Ioc #59 (Open)

49 changes: 49 additions & 0 deletions data_library/ioc/ul.log
@@ -0,0 +1,49 @@
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"navigation","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to https://cdn-media-stream[.]net","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"104.248.89.146","remote_port":443},"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.Safari","category":"download","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"file","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"file_write","message":"Browser wrote file to disk","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},

Collaborator
Another thing I noticed is that sometimes you have extra newlines. I don't know how that will affect the generator. I designed it with the sample files all not having them.

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"navigation","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"http_request","message":"Visited streaming resource","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"195.184.76.65","remote_port":443},"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.google.Chrome","category":"download","process":"Google Chrome","pid":933,"ppid":1,"user":"alice","event_type":"download_start","message":"Download initiated","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"process_launch","message":"Child shell launched from Chrome","path":"/bin/sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1492,"ppid":933,"user":"alice","event_type":"file_execute","message":"Executed recently written file","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"org.mozilla.firefox","category":"navigation","process":"Firefox","pid":977,"ppid":1,"user":"alice","event_type":"http_request","message":"Navigated to external media endpoint","path":null,"network":{"direction":"outbound","protocol":"https","remote_ip":"171.231.182.106","remote_port":443},"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"File written to cache directory","path":"/Users/alice/Library/Caches/com.apple.Safari/cache.tmp","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.coreservices","category":"file","process":"coreservicesd","pid":410,"ppid":1,"user":"root","event_type":"file_write","message":"Additional cache artifact created","path":"/Users/alice/Library/Caches/com.apple.Safari/blob_18472","network":null,"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.securityd","category":"decision","process":"securityd","pid":222,"ppid":1,"user":"root","event_type":"policy_evaluation","message":"Cache directory anomaly detected","path":"/Users/alice/Library/Caches","network":null,"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.networkextension","category":"containment","process":"neagent","pid":601,"ppid":1,"user":"root","event_type":"network_isolation","message":"Host quarantined from network","path":null,"network":{"direction":"outbound","protocol":null,"remote_ip":null,"remote_port":null},"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"snapshot","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"memory_snapshot","message":"In-memory execution snapshot captured","path":null,"network":null,"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.metrics","category":"cache","process":"metricsextension","pid":711,"ppid":1,"user":"root","event_type":"cache_analysis","message":"Cache directory used as primary telemetry source","path":"/Users/alice/Library/Caches","network":null,"result":"success"}
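Review bot: every record except the last one ends in `},`, so no line parses on its own as JSON and the file is not a JSON array either; a generator that picks a line at random and emits it verbatim will produce `{"timestamp":...},` and any JSON consumer downstream will reject it. Drop the trailing commas so each line is one complete JSON object, and take out the blank lines between the browser groups (already raised above) so a random pick never returns an empty line. Two smaller things: the docs in this same PR only mention `%Y-%m-%dT%H:%M:%SZ`, while every record here depends on `%3N` in `"%Y-%m-%dT%H:%M:%S.%3NZ"`, and `%N` is a GNU date extension rather than a strftime directive, so confirm the generator expands it; and the `network_isolation` record carries an all-null `network` object where every other host-local record uses `"network":null`, so pick one shape to keep the schema consistent. The Chrome sequence also jumps from `download_start` to `file_execute` of a "recently written file" with no `file_write` event in between, unlike the Safari sequence.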

17 changes: 17 additions & 0 deletions docs/development.md
@@ -19,3 +19,20 @@ make build
```bash
make test
```

## Adding a Data Library

To add a new data library, create a directory under `data_library/` with your log files:

```bash
mkdir -p data_library/my-dataset
# Add your log files to data_library/my-dataset/
```

The `filegen` generator automatically discovers and reads files from data library directories. Use it with:
Collaborator
This statement isn't true. This generator just accepts any arbitrary path to a directory or file.


```bash
./blitz --generator-type=filegen --generator-filegen-source=data_library/my-dataset --output-type=stdout
```

The generator reads files line-by-line and supports timestamp directives (e.g., `%Y-%m-%dT%H:%M:%SZ`) for dynamic timestamp generation.
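Review bot: the new section never says what a data library file has to look like, so a contributor cannot tell that each line must be one complete JSON record with no blank lines and no trailing commas, which is exactly what `data_library/ioc/ul.log` in this PR gets wrong; add a sentence on the per-line format and one sample record after the `mkdir -p data_library/my-dataset` snippet. The last paragraph should also list which timestamp directives are actually supported, since it shows only `%Y-%m-%dT%H:%M:%SZ` while ul.log relies on `%3N`. As the comments above note, the `filegen` description needs to say the flag accepts any file or directory path and that a record is chosen at random per generation, not read line by line.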
Collaborator
It doesn't read them line by line (or shouldn't), it should randomly select from within the file on each generation.

Author
I'll correct both of these doc entries and ping you!

Collaborator
Well, you were correct. I don't know how that made it through. Stupid AI not following directions, and me not being clear enough with the goal of the change to the reviewers.

I've got a PR open to fix it though. #60
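The following is an added example, not code from this PR or from the blitz `filegen` generator, placed here after the thread. It implements the data-library contract the way the reviewers describe it (one JSON record per line, a random record picked on each generation, strftime-style timestamp directives) and lints a constructed sample modelled on ul.log for the trailing commas and stray blank lines flagged above. The treatment of `%3N` as "three digits of the fractional second", the function names, and the detection at the end are assumptions of this example; the detection shows the chain the dataset encodes, a file downloaded by a browser and then executed by a child of that browser.

```python
import json
import random
import re
from datetime import datetime, timezone

# Constructed sample modelled on data_library/ioc/ul.log from this PR (not the PR's file):
# lines 1, 3 and 4 carry the trailing comma seen in the diff and line 2 is a stray blank line.
SAMPLE = '''{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","process":"Safari","pid":901,"ppid":1,"user":"alice","event_type":"download_start","path":"/Users/alice/Downloads/eicar_test.sh"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","path":"/bin/bash"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","path":"/Users/alice/Downloads/eicar_test.sh"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh"}
'''

# Fixed clock so the example is reproducible; a real generator would use datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2024, 5, 6, 7, 8, 9, 123456, tzinfo=timezone.utc)

# "%3N" is a GNU date extension (fractional seconds), not a C/Python strftime directive.
# Assumption: the dataset means "n digits of the fractional second", so expand it before strftime.
_FRACTION = re.compile(r"%(\d)N")


def lint_records(text):
    """Parse a data-library file as one JSON object per line.

    Returns (records, problems). A line that only needs its trailing comma
    removed is still loaded, so the caller can see what the generator would
    emit, but the defect is reported with its line number.
    """
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            problems.append((lineno, "blank line"))
            continue
        if line.endswith(","):
            problems.append((lineno, "trailing comma"))
            line = line[:-1]
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(obj, dict):
            problems.append((lineno, "not a JSON object"))
            continue
        records.append(obj)
    return records, problems


def render_timestamp(directive, now):
    """Expand the timestamp template: %<n>N becomes n fractional digits, the rest is strftime."""
    frac = f"{now.microsecond:06d}".ljust(9, "0")
    expanded = _FRACTION.sub(lambda m: frac[: int(m.group(1))], directive)
    return now.strftime(expanded)


def generate(records, seed=0, now=None):
    """Emit one event the way the reviewer describes filegen: a random record per call, timestamp rendered."""
    rng = random.Random(seed)
    now = now or datetime.now(timezone.utc)
    rec = dict(rng.choice(records))
    if isinstance(rec.get("timestamp"), str):
        rec["timestamp"] = render_timestamp(rec["timestamp"], now)
    return rec


def downloaded_then_executed(records):
    """The chain this dataset encodes: a browser downloads a file and a child of that
    browser executes the same path. Returns (path, executing process, browser pid) hits."""
    downloads = {}  # path -> pid of the browser that started the download
    hits = []
    for rec in records:
        if rec.get("event_type") == "download_start" and rec.get("path"):
            downloads[rec["path"]] = rec.get("pid")
        elif rec.get("event_type") == "file_execute":
            path = rec.get("path")
            if path in downloads and downloads[path] == rec.get("ppid"):
                hits.append((path, rec.get("process"), rec.get("ppid")))
    return hits


if __name__ == "__main__":
    recs, probs = lint_records(SAMPLE)
    for lineno, msg in probs:
        print(f"ul.log:{lineno}: {msg}")
    print(json.dumps(generate(recs, seed=1, now=EXAMPLE_NOW)))
    print(downloaded_then_executed(recs))
```

Running the lint against the constructed sample reports the three trailing commas and the blank line; a CI step that fails on any reported problem would have caught the file in this PR before merge. The detection deliberately keys on the parent pid rather than on the process name, so a renamed shell still matches as long as it was spawned by the browser that fetched the file.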