Skip to content

New MacOS detections T1016 #3672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 7 commits into
base: develop
Choose a base branch
from
Draft

New MacOS detections T1016 #3672

wants to merge 7 commits into from
+105 −2

Conversation

@jwindley
Copy link
Contributor

@jwindley jwindley commented Sep 8, 2025

Adding a couple of MacOS detections (first of many, hopefully), using data captured from TA-osquery.

@ljstella
Copy link
Contributor

ljstella commented Sep 8, 2025

Testing is failing - Testing environment does not currently have the osquery TA for this dataset, a new release hasn't been cut on that repo, and the app itself is archived from Splunkbase (don't think it'll be unarchived either due to changes in Splunk Works) - We'll need an actual release package of that TA and getting it into the config before testing can pass.

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Oct 24, 2025
@nasbench nasbench marked this pull request as draft October 24, 2025 12:42
@patel-bhavin
Copy link
Contributor

patel-bhavin commented Nov 10, 2025

@jwindley : You think we can get this TA unarchived by the Splunkbase folks or maybe we can consider shipping these detections as experimental and have detailed info in the how to implement section due to lack of supported TA?

@jwindley
Copy link
Contributor Author

jwindley commented Nov 11, 2025

Hi @patel-bhavin . Regarding the TA - I have made updates to https://github.com/splunk/TA-osquery to bring it up-to-date. Not sure the process for getting this latest version on to Splunkbase. @josehelps owns the TA so perhaps he can help?

Happy for you to ship as experimental if you wish.

nasbench
nasbench reviewed Nov 12, 2025
View reviewed changes
@nasbench
Copy link
Contributor

nasbench commented Nov 12, 2025

@jwindley : You think we can get this TA unarchived by the Splunkbase folks or maybe we can consider shipping these detections as experimental and have detailed info in the how to implement section due to lack of supported TA?

Does not make sense to ship these if there is no easy way for a customer to get this data imo. We should work to get the TA back on splunkbase or just keep this on hold

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench left review comments

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Detections WIP DO NOT MERGE Work in Progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jwindley @ljstella @patel-bhavin @nasbench