Collect macOS XProtect logs with JumpCloud

creechy
Novitiate I

I found this article about collecting XProtect logs with Kolide...

https://www.kolide.com/features/device-inventory/properties/mac-xprotect-reports

Is something like this possible with JumpCloud?

1 ACCEPTED SOLUTION

TomBridge
Rising Star II

Hi creechy!

Thanks for writing in - what an awesome topic. The XProtect database on your Macs is stored in a sqlite3 database in a location that you can read. For example, you can open the database from your machine with this command:

sudo sqlite3 /var/protected/xprotect/XPdb

Once open, you can review its contents with

select * from events;

and review the events that XProtect detected on your device. Here's one such event:

                      id = 3643
           violated_rule = macOS.Browser.Generic
               exec_path = /usr/libexec/runningboardd
             exec_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
         exec_signing_id = com.apple.runningboardd
            exec_team_id = 
             exec_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
       exec_is_notarized = 0
        responsible_path = /usr/libexec/runningboardd
      responsible_cdhash = bc010e2a467e18b7dd9735ea2d6dae8c86759eb4
  responsible_signing_id = com.apple.runningboardd
     responsible_team_id = 
      responsible_sha256 = 6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a
responsible_is_notarized = 0
                reported = 0
            profile_hash = 2908639582100820200
                      dt = 2024-01-31 17:01:37

Or, you could just dump the entire Events Table into a CSV file for parsing at a future time:

sudo sqlite3 -header -csv /var/protected/xprotect/XPdb "select * from events;" > /Users/Shared/XPE.csv

Uploading this data to a bucket of your choosing would then also be possible to string together in a Command, to give you a centralized source.

As JumpCloud supports periodic commands, you could write a periodic command to do this task once a month, and use the sqlite3 commands to only show you events since the last time it's run. 

While we don't currently collect a table for this information in our osquery implementation, I'd love a feature request for this, as we've got some good ideas around event detection and Apple's Endpoint Security Framework for the future.
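The "only events since the last run" periodic command described above, written out as an added example (not TomBridge's or JumpCloud's code): it keeps a dt/id watermark in a state file, opens XPdb read-only, and appends only rows newer than the watermark to the CSV. It assumes python3 is present on the Mac and that the command runs as root (XPdb lives under /var/protected); the state-file path, the table subset and the Example.* rows are constructed for the demo.

```python
import csv, sqlite3, tempfile
from pathlib import Path

def read_watermark(state_path):
    """(dt, id) of the newest row already exported, or ("", 0) on the first run."""
    p = Path(state_path)
    dt, _, row_id = (p.read_text().strip() if p.exists() else "").rpartition("|")
    return dt, int(row_id or 0)

def export_new_events(db_path, state_path, out_path):
    """Append events newer than the watermark to the CSV; return the row count."""
    last_dt, last_id = read_watermark(state_path)
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # never write to XPdb
    # dt ("YYYY-MM-DD HH:MM:SS") sorts chronologically as text; the id tiebreak
    # keeps rows that share the watermark's dt from being skipped on the next run.
    cur = con.execute("SELECT * FROM events WHERE dt > ? OR (dt = ? AND id > ?) "
                      "ORDER BY dt, id", (last_dt, last_dt, last_id))
    rows, columns = cur.fetchall(), [d[0] for d in cur.description]
    con.close()
    if not rows:
        return 0
    out = Path(out_path)
    with out.open("a", newline="") as fh:
        writer = csv.writer(fh)
        if out.stat().st_size == 0:  # new file: header row, like sqlite3 -header
            writer.writerow(columns)
        writer.writerows(rows)
    newest = dict(zip(columns, rows[-1]))
    Path(state_path).write_text(f"{newest['dt']}|{newest['id']}")
    return len(rows)

def build_sample_db(db_path, rows):
    """Constructed stand-in for XPdb with a subset of the columns shown in the post."""
    with sqlite3.connect(db_path) as con:
        con.execute("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, violated_rule "
                    "TEXT, exec_path TEXT, exec_sha256 TEXT, exec_is_notarized INTEGER, dt TEXT)")
        con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)

SAMPLE_ROWS = [  # first row is the event quoted in the post; the others are constructed
    (3643, "macOS.Browser.Generic", "/usr/libexec/runningboardd",
     "6bef7c24fd259e415571c4f4d9c5ca4a1ed5fdd18b5e8809015979efc20c942a", 0, "2024-01-31 17:01:37"),
    (3644, "Example.Rule.A", "/tmp/sample-a", "a" * 64, 0, "2024-02-14 09:12:03"),
    (3645, "Example.Rule.B", "/tmp/sample-b", "b" * 64, 1, "2024-02-14 09:12:03")]

def demo():  # run 1 exports all, run 2 nothing, run 3 one new row sharing the watermark's dt
    d = Path(tempfile.mkdtemp())
    db, state, out = str(d / "XPdb"), str(d / "state"), str(d / "XPE.csv")
    build_sample_db(db, SAMPLE_ROWS)
    first, second = export_new_events(db, state, out), export_new_events(db, state, out)
    build_sample_db(db, [(3646, "Example.Rule.C", "/tmp/sample-c", "c" * 64, 0, "2024-02-14 09:12:03")])
    return first, second, export_new_events(db, state, out)
```

On a managed Mac the call would be export_new_events("/var/protected/xprotect/XPdb", "/var/db/xprotect_export.state", "/Users/Shared/XPE.csv"), with the resulting CSV shipped to your bucket by the same command.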
