› ›

Google Santa Integration

Version	3.22.0 (View all)
Compatible Kibana version(s)	8.13.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

The Google Santa integration collects and parses logs from Google Santa, a security tool for macOS that monitors process executions and can blacklist/whitelist binaries.

Compatibility

edit

The Google Santa integration was tested with logs from Santa 2022.4.

Google Santa is available for MacOS only.

The integration is by default configured to read logs from /var/db/santa/santa.log.

Logs

edit

Google Santa log

edit

This is the Google Santa log dataset.

Example

An example event for log looks as following:

{
    "@timestamp": "2022-05-12T11:30:05.248Z",
    "agent": {
        "ephemeral_id": "7f9603e8-5411-4ed1-acdc-d842f98e5c8b",
        "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
        "name": "elastic-agent-97786",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "santa.log",
        "namespace": "85590",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "link",
        "agent_id_status": "verified",
        "dataset": "santa.log",
        "ingested": "2024-10-01T13:57:49Z",
        "kind": "event"
    },
    "file": {
        "path": "/private/var/db/santa/santa.log",
        "target_path": "/private/var/db/santa/santa.log.0"
    },
    "group": {
        "id": "0",
        "name": "wheel"
    },
    "host": {
        "architecture": "aarch64",
        "containerized": false,
        "hostname": "elastic-agent-97786",
        "id": "8269eab9370b4429947d2a16c3058fcb",
        "ip": [
            "172.19.0.2",
            "172.18.0.4"
        ],
        "mac": [
            "02-42-AC-12-00-04",
            "02-42-AC-13-00-02"
        ],
        "name": "elastic-agent-97786",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "6.10.0-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "log"
    },
    "log": {
        "file": {
            "path": "/tmp/service_logs/santa.log"
        },
        "level": "I",
        "offset": 1150
    },
    "process": {
        "args": [
            "/usr/sbin/newsyslog"
        ],
        "entity_id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6-71559-1096716",
        "executable": "/usr/sbin/newsyslog",
        "name": "newsyslog",
        "parent": {
            "pid": 1
        },
        "pid": 71559,
        "start": "2022-05-12T11:30:05.248Z"
    },
    "related": {
        "user": [
            "root"
        ]
    },
    "santa": {
        "action": "LINK",
        "pidversion": 1096716
    },
    "tags": [
        "santa-log"
    ],
    "user": {
        "id": "0",
        "name": "root"
    }
}

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Input type	keyword
log.offset	Log offset	long
santa.action	Action	keyword
santa.certificate.common_name	Common name from code signing certificate.	keyword
santa.certificate.sha256	SHA256 hash of code signing certificate.	keyword
santa.decision	Decision that santad took.	keyword
santa.disk.appearance	Timestamp for volume operation.	date
santa.disk.bsdname	The disk BSD name.	keyword
santa.disk.bus	The disk bus protocol.	keyword
santa.disk.dmgpath	The DMG (disk image) path.	keyword
santa.disk.fs	The disk volume kind (filesystem type).	keyword
santa.disk.model	The disk model.	keyword
santa.disk.mount	The disk volume path.	keyword
santa.disk.serial	The disk serial number.	keyword
santa.disk.volume	The volume name.	keyword
santa.event.uid	Event UID.	keyword
santa.event.user	Event user.	keyword
santa.explain	Further details for the decision.	keyword
santa.graphical_session_id	The graphical session ID.	long
santa.mode	Operating mode of Santa.	keyword
santa.pidversion	macOS process identity version.	long
santa.reason	Reason for the decision.	keyword
santa.team_id	Team ID.	keyword

