mac-monitor's People

Contributors

brandon7cc, mgraeber-rc, toddgaiser

mac-monitor's Issues

Artifact Filtering -> ES events filtering issues

Describe the bug
When I remove an event from the Artifact Filtering -> ES events to see it in the view, I can't add it back. I need to fully disable filtering and re-enable it to be able to filter out the event.

Expected behavior
When I click "remove", there should be a button to "add".

To Reproduce
Steps to reproduce the behavior:

  1. Enable artifact filtering
  2. remove an item

Platform specifics (please complete the following information):

  • macOS version 13.3.1
  • Architecture Intel
  • Version 1.0.1 (1)

Sorting columns

At a high level -- can you summarize your request?
It would be nice to be able to order columns alphabetically when clicking on the column name.

What is the current alternative solution?
Export the events and do it in another tool

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
None, just general filtering/sorting

Anything else?
NA

Homebrew package

Hi Brandon and Red Canary Team,

are you planning to make the package available in Homebrew?

kind regards

SIEM integration

At a high level -- can you summarize your request?
For atomic tests in a larger environment, several agents could forward these events to a SIEM. That is better for large-volume log storage. It would be better to add a way to forward the gathered events to a SIEM using the syslog protocol.

What is the current alternative solution?
There are some alternative solutions, but none are open source.

Event Metadata window in Main view

At a high level -- can you summarize your request?
If I have a lot of events that look similar it would be nice to quickly be able to use the arrow keys to navigate down the list while looking at the event metadata, to see something like whether there are different parent processes for these. Even if it's just a non-usable text "summary" view of the event facts underneath the mini-chart.

What is the current alternative solution?
Open each event in event metadata and manually compare

Clicking on the col headings does not sort them

Describe the bug
When clicking on the column headings ( eg. Event Type, Target, Effective User, Source process) I would expect these columns to then sort alphabetically, but the heading title just responds like a button without any effect on the table

Expected behavior
Clicking on col headings rotates through sorting alphabetically, reverse alphabetically and none/default

To Reproduce
Steps to reproduce the behavior:

  1. Click col heading

Platform specifics (please complete the following information):

  • macOS version: 13.2.1
  • Architecture: Apple Silicon

Right click - Filter Target Path

At a high level -- can you summarize your request?
Would be nice to be able to quickly filter events based on Target Paths, just like we have an option for Process Path filtering.

What is the current alternative solution?
Use muted paths in main settings, or export events and filter them manually.

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
No, this only helps with general event filtering.

Anything else?
No

Artifact Filtering -> ES event list not in Sync with Subscribed events

Describe the bug
When I subscribe to a new event, it should appear under Artifact Filtering -> ES events, but it only appears if I disable/enable it.

Expected behavior
See above

To Reproduce
Steps to reproduce the behavior:

  1. Enable artifact filtering
  2. Subscribe to a new event in Settings
  3. The new event won't appear in Artifact Filtering -> ES events

Platform specifics (please complete the following information):

  • macOS version 13.3.1
  • Architecture Intel
  • Version 1.0.1 (1)

MDM PPPC/SystemExtension auto allow

Massive thank you to @golbiga for the suggestion and the profile! We'll be adding this in the repository along with some brief instructions!

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>AllowUserOverrides</key>
			<true/>
			<key>AllowedTeamIdentifiers</key>
			<array>
				<string>UA6JCQGF3F</string>
			</array>
			<key>PayloadDescription</key>
			<string></string>
			<key>PayloadDisplayName</key>
			<string>System Extensions</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>D6064C03-0056-4E62-9CDC-141BA0FB4215</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.system-extension-policy</string>
			<key>PayloadUUID</key>
			<string>D6064C03-0056-4E62-9CDC-141BA0FB4215</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadDescription</key>
			<string></string>
			<key>PayloadDisplayName</key>
			<string>Privacy Preferences Policy Control</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadIdentifier</key>
			<string>F00137CF-4CB6-48E4-9630-50D235ECD47D</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.TCC.configuration-profile-policy</string>
			<key>PayloadUUID</key>
			<string>F00137CF-4CB6-48E4-9630-50D235ECD47D</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Services</key>
			<dict>
				<key>SystemPolicyAllFiles</key>
				<array>
					<dict>
						<key>Allowed</key>
						<integer>1</integer>
						<key>CodeRequirement</key>
						<string>anchor apple generic and identifier "com.redcanary.agent.securityextension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UA6JCQGF3F)</string>
						<key>Identifier</key>
						<string>com.redcanary.agent.securityextension</string>
						<key>IdentifierType</key>
						<string>bundleID</string>
						<key>StaticCode</key>
						<integer>0</integer>
					</dict>
				</array>
			</dict>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string>Red Canary Mac Monitor</string>
	<key>PayloadEnabled</key>
	<true/>
	<key>PayloadIdentifier</key>
	<string>B942042C-CE97-46E5-9093-407DBFD45C9D</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadRemovalDisallowed</key>
	<true/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>B942042C-CE97-46E5-9093-407DBFD45C9D</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
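Before pushing a profile like the one above through MDM, it is worth checking that its two payloads actually agree with each other: the system-extension policy allows a Team ID, and the PPPC Full Disk Access grant pins a code requirement to a bundle ID and a signer OU. If those drift apart (a copied profile edited for another product, for instance), the extension silently fails to get Full Disk Access. The following is an added example, not code from the mac-monitor project or from the profile's author. It rebuilds the profile from the values in the issue (empty description/organization strings omitted), then runs consistency checks that are this example's own rules, not Apple's profile validation.

```python
"""Added example: consistency checks for a SystemExtension + PPPC configuration profile."""
import plistlib
import re

# Values taken from the profile posted in the issue.
TEAM_ID = "UA6JCQGF3F"
EXT_BUNDLE_ID = "com.redcanary.agent.securityextension"
CODE_REQ = (
    'anchor apple generic and identifier "com.redcanary.agent.securityextension" '
    "and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = UA6JCQGF3F)"
)


def profile_from_issue() -> bytes:
    """Serialize the issue's profile (same keys and values) to XML plist bytes."""
    sysext = {
        "AllowUserOverrides": True,
        "AllowedTeamIdentifiers": [TEAM_ID],
        "PayloadDisplayName": "System Extensions",
        "PayloadEnabled": True,
        "PayloadIdentifier": "D6064C03-0056-4E62-9CDC-141BA0FB4215",
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadUUID": "D6064C03-0056-4E62-9CDC-141BA0FB4215",
        "PayloadVersion": 1,
    }
    pppc = {
        "PayloadDisplayName": "Privacy Preferences Policy Control",
        "PayloadEnabled": True,
        "PayloadIdentifier": "F00137CF-4CB6-48E4-9630-50D235ECD47D",
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadUUID": "F00137CF-4CB6-48E4-9630-50D235ECD47D",
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": [{
            "Allowed": 1, "CodeRequirement": CODE_REQ, "Identifier": EXT_BUNDLE_ID,
            "IdentifierType": "bundleID", "StaticCode": 0}]},
    }
    top = {
        "PayloadContent": [sysext, pppc],
        "PayloadDisplayName": "Red Canary Mac Monitor",
        "PayloadEnabled": True,
        "PayloadIdentifier": "B942042C-CE97-46E5-9093-407DBFD45C9D",
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": "B942042C-CE97-46E5-9093-407DBFD45C9D",
        "PayloadVersion": 1,
    }
    return plistlib.dumps(top)


def check_profile(data: bytes) -> list:
    """Return a list of problems found; an empty list means the profile is consistent."""
    problems = []
    top = plistlib.loads(data)
    if top.get("PayloadType") != "Configuration" or top.get("PayloadScope") != "System":
        problems.append("top level must be a System-scoped Configuration payload")
    payloads = top.get("PayloadContent", [])
    # Every payload, including the top level, needs a unique identifier and UUID.
    ids = [p.get("PayloadIdentifier") for p in payloads + [top]]
    uuids = [p.get("PayloadUUID") for p in payloads + [top]]
    if len(set(ids)) != len(ids) or len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadIdentifier or PayloadUUID")
    by_type = {p.get("PayloadType"): p for p in payloads}
    sysext = by_type.get("com.apple.system-extension-policy")
    pppc = by_type.get("com.apple.TCC.configuration-profile-policy")
    if sysext is None or pppc is None:
        problems.append("missing system-extension or PPPC payload")
        return problems
    allowed_teams = set(sysext.get("AllowedTeamIdentifiers", []))
    entries = pppc.get("Services", {}).get("SystemPolicyAllFiles", [])
    if not entries:
        problems.append("no SystemPolicyAllFiles (Full Disk Access) entry")
    for entry in entries:
        if entry.get("Allowed") != 1 or entry.get("IdentifierType") != "bundleID":
            problems.append("Full Disk Access entry must be Allowed=1 keyed by bundleID")
        req = entry.get("CodeRequirement", "")
        # The designated requirement must name the same bundle ID as the entry...
        m = re.search(r'identifier "([^"]+)"', req)
        if not m or m.group(1) != entry.get("Identifier"):
            problems.append("CodeRequirement identifier does not match Identifier")
        # ...and pin the signer to a Team ID the system-extension payload allows.
        ou = re.search(r"subject\.OU\]\s*=\s*([A-Z0-9]+)", req)
        if not ou or ou.group(1) not in allowed_teams:
            problems.append("CodeRequirement Team ID not in AllowedTeamIdentifiers")
    return problems


if __name__ == "__main__":
    print(check_profile(profile_from_issue()) or "profile is internally consistent")
```

The check only proves the profile agrees with itself. To confirm the code requirement matches what is actually installed, compare it against `codesign -d -r- <path to the extension bundle>` on a host where the extension is loaded; a requirement that names the wrong bundle ID or OU is accepted by MDM without complaint and simply never matches.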

Ability to add the message timestamp as a column to the main pane

At a high level -- can you summarize your request?
Would like the ability to see time stamps for all events in the main pane without having to go into the event metadata for each event.

What is the current alternative solution?
Timestamps do not appear to be visible in the main page. Going to the event metadata allows you to see the timestamps.

Can't start recording events

Describe the bug
I've tried installing v1.0.3 through homebrew and also using the released .pkg file. In both cases the behavior is the same. I am unable to start recording events even after granting permissions.

Expected behavior
I expect to be able to start recording events.

To Reproduce
Steps to reproduce the behavior:

  1. Launch "Red Canary Mac Monitor"
  2. Select Menu "Security Extension -> System Setting: Full Disk Access", enable this for "Red Canary Security Extension", confirm with TouchID, close System Settings window
  3. Click greyed out "Start" button in "Red Canary Mac Monitor" window
  4. Error message: "Quit and re-open! You need to quit and re-open the app after enabling Full Disk Access."
  5. Click "Let's do it!" which just appears to quit the application
  6. Launch "Red Canary Mac Monitor"
  7. Select Menu "Security Extension -> System Setting: Full Disk Access", confirm that this is already enabled for "Red Canary Security Extension"
  8. Click greyed out "Start" button in "Red Canary Mac Monitor" window
  9. Get the same error message: "Quit and re-open! You need to quit and re-open the app after enabling Full Disk Access."

Platform specifics (please complete the following information):

  • macOS version: 13.3.1 (a)
  • Architecture: Apple Silicon
  • Version: Version 1.0.3 (1), Build name: GoldCardinal

No prompt for system extension

I have downloaded the package from the releases page and the installation went well. After starting "Red Canary Mac Monitor" there was no prompt regarding the installation of the extension. Selecting the install command in the "Security Extension" menu does nothing. I am on 13.5.2.

Wazuh Agent Integration

At a high level -- can you summarize your request?
I would very much like to be able to send the data from Mac Monitor to my Wazuh server XDR/SIEM for analysis. This would require a custom decoder and rules, and shipping off from the agent. Wazuh already supports macOS-formatted logs.

What is the current alternative solution?
On a Mac? Very little. Defender/Intune, maybe; there is no sysmon or auditd for Macs like this appears to be.

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
So many threats have been emerging for Apple products lately; this kind of enhanced telemetry would really give defenders an advantage in detection, as sysmon does for Windows systems.

Anything else?
N/A

CLI Functionality

At a high level -- can you summarize your request?
I would like the ability to stream events from the command line similar to the logging offered by little snitch https://help.obdev.at/littlesnitch5/adv-commandline or objective-see tools https://github.com/objective-see/ProcessMonitor

What is the current alternative solution?
https://help.obdev.at/littlesnitch5/adv-commandline
https://github.com/objective-see/ProcessMonitor

Anything else?
Streaming network events that also contain process information is a real pain on macOS. It would be nice to have the telemetry stream provided by EDR without the EDR.

Filter events based on UserID

At a high level -- can you summarize your request?
It would be nice to filter events based on userID.

What is the current alternative solution?
Export all events and filter them.

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
Not really, but the main idea is to monitor processes run as root to catch processes running elevated.

Anything else?
NA

Please consider releasing source code alongside documentation on GitHub

At a high level -- can you summarize your request?

@Brandon7CC - a kind request to you to consider publishing the source code of your software along with the documentation. Many understand that your software is the product of your hard work and intellectual property. However, many believe that releasing the source code will be beneficial to the community, especially when you present your tool here on GitHub.

Your work has likely been inspired by other tools available in the community, such as https://github.com/objective-see and https://github.com/SuprHackerSteve/Crescendo. The community and stargazers already appreciate the effort you have put into developing your tool and encourage you to share the code along with the documentation.

In the #macadmins and security-conscious community, such transparency is highly valued, and having access to source code provides an opportunity to learn, collaborate, and improve for everyone.

Add Light Mode/Honor System Setting for Dark Mode

At a high level -- can you summarize your request?
The app should have a light mode for the UI, and should have an option to honor the user's system preference for Light/Dark mode.

What is the current alternative solution?
There does not appear to be a way to change the appearance of the app to anything but dark mode.

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
N/A

Anything else?
Nope! 🙂

Double clicking table borders to expand to maximum size for col

At a high level -- can you summarize your request?
I am used to double clicking right hand border of a col and having it auto expand to the size of the largest text in that col and I think this would be a nice feature here as well. See Google Sheets / Excel / etc

Target path muting (known UI bug)

(Self report -- known bug)

Describe the bug
Not all events should be listed when the "target path" muting option is selected. Just a UI thing.

Expected behavior
Only events which support target path muting should be displayed.

Additional context
ES docs

/**
 * EXEC: The file being executed
 * OPEN: The file being opened
 * MMAP: The file being memory mapped
 * RENAME: Both the source and destination path.
 * SIGNAL: The path of the process being signalled
 * UNLINK: The file being unlinked
 * CLOSE: The file being closed
 * CREATE: The path to the file that will be created or replaced
 * GET_TASK: The path of the process for which the task port is being retrieved
 * LINK: Both the source and destination path
 * SETATTRLIST: The file for which the attributes are being set
 * SETEXTATTR: The file for which the extended attributes are being set
 * SETFLAGS: The file for which flags are being set
 * SETMODE: The file for which the mode is being set
 * SETOWNER: The file for which the owner is being set
 * WRITE: The file being written to
 * READLINK: The symbolic link being resolved
 * TRUNCATE: The file being truncated
 * CHDIR: The new working directory
 * GETATTRLIST: The file for which the attribute list is being retrieved
 * STAT: The file for which the stat is being retrieved
 * ACCESS: The file for which access is being tested
 * CHROOT: The file which will become the new root
 * UTIMES: The file for which times are being set
 * CLONE: Both the source file and target path
 * FCNTL: The file under file control
 * GETEXTATTR: The file for which extended attributes are being retrieved
 * LISTEXTATTR: The file for which extended attributes are being listed
 * READDIR: The directory whose contents will be read
 * DELETEEXTATTR: The file for which extended attributes will be deleted
 * DUP: The file being duplicated
 * UIPC_BIND: The path to the unix socket that will be created
 * UIPC_CONNECT: The file that the unix socket being connected is bound to
 * EXCHANGEDATA: The path of both file1 and file2
 * SETACL: The file for which ACLs are being set
 * PROC_CHECK: The path of the process against which access is being checked
 * SEARCHFS: The path of the volume which will be searched
 * PROC_SUSPEND_RESUME: The path of the process being suspended or resumed
 * GET_TASK_NAME: The path of the process for which the task name port will be retrieved
 * TRACE: The path of the process that will be attached to
 * REMOTE_THREAD_CREATE: The path of the process in which the new thread is created
 * GET_TASK_READ: The path of the process for which the task read port will be retrieved
 * GET_TASK_INSPECT: The path of the process for which the task inspect port will be retrieved
 * COPYFILE: The path to the source file and the path to either the new file to be created or the existing file to be overwritten
 */

Event Streaming or Non-interactive Data Collection

At a high level -- can you summarize your request?
I realize the primary purpose of the project is to provide a means to analyze, correlate, and debug efficiently through the GUI; however, has it been considered to add the option to write to a log by default when a trace is running, or to non-interactively stream events to an external destination so that further analysis can be performed with the data using another platform? I know it's not intended to simply be a tail command for ESF, but it might be useful if the log contained some correlational data.

What is the current alternative solution?
Perform ad-hoc exporting of telemetry, then copy to another platform for ingestion and processing.
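The three requests above (SIEM integration over syslog, Wazuh ingestion, and non-interactive streaming) all come down to the same step: turning an export into a line format another agent can forward. The following is an added example, not code from the mac-monitor project or from any of the requesters. It converts a JSON export to RFC 5424 syslog, with every field carried as structured data so a decoder can key on it rather than regex the message. The event layout (`event`, `time`, `pid`, `ppid`, `euid`, `path`, `target`, `args`) and the sample events are constructed for this example and are an assumption about what a real export contains; the enterprise number 32473 in the SD-ID is the one RFC 5612 reserves for documentation.

```python
"""Added example: convert an assumed JSON event export to RFC 5424 syslog lines."""
import json
import socket
from datetime import datetime, timezone

# Constructed sample export (three events); not real Mac Monitor output.
SAMPLE_EXPORT = json.dumps([
    {"event": "ES_EVENT_TYPE_NOTIFY_EXEC", "time": "2023-04-17T16:15:00Z", "pid": 512,
     "ppid": 1, "euid": 0, "path": "/bin/bash", "args": ["bash", "-c", 'id "$USER"']},
    {"event": "ES_EVENT_TYPE_NOTIFY_OPEN", "time": "2023-04-17T16:15:01Z", "pid": 512,
     "ppid": 1, "euid": 0, "path": "/bin/bash", "target": "/etc/sudoers"},
    {"event": "ES_EVENT_TYPE_NOTIFY_MMAP", "time": "2023-04-17T16:15:02Z", "pid": 520,
     "ppid": 512, "euid": 501, "path": "/usr/bin/python3", "target": "/usr/lib/libz.dylib"},
])

FACILITY_LOCAL0, SEVERITY_INFO = 16, 6
# RFC 5612 reserves enterprise number 32473 for documentation; a real deployment
# would use its own PEN (assumed placeholder here).
SD_ID = "macmonitor@32473"


def sd_escape(value) -> str:
    """RFC 5424 PARAM-VALUE must escape backslash, double quote and ']' (backslash first)."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event: dict, host: str = "mac-01") -> str:
    """Format one exported event as a single RFC 5424 line.

    Every field except the timestamp becomes a structured-data parameter, so the
    SIEM decoder can key on it without parsing free text; argv is joined into
    one 'cmdline' parameter.
    """
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_INFO  # 134
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    params = {k: v for k, v in event.items() if k not in ("time", "args")}
    if "args" in event:
        params["cmdline"] = " ".join(event["args"])
    sd = f"[{SD_ID} " + " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items()) + "]"
    msgid = event["event"].replace("ES_EVENT_TYPE_", "")
    header = f"<{pri}>1 {ts.isoformat().replace('+00:00', 'Z')} {host} macmonitor {event['pid']} {msgid}"
    return f"{header} {sd} {event['event']} {event['path']}"


def export_to_syslog(export_json: str) -> list:
    """Convert a whole JSON export into a list of syslog lines."""
    return [to_syslog(e) for e in json.loads(export_json)]


def ship_udp(lines, dest=("127.0.0.1", 514)) -> int:
    """Send each line as one UDP datagram; returns the number sent.

    Plain UDP syslog is unauthenticated and unencrypted: on a real network put a
    TLS-capable forwarder (RFC 5425) between the host and the SIEM instead.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), dest)
    return len(lines)


if __name__ == "__main__":
    for line in export_to_syslog(SAMPLE_EXPORT):
        print(line)
```

The escaping in `sd_escape` is the part most often skipped in home-grown forwarders: a command line containing `]` or `"` would otherwise terminate the structured-data block early and the decoder would mis-split the fields, which is exactly where an attacker-controlled argv can corrupt downstream parsing.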

Network Connection Telemetry

At a high level -- can you summarize your request?

  • Network connection telemetry request from @jkennedyvz.
  • Add domain level netconns and correlate to process telemetry

What is the current alternative solution?

  • EDR
  • Wireshark
  • Little Snitch

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?

  • Lots

Anything else?
N/A

Filter by parent process + View child processes in event metadata

At a high level -- can you summarize your request?
If I come across an event such as a bash being called from a process I'd like to be able to filter to find all other forks that the parent process executed. Alternatively if I have the event parent process in event viewer, I'd like to be able to see the children of that event.

Example: here I have sentineld_updater calling two bash scripts:
(screenshot)

I'd like an easy way to be able to view all subprocesses from this parent/initiating process. Here is the event metadata I can view as well as then the initiating process:
(screenshots)

What is the current alternative solution?
Identify the event as well as its parent and then use the search to try and narrow down events containing that name
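The "export and filter" alternative named in this request and in the earlier "Filter events based on UserID" request can be done offline with a small process-tree walk over the exported EXEC events. The block below is an added example, not mac-monitor code: it indexes records by pid and ppid, lists everything a parent spawned, reconstructs a lineage, and picks out the children that ran as root. The record layout (`pid`, `ppid`, `euid`, `path`) and the sample records (an updater spawning two bash children, loosely modelled on the screenshot) are constructed for the example.

```python
"""Added example: descendant/lineage queries over an assumed EXEC-event export."""
from collections import defaultdict, deque

# Constructed EXEC records; pids and paths are made up for the example.
EXECS = [
    {"pid": 100, "ppid": 1,   "euid": 0,   "path": "/Library/Sentinel/sentineld_updater"},
    {"pid": 101, "ppid": 100, "euid": 0,   "path": "/bin/bash"},
    {"pid": 102, "ppid": 100, "euid": 0,   "path": "/bin/bash"},
    {"pid": 103, "ppid": 102, "euid": 0,   "path": "/usr/bin/curl"},
    {"pid": 200, "ppid": 1,   "euid": 501, "path": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 201, "ppid": 200, "euid": 501, "path": "/bin/zsh"},
]


def index(events):
    """Build pid -> record and ppid -> [child pids] maps, preserving event order."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def descendants(events, root_pid):
    """All pids spawned under root_pid, breadth-first.

    Each pid is visited once, so a reused pid that appears to be its own
    ancestor cannot send the walk into a loop.
    """
    _, children = index(events)
    out, seen, queue = [], {root_pid}, deque(children.get(root_pid, []))
    while queue:
        pid = queue.popleft()
        if pid in seen:
            continue
        seen.add(pid)
        out.append(pid)
        queue.extend(children.get(pid, []))
    return out


def lineage(events, pid):
    """Executable paths from the outermost recorded ancestor down to pid."""
    by_pid, _ = index(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["path"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def running_as(events, euid):
    """Pids whose EXEC ran with the given effective uid (0 = root)."""
    return [e["pid"] for e in events if e["euid"] == euid]


def root_spawned_by(events, root_pid):
    """Descendants of root_pid that executed as root: the 'elevated children' view."""
    by_pid, _ = index(events)
    return [p for p in descendants(events, root_pid) if by_pid[p]["euid"] == 0]


if __name__ == "__main__":
    print("children of 100:", descendants(EXECS, 100))
    print("lineage of 103:", " -> ".join(lineage(EXECS, 103)))
    print("root processes:", running_as(EXECS, 0))
```

Because the walk keys on the pid/ppid pair recorded at EXEC time, it only sees relationships present in the export; a parent that exited before the capture started, or a pid reused later in a long capture, will show up as a truncated lineage rather than a wrong one.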

Mute paths from the event screen

At a high level -- can you summarize your request?
It would be good to be able to mute paths from the event screen, not just filtering.

What is the current alternative solution?
Go into settings and manually add muted path.

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
NA

Anything else?
NA

Ability to filter by "Double Clicking" event in "Mini Chart"

At a high level -- can you summarize your request?
Quickly filter the events provided in the main screen by double clicking the event of interest from the mini-chart.

What is the current alternative solution?
Not entirely sure, if I "right click" on an event in the Event Type column for example ES_EVENT_TYPE_NOTIFY_MMAP, I can filter this event type out using "filter event", however this removes this event. What I want to do is match only this event type.

Anything else?
The Mini Chart that I am most interested in being able to double click to show all those events is this:
(screenshot, 2023-04-17)

Clicking on parent items in the subtree removes child items

Describe the bug
If I am exploring an event with a subtree, when I traverse up the subtree by clicking on the parent event the child trees disappear without a way to get them back.

Expected behavior
Clicking on the parent does not remove the subtree or there is a way for me to get it back without re-opening the event view

To Reproduce
Steps to reproduce the behavior:

  1. Open Child item
  2. Click on any parent in the subtree
  3. Child items are removed

Screenshots
N/A

Custom Filters for Columns

At a high level -- can you summarize your request?
The ability to add custom filters against Columns that can match against a value. This could be for any column including Process Name, Command Line, Effective user, Source process, etc.

What is the current alternative solution?
There does not appear to be a way to create custom filters for values of interest. Currently, you can filter by finding a value and right clicking to then add a filter.

Anything else?
It would be awesome to have different operators for these values that could be used to match. For example: CONTAINS, BEGINS WITH, MATCHES (regex), DOES NOT CONTAIN.

Speedbump on Clear button

At a high level -- can you summarize your request?
I occasionally accidentally hit clear and lose all my captured data. It would be nice if this had a "Are you sure?" dialog

What is the current alternative solution?
Avoid clicking Clear!

Are there "In-the-Wild" threats or corresponding ATT&CK techniques that exist for which this telemetry would be helpful?
N/A
