From da6b985aefc8953a87d1f96b552f69c1260a1c33 Mon Sep 17 00:00:00 2001
From: Tony Ramos
Date: Wed, 28 Jan 2026 07:53:29 -0500
Subject: [PATCH 1/4] feat: add ioc logs for macos UL to test bindplane as an EDR
---
data_library/ioc/access.log | 49 +++++++++++
data_library/ioc/readme.md | 156 ++++++++++++++++++++++++++++++++++++
2 files changed, 205 insertions(+)
create mode 100644 data_library/ioc/access.log
create mode 100644 data_library/ioc/readme.md
diff --git a/data_library/ioc/access.log b/data_library/ioc/access.log
new file mode 100644
index 0000000..7dbed53
--- /dev/null
+++ b/data_library/ioc/access.log
@@ -0,0 +1,49 @@
+{"timestamp":"2026-01-27T15:01:01.102Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"},
+{"timestamp":"2026-01-27T15:01:02.311Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:03.144Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.009Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.038Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.071Z","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:09.882Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"},
+{"timestamp":"2026-01-27T15:01:11.101Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:12.021Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:12.054Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:18.774Z","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.331Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:22.339Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.401Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.477Z","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:23.991Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:25.144Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"}
+
+{"timestamp":"2026-01-27T15:01:01.102Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"},
+{"timestamp":"2026-01-27T15:01:02.311Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:03.144Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.009Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.038Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:04.071Z","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:09.882Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"},
+{"timestamp":"2026-01-27T15:01:11.101Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:12.021Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:12.054Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:18.774Z","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.331Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"},
+{"timestamp":"2026-01-27T15:01:22.339Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.401Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:22.477Z","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:23.991Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"},
+
+{"timestamp":"2026-01-27T15:01:25.144Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"}
\ No newline at end of file
diff --git a/data_library/ioc/readme.md b/data_library/ioc/readme.md
new file mode 100644
index 0000000..6077607
--- /dev/null
+++ b/data_library/ioc/readme.md
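Review bot: The new access.log cannot be consumed as either a JSON array or JSON Lines: every object carries a trailing comma, blank lines separate the groups, and there is no enclosing `[` `]`, so a line-oriented file receiver will reject or skip each `},` line while an array parser fails on the missing brackets. The 24-event sequence is also pasted twice verbatim with identical pids and timestamps (the first copy ending on the `cache_analysis` line without a comma), so any ingester that does tolerate the format will double-count every event in the detection test. One object per line with no trailing commas, no blank lines and a single copy of the sequence is the shape the readme's own "single-line JSON objects" wording implies. Separately, the `remote_ip` values `104.248.89.146`, `195.184.76.65` and `171.231.182.106` are routable public addresses while the readme in the same commit states that no real infrastructure is represented; the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) keep a synthetic dataset from pointing at someone's host, or the readme should say plainly that these are real abuse-feed addresses. None of the baseline events the readme's Normal Traffic section promises (power, Wi-Fi, Spotlight, backups) appear in this file, so there is no noise for the sequence to hide in unless a generator supplies it later.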
@@ -0,0 +1,156 @@
+# macOS Unified Log Simulation Dataset
+
+## Overview
+
+This dataset contains **synthetic macOS Unified Logging–style events** designed to model:
+
+- Normal macOS background and user activity
+- Browser-based initial access
+- Rapid download-to-execution behavior
+- Post-execution cache activity used as the primary detection signal
+- Automated host containment (network quarantine)
+
+The logs are intentionally **uncorrelated**, **vendor-neutral**, and suitable for feeding into
+generators, analytics pipelines, or detection prototyping systems.
+
+All entries are **single-line JSON objects**, comma-separated, and follow a consistent schema.
+
+---
+
+## Log Format
+
+Each log entry is a JSON object with the following top-level fields:
+
+- `timestamp` — ISO-8601 UTC timestamp
+- `host` — macOS hostname
+- `subsystem` — macOS Unified Log subsystem (synthetic but realistic)
+- `category` — High-level event category
+- `process` — Process name
+- `pid` / `ppid` — Process and parent process IDs
+- `user` — Executing user
+- `event_type` — Normalized event action
+- `message` — Human-readable description
+- `path` — File path involved (if applicable)
+- `network` — Network metadata (if applicable)
+- `result` — Success / failure / unknown
+
+The schema is intentionally simple and **not aligned to Elastic, Splunk, or any other platform**.
+
+---
+
+## Normal Traffic
+
+Normal traffic includes typical macOS background activity such as:
+
+- Power state changes
+- Wi-Fi and Bluetooth connections
+- Software update checks
+- Time Machine backups
+- Spotlight indexing
+- iCloud synchronization
+- Media streaming
+- Printing and HID device activity
+- Metrics and analytics uploads
+
+These logs provide **baseline noise** and are intended to obscure malicious sequences when mixed
+into larger datasets.
+
+---
+
+## Modeled Attack Pattern
+
+The malicious behavior models a **content injection–style initial access** followed by rapid execution
+and delayed cache activity.
+
+### 1. Site Visit
+
+A user navigates to a website using a common browser:
+
+- Safari
+- Google Chrome
+- Firefox
+
+This is logged as normal navigation traffic.
+
+---
+
+### 2. Download Start
+
+Shortly after navigation, a download is initiated by the browser.
+The downloaded file is written to a user-accessible location such as:
+
+- `~/Downloads`
+
+---
+
+### 3. Rapid Execution
+
+Within seconds of the file being written:
+
+- A shell or helper process is spawned directly from the browser
+- The downloaded file is executed almost immediately
+
+**The only executed payload in this dataset is an EICAR test file**, used to safely represent execution.
+
+This rapid download → execute sequence is a key behavioral signal.
+
+---
+
+### 4. Delayed Cache Activity (Primary Detection Signal)
+
+Moments later, an **unrelated system process** writes files into a cache directory such as:
+
+- `~/Library/Caches`
+
+These cache writes are **not directly tied** to the browser or execution process.
+
+The cache directory is treated as the **source of truth for detection metrics**, and is used to:
+
+- Correlate execution artifacts
+- Drive in-memory analysis
+- Trigger downstream response logic
+
+---
+
+### 5. Containment Response
+
+Following anomalous cache activity:
+
+- The host is quarantined from the network
+- Network isolation is logged
+- Memory snapshots and metric collection may occur
+
+This represents an automated containment workflow based on behavioral signals rather than single events.
+
+---
+
+## Abuse-Reported IP Addresses
+
+Some network events include IP addresses sourced from abuse-reporting feeds.
+These IPs:
+
+- May appear inbound or outbound
+- Are not always directly correlated with execution
+- Exist to support enrichment and contextual analysis
+
+---
+
+## Intended Use Cases
+
+This dataset is suitable for:
+
+- Detection engineering
+- Behavioral analytics development
+- Metrics-driven correlation modeling
+- Memory and cache–centric analysis pipelines
+- Generator-based log synthesis
+- Testing alert fatigue and signal-to-noise ratios
+
+---
+
+## Notes
+
+- All data is synthetic.
+- No real malware is included.
+- No real users, systems, or infrastructure are represented.
+- Timing relationships are intentional and important.
\ No newline at end of file
From d9e79285161a079c82c02b634861fbc9428a6ec6 Mon Sep 17 00:00:00 2001
From: Tony Ramos
Date: Wed, 28 Jan 2026 11:12:43 -0500
Subject: [PATCH 2/4] use timestamp directives to auto pop times
---
data_library/ioc/access.log | 68 ++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/data_library/ioc/access.log b/data_library/ioc/access.log
index 7dbed53..98688a5 100644
--- a/data_library/ioc/access.log
+++ b/data_library/ioc/access.log
@@ -1,49 +1,49 @@ -{"timestamp":"2026-01-27T15:01:01.102Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"}, -{"timestamp":"2026-01-27T15:01:02.311Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:03.144Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.009Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.038Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.071Z","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File 
detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File 
detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:09.882Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"}, -{"timestamp":"2026-01-27T15:01:11.101Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:12.021Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:12.054Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google 
Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:18.774Z","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"}, -{"timestamp":"2026-01-27T15:01:22.331Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"}, 
-{"timestamp":"2026-01-27T15:01:22.339Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:22.401Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:22.477Z","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from 
network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"}, -{"timestamp":"2026-01-27T15:01:23.991Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:25.144Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"} +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"} 
-{"timestamp":"2026-01-27T15:01:01.102Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"}, -{"timestamp":"2026-01-27T15:01:02.311Z","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:03.144Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.009Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.038Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, -{"timestamp":"2026-01-27T15:01:04.071Z","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, 
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, +{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"}, 
-{"timestamp":"2026-01-27T15:01:09.882Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"},
-{"timestamp":"2026-01-27T15:01:11.101Z","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:12.021Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:12.054Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download 
initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:18.774Z","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"},
-{"timestamp":"2026-01-27T15:01:22.331Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:22.339Z","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:22.401Z","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:22.477Z","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from 
network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"},
-{"timestamp":"2026-01-27T15:01:23.991Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"},
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"},
-{"timestamp":"2026-01-27T15:01:25.144Z","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"} \ No newline at end of file
+{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"} \ No newline at end of file From 53e87000564524dea7ef1b018858e0c78422a62f Mon Sep 17 00:00:00 2001
From: Tony Ramos Date: Wed, 28 Jan 2026 11:13:01 -0500 Subject: [PATCH 3/4] add a doc section for adding an ew data library item
--- docs/development.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/docs/development.md b/docs/development.md
index 72f997b..5ba2915 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -19,3 +19,20 @@ make build
 ```bash
 make test
 ```
+
+## Adding a Data Library
+
+To add a new data library, create a directory under `data_library/` with your log files:
+
+```bash
+mkdir -p data_library/my-dataset
+# Add your log files to data_library/my-dataset/
+```
+
+The `filegen` generator automatically discovers and reads files from data library directories. Use it with:
+
+```bash
+./blitz --generator-type=filegen --generator-filegen-source=data_library/my-dataset --output-type=stdout
+```
+
+The generator reads files line-by-line and supports timestamp directives (e.g., `%Y-%m-%dT%H:%M:%SZ`) for dynamic timestamp generation. From b97e318273ace20358c2ff0e7fa70c5b2733fbf9 Mon Sep 17 00:00:00 2001 From: Tony Ramos Date: Wed, 28 Jan 2026 11:16:45 -0500 Subject: [PATCH 4/4] rename access.log to ul.log for unified logging, will add other .log files for other areas that have IOCs
--- data_library/ioc/readme.md | 156 ------------------------ data_library/ioc/{access.log => ul.log} | 0 2 files changed, 156 deletions(-) delete mode 100644 data_library/ioc/readme.md rename data_library/ioc/{access.log => ul.log} (100%)
diff --git a/data_library/ioc/readme.md b/data_library/ioc/readme.md deleted file mode 100644
index 6077607..0000000
--- a/data_library/ioc/readme.md
+++ /dev/null
@@ -1,156 +0,0 @@
-# macOS Unified Log Simulation Dataset
-
-## Overview
-
-This dataset contains **synthetic macOS Unified Logging–style events** designed to model:
-
-- Normal macOS background and user activity
-- Browser-based initial access
-- Rapid download-to-execution behavior
-- Post-execution cache activity used as the primary detection signal
-- Automated host containment (network quarantine)
-
-The logs are intentionally **uncorrelated**, **vendor-neutral**, and suitable for feeding into
-generators, analytics pipelines, or detection prototyping systems.
-
-All entries are **single-line JSON objects**, comma-separated, and follow a consistent schema.
-
----
-
-## Log Format
-
-Each log entry is a JSON object with the following top-level fields:
-
-- `timestamp` — ISO-8601 UTC timestamp
-- `host` — macOS hostname
-- `subsystem` — macOS Unified Log subsystem (synthetic but realistic)
-- `category` — High-level event category
-- `process` — Process name
-- `pid` / `ppid` — Process and parent process IDs
-- `user` — Executing user
-- `event_type` — Normalized event action
-- `message` — Human-readable description
-- `path` — File path involved (if applicable)
-- `network` — Network metadata (if applicable)
-- `result` — Success / failure / unknown
-
-The schema is intentionally simple and **not aligned to Elastic, Splunk, or any other platform**.
-
----
-
-## Normal Traffic
-
-Normal traffic includes typical macOS background activity such as:
-
-- Power state changes
-- Wi-Fi and Bluetooth connections
-- Software update checks
-- Time Machine backups
-- Spotlight indexing
-- iCloud synchronization
-- Media streaming
-- Printing and HID device activity
-- Metrics and analytics uploads
-
-These logs provide **baseline noise** and are intended to obscure malicious sequences when mixed
-into larger datasets.
-
----
-
-## Modeled Attack Pattern
-
-The malicious behavior models a **content injection–style initial access** followed by rapid execution
-and delayed cache activity.
-
-### 1. Site Visit
-
-A user navigates to a website using a common browser:
-
-- Safari
-- Google Chrome
-- Firefox
-
-This is logged as normal navigation traffic.
-
----
-
-### 2. Download Start
-
-Shortly after navigation, a download is initiated by the browser.
-The downloaded file is written to a user-accessible location such as:
-
-- `~/Downloads`
-
----
-
-### 3. Rapid Execution
-
-Within seconds of the file being written:
-
-- A shell or helper process is spawned directly from the browser
-- The downloaded file is executed almost immediately
-
-**The only executed payload in this dataset is an EICAR test file**, used to safely represent execution.
-
-This rapid download → execute sequence is a key behavioral signal.
-
----
-
-### 4. Delayed Cache Activity (Primary Detection Signal)
-
-Moments later, an **unrelated system process** writes files into a cache directory such as:
-
-- `~/Library/Caches`
-
-These cache writes are **not directly tied** to the browser or execution process.
-
-The cache directory is treated as the **source of truth for detection metrics**, and is used to:
-
-- Correlate execution artifacts
-- Drive in-memory analysis
-- Trigger downstream response logic
-
----
-
-### 5. Containment Response
-
-Following anomalous cache activity:
-
-- The host is quarantined from the network
-- Network isolation is logged
-- Memory snapshots and metric collection may occur
-
-This represents an automated containment workflow based on behavioral signals rather than single events.
-
----
-
-## Abuse-Reported IP Addresses
-
-Some network events include IP addresses sourced from abuse-reporting feeds.
-These IPs:
-
-- May appear inbound or outbound
-- Are not always directly correlated with execution
-- Exist to support enrichment and contextual analysis
-
----
-
-## Intended Use Cases
-
-This dataset is suitable for:
-
-- Detection engineering
-- Behavioral analytics development
-- Metrics-driven correlation modeling
-- Memory and cache–centric analysis pipelines
-- Generator-based log synthesis
-- Testing alert fatigue and signal-to-noise ratios
-
----
-
-## Notes
-
-- All data is synthetic.
-- No real malware is included.
-- No real users, systems, or infrastructure are represented.
-- Timing relationships are intentional and important. \ No newline at end of file
diff --git a/data_library/ioc/access.log b/data_library/ioc/ul.log similarity index 100% rename from data_library/ioc/access.log rename to data_library/ioc/ul.log