Overview of macOS Threats category


This document provides an overview of the rule sets in the macOS Threats category, the required data sources, and configuration you can use to tune the alerts generated by these rule sets.

Rule sets in the macOS Threats category help identify threats in macOS environments using CrowdStrike Falcon, macOS Auditing System (AuditD), and Unix system logs. This category includes the following rule sets:

  • Mandiant Intel Emerging Threats: This rule set contains rules derived from Mandiant Intelligence Campaigns and Significant Events, which cover highly impactful geopolitical and threat activity, as assessed by Mandiant. This activity may include geopolitical conflict, exploitation, phishing, malvertising, ransomware, and supply chain compromises.

Supported devices and log types

This section lists the data required by each rule set. Contact your Google Security Operations representative if you are collecting endpoint data using different EDR software.

For a list of all Google Security Operations supported data sources, see Supported default parsers.

Mandiant Front-Line Threats and Mandiant Intel Emerging Threats rule sets

These rule sets have been tested and are supported with the following Google Security Operations supported EDR data sources:

  • Carbon Black (CB_EDR)
  • SentinelOne (SENTINEL_EDR)
  • CrowdStrike Falcon (CS_EDR)

These rule sets are being tested and optimized for the following Google Security Operations supported EDR data sources:

  • Tanium
  • Cybereason EDR (CYBEREASON_EDR)
  • Lima Charlie (LIMACHARLIE_EDR)
  • OSQuery
  • Zeek
  • Cylance (CYLANCE_PROTECT)

To ingest these logs into Google Security Operations, see Ingest Google Cloud data to Google Security Operations. Contact your Google Security Operations representative if you need to collect these logs using a different mechanism.

For a list of all Google Security Operations supported data sources, see Supported default parsers.

Tuning alerts returned by macOS Threats category

You can reduce the number of detections a rule or rule set generates by using rule exclusions.

A rule exclusion defines criteria on a UDM event; an event that matches those criteria is not evaluated by the rule set.

Create one or more rule exclusions to identify UDM event criteria that exclude matching events from evaluation by this rule set, or by specific rules within it. See Configure rule exclusions for information about how to do this.
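As an added illustration that is not part of this page or of Google Security Operations, the following Python models the exclusion flow described above over a handful of constructed UDM-style events: each exclusion is a set of dotted UDM field paths with exact values, an event that matches every criterion is set aside before the rule runs, and only the remaining events reach the detection logic. The field names follow UDM conventions (principal.hostname, principal.user.userid, target.process.file.full_path), but the exclusion syntax, the sample events and the osascript rule are assumptions made for this example, not the product's actual configuration format or any rule from the rule set.

```python
"""Added example: a minimal model of rule exclusions applied before rule
evaluation. Events, exclusion syntax and the rule are constructed for this
illustration; they are not Google Security Operations' own format or rules."""
from typing import Any, Callable

# Constructed UDM-style events. Field names follow UDM naming; values are made up.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # osascript launched by the CI account on a build host: expected, noisy
        "metadata": {"event_type": "PROCESS_LAUNCH", "log_type": "CS_EDR"},
        "principal": {"hostname": "mac-build-01", "user": {"userid": "ci-runner"}},
        "target": {"process": {"file": {"full_path": "/usr/bin/osascript"}}},
    },
    {   # osascript launched by an interactive user on a laptop: worth a look
        "metadata": {"event_type": "PROCESS_LAUNCH", "log_type": "CS_EDR"},
        "principal": {"hostname": "mac-laptop-42", "user": {"userid": "jdoe"}},
        "target": {"process": {"file": {"full_path": "/usr/bin/osascript"}}},
    },
    {   # ordinary binary; the rule should not fire
        "metadata": {"event_type": "PROCESS_LAUNCH", "log_type": "CS_EDR"},
        "principal": {"hostname": "mac-laptop-42", "user": {"userid": "jdoe"}},
        "target": {"process": {"file": {"full_path": "/bin/ls"}}},
    },
    {   # build host but a human account: only one of the two criteria matches
        "metadata": {"event_type": "PROCESS_LAUNCH", "log_type": "CS_EDR"},
        "principal": {"hostname": "mac-build-01", "user": {"userid": "jdoe"}},
        "target": {"process": {"file": {"full_path": "/usr/bin/osascript"}}},
    },
]

# Hypothetical exclusion format: dotted UDM path -> exact value. Every
# criterion must match (AND) for the event to be excluded, so the exclusion
# stays narrow and the rule remains live for anything that differs.
EXCLUSIONS: list[dict[str, Any]] = [
    {
        "name": "ci-osascript-noise",
        "criteria": {
            "principal.hostname": "mac-build-01",
            "principal.user.userid": "ci-runner",
        },
    },
]


def get_field(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted UDM path; return None when any segment is absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_exclusion(event: dict[str, Any], exclusion: dict[str, Any]) -> bool:
    """True only when every criterion of the exclusion matches the event exactly."""
    return all(get_field(event, path) == value
               for path, value in exclusion["criteria"].items())


def osascript_rule(event: dict[str, Any]) -> bool:
    """Stand-in detection logic (hypothetical, not a rule from this category):
    flag any process launch of the osascript binary."""
    return (get_field(event, "metadata.event_type") == "PROCESS_LAUNCH"
            and get_field(event, "target.process.file.full_path") == "/usr/bin/osascript")


def triage(events: list[dict[str, Any]],
           exclusions: list[dict[str, Any]],
           rule: Callable[[dict[str, Any]], bool]) -> dict[str, Any]:
    """Apply exclusions first, then run the rule only over the surviving events.
    Returns alert hostnames, the (hostname, exclusion name) pairs set aside,
    and how many events the rule actually evaluated."""
    alerts: list[str] = []
    excluded: list[tuple[str, str]] = []
    evaluated = 0
    for event in events:
        hit = next((ex["name"] for ex in exclusions if matches_exclusion(event, ex)), None)
        if hit is not None:
            excluded.append((get_field(event, "principal.hostname"), hit))
            continue  # excluded events never reach the rule
        evaluated += 1
        if rule(event):
            alerts.append(get_field(event, "principal.hostname"))
    return {"alerts": alerts, "excluded": excluded, "evaluated": evaluated}


if __name__ == "__main__":
    print("without exclusions:", triage(SAMPLE_EVENTS, [], osascript_rule))
    print("with exclusions:   ", triage(SAMPLE_EVENTS, EXCLUSIONS, osascript_rule))
```

Run without exclusions, the rule fires three times; with the exclusion in place it fires twice and one event is recorded as excluded. The fourth event still produces an alert because the exclusion requires both the host and the CI account to match, which is the behaviour you want from tuning: the known-noisy pattern is silenced, but the same host under a different account is still evaluated.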