Changelog

edit

Changelog

Version	Details	Kibana version(s)
3.22.0	Enhancement (View pull request) Do not remove `event.original` in main ingest pipeline.	8.13.0 or higher
3.21.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.13.0 or higher
3.20.0	Enhancement (View pull request) Update ingest pipeline to avoid failures with unexpected log formats.	8.13.0 or higher
3.19.1	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.13.0 or higher
3.19.0	Enhancement (View pull request) Add support for team ID field.	8.13.0 or higher
3.18.0	Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
3.17.0	Enhancement (View pull request) Update manifest format version to v3.0.3.	8.7.1 or higher
3.16.2	Enhancement (View pull request) Changed owners	8.7.1 or higher
3.16.1	Bug fix (View pull request) Fix exclude_files pattern.	8.7.1 or higher
3.16.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.7.1 or higher
3.15.0	Enhancement (View pull request) Improve event.original check to avoid errors if set.	8.7.1 or higher
3.14.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.7.1 or higher
3.13.0	Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.	8.7.1 or higher
3.12.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.7.1 or higher
3.11.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.7.1 or higher
3.10.0	Enhancement (View pull request) Convert dashboards to Lens.	8.7.1 or higher
3.9.0	Enhancement (View pull request) Update to package-spec 2.9.0.	8.1.0 or higher
3.8.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	8.1.0 or higher
3.7.0	Enhancement (View pull request) Update package to ECS 8.8.0.	8.1.0 or higher
3.6.0	Enhancement (View pull request) Update package to ECS 8.7.0.	8.1.0 or higher
3.5.1	Enhancement (View pull request) Added categories and/or subcategories.	8.1.0 or higher
3.5.0	Enhancement (View pull request) Update package to ECS 8.6.0.	8.1.0 or higher
3.4.1	Enhancement (View pull request) Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load	8.1.0 or higher
3.4.0	Enhancement (View pull request) Update package to ECS 8.5.0.	7.17.0 or higher 8.0.0 or higher
3.3.0	Enhancement (View pull request) Update package to ECS 8.4.0	7.17.0 or higher 8.0.0 or higher
3.2.1	Enhancement (View pull request) Update package name and description to align with standard wording	7.17.0 or higher 8.0.0 or higher
3.2.0	Enhancement (View pull request) Update package to ECS 8.3.0.	7.17.0 or higher 8.0.0 or higher
3.1.0	Enhancement (View pull request) Add `process.entity_id` field.	7.17.0 or higher 8.0.0 or higher
3.0.0	Enhancement (View pull request) Update log format to support the GA releases of Santa. The pre-GA Santa log format (circa 2017) is no longer accepted.	—
2.1.0	Enhancement (View pull request) Update to ECS 8.2	7.17.0 or higher 8.0.0 or higher
2.0.1	Enhancement (View pull request) Add documentation for multi-fields	7.17.0 or higher 8.0.0 or higher
2.0.0	Enhancement (View pull request) Update to ECS 8.0 Enhancement (View pull request) process.ppid replaced with process.parent.pid (breaking change)	7.17.0 or higher 8.0.0 or higher
1.1.0	Enhancement (View pull request) Add 8.0.0 version constraint	7.16.0 or higher 8.0.0 or higher
1.0.3	Enhancement (View pull request) Uniform with guidelines	7.16.0 or higher
1.0.2	Enhancement (View pull request) Update Title and Description.	7.16.0 or higher
1.0.1	Bug fix (View pull request) Fix logic that checks for the forwarded tag	—
1.0.0	Enhancement (View pull request) make GA	—
0.4.0	Enhancement (View pull request) Update to ECS 1.12.0	—
0.3.2	Enhancement (View pull request) Convert to generated ECS fields	—
0.3.1	Enhancement (View pull request) update to ECS 1.11.0	—
0.3.0	Enhancement (View pull request) Update integration description	—
0.2.0	Enhancement (View pull request) Set "event.module" and "event.dataset"	—
0.1.0	Enhancement (View pull request) update to ECS 1.10.0 and adding event.original options	—
0.0.3	Enhancement (View pull request) update to ECS 1.9.0	—
0.0.2	Enhancement (View pull request) Fix compatibility with Kibana	—
0.0.1	Enhancement (View pull request) initial release	—

« Google Google Workspace Integration »