

Ready to join us? You can register here.