Apple Audit Logs

Overview

Evidence: Apple Audit Logs
Description: Collect Apple Audit Logs
Category: System
Platform: macOS
Short Name: audl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers Apple audit log information from the macOS system. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.

Data Collected

This collector gathers structured data about Apple audit logs.

Audit Log Data

| Field | Description | Example |
| --- | --- | --- |
| ID | Primary key (auto-increment) | 1 |
| AuditLogFile | Audit log file path | /private/var/audit/audit.log |
| Version | Audit version | 2 |
| Event | Audit event | execve |
| Modifier | Event modifier | 0 |
| Time | Event timestamp | 2023-10-15 14:30:25 |
| Msec | Milliseconds | 123 |
| AuditUID | Audit UID | 501 |
| UID | User ID | 501 |
| GID | Group ID | 20 |
| RUID | Real UID | 501 |
| RGID | Real GID | 20 |
| PID | Process ID | 1234 |
| SID | Session ID | 1234 |
| TID | Thread ID | 1234 |
| Errval | Error value | 0 |
| Retval | Return value | 0 |
| SignerType | Signer type | 1 |
| SigningID | Signing ID | com.apple.Safari |
| TeamID | Team ID | ABCD123456 |
| CDHash | Code directory hash | a1b2c3d4e5f6... |
| ExecArgs | Execution arguments | Safari --args |
| FullPath | Full path | /Applications/Safari.app/Contents/MacOS/Safari |
| Path | Path | /Applications/Safari.app/Contents/MacOS/Safari |

Collection Method

This collector parses the necessary data from the apple_audit_logs table.
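As an added example (not the collector's own parser), this Python snippet shows how the OpenBSM tokens in a macOS audit record map onto the fields listed above. The records are constructed in praudit(1) "-l" text style, and the token layout assumed here (header, exec arg, path, identity, subject, return) as well as every sample value are assumptions, not output from a real system.

```python
import re
from datetime import datetime

# Constructed praudit(1) "-l"-style records (comma delimited, numeric ids); made up.
SIGNED_RECORD = (
    "header,204,11,execve(2),0,Sun Oct 15 14:30:25 2023, + 123 msec,"
    "exec arg,Safari,--args,path,/Applications/Safari.app/Contents/MacOS/Safari,"
    "identity,1,com.apple.Safari,ABCD123456,a1b2c3d4e5f6,"
    "subject,501,501,20,501,20,1234,1234,1234,0.0.0.0,return,success,0,trailer,204")
UNSIGNED_RECORD = (  # no identity token: the binary carried no code signature
    "header,120,11,execve(2),0,Sun Oct 15 14:31:02 2023, + 7 msec,exec arg,/tmp/dropper,-q,"
    "path,/tmp/dropper,subject,501,501,20,501,20,1300,1234,1234,0.0.0.0,"
    "return,failure : Permission denied,-1,trailer,120")

TOKEN_NAMES = {"header", "exec arg", "path", "identity", "subject", "return", "trailer"}
SUBJECT_KEYS = ["AuditUID", "UID", "GID", "RUID", "RGID", "PID", "SID", "TID"]
FIELDS = ["Version", "Event", "Modifier", "Time", "Msec", *SUBJECT_KEYS, "Errval", "Retval",
          "SignerType", "SigningID", "TeamID", "CDHash", "ExecArgs", "FullPath", "Path"]

def split_tokens(record):
    """Group fields by the token keyword that starts each token (a value that is
    itself a token name would mis-split; real parsers read the binary BSM stream)."""
    tokens, current = [], None
    for field in record.split(","):
        if field in TOKEN_NAMES:
            current = [field]
            tokens.append(current)
        elif current is not None:
            current.append(field)
    return tokens

def parse_record(record):
    """Map one record onto the schema fields; tokens that are absent stay None."""
    row = dict.fromkeys(FIELDS)
    for name, *args in split_tokens(record):
        if name == "header":      # size, version, event, modifier, time, msec
            row["Version"], row["Modifier"] = int(args[1]), int(args[3])
            row["Event"] = re.sub(r"\(\d+\)$", "", args[2])  # execve(2) -> execve
            row["Time"] = datetime.strptime(args[4], "%a %b %d %H:%M:%S %Y").isoformat(" ")
            row["Msec"] = int(re.search(r"\d+", args[5]).group())
        elif name == "subject":   # auid, euid, egid, ruid, rgid, pid, sid, tid, addr
            row.update({k: int(v) for k, v in zip(SUBJECT_KEYS, args)})
        elif name == "return":    # "success" or "failure : <errno text>", then retval
            row["Errval"] = 0 if args[0] == "success" else args[0]
            row["Retval"] = int(args[1])
        elif name == "identity":  # signer type, signing id, team id, cdhash
            row["SignerType"] = int(args[0])
            row["SigningID"], row["TeamID"], row["CDHash"] = args[1:4]
        elif name == "exec arg":
            row["ExecArgs"] = " ".join(args)
        elif name == "path":
            row["FullPath"] = row["Path"] = args[0]
    return row
```

A record with no identity token (an unsigned binary) leaves SignerType, SigningID, TeamID and CDHash as None, which is itself a useful filter when triaging execve events.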

Usage

This evidence is crucial for forensic investigations as it provides Apple audit log information. It helps investigators understand system activity, detect security incidents, and investigate system-related events. The data can reveal system changes, unauthorized activities, and potential security vulnerabilities. Analysts can use this information to identify system compromises, trace malicious activities, and assess system security posture.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
