From 14beb2f37844f90f96c6fa17d7085c88ab91ec70 Mon Sep 17 00:00:00 2001
From: Matthew Ward
Date: Fri, 22 Sep 2023 13:32:52 -0500
Subject: [PATCH 1/3] Add files via upload

initial upload
---
 .../jamf_connect/jc_priviledge_escalation_events.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml

diff --git a/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
new file mode 100644
index 0000000..fff3c2d
--- /dev/null
+++ b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
@@ -0,0 +1,9 @@
+name: "Jamf Connect Privilege Escalation Events"
+description: "This Unified Log filter may be used to audit macOS account elevation requests, time frames, and reasoning. This filter functions by monitoring logging from the Jamf Connect daemon where the event message contains a known string indicating the behaviour."
+predicate: "process == 'com.jamf.connect.daemon' && eventMessage CONTAINS 'grantAdminPrivilegesToUserForTime'"
+# predicate: "process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime""
+tags:
+ - visibility
+ - connect
+ - privileges
+enabled: true
\ No newline at end of file

From 433154d108ba50093f64ed350347c54c95039089 Mon Sep 17 00:00:00 2001
From: Matthew Ward
Date: Fri, 22 Sep 2023 13:46:40 -0500
Subject: [PATCH 2/3] Update jc_priviledge_escalation_events.yaml

---
 .../jamf_connect/jc_priviledge_escalation_events.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
index fff3c2d..7e70362 100644
--- a/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
+++ b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
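Review bot: The commented-out alternate on the fourth added line (`# predicate: "process == "com.jamf.connect.daemon" && ...""`) is not valid YAML if anyone uncomments it — the double-quoted scalar ends at the second `"` and the rest of the line is a parse error — so it should be dropped rather than kept as a hint, or rewritten as a YAML single-quoted scalar: `predicate: 'process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime"'`. The description promises auditing of the elevation "reasoning", but in unified logging dynamic string arguments are typically redacted as `<private>` unless a logging profile that enables private data is installed, so that caveat belongs in the description. Matching a single internal symbol name in `eventMessage` is also version-sensitive; a comment above `predicate:` recording the Jamf Connect version the string was validated against, e.g. `# Message text is not a stable API; validated against Jamf Connect <version>`, would tell the next maintainer when to re-check it.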
@@ -1,9 +1,8 @@
 name: "Jamf Connect Privilege Escalation Events"
 description: "This Unified Log filter may be used to audit macOS account elevation requests, time frames, and reasoning. This filter functions by monitoring logging from the Jamf Connect daemon where the event message contains a known string indicating the behaviour."
-predicate: "process == 'com.jamf.connect.daemon' && eventMessage CONTAINS 'grantAdminPrivilegesToUserForTime'"
-# predicate: "process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime""
+predicate: "process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime""
 tags:
 - visibility
 - connect
 - privileges
-enabled: true
\ No newline at end of file
+enabled: true

From 5f1bba83ac54a8b74ea332312aac8e8630a37d07 Mon Sep 17 00:00:00 2001
From: Matthew Ward
Date: Mon, 5 May 2025 14:30:43 -0500
Subject: [PATCH 3/3] Update jc_privilege_elevation_events.yaml

accounts for `com.jamf.connect.daemon.ssp:PrivilegeElevation`
---
 .../jamf_connect/jc_priviledge_escalation_events.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
index 7e70362..c5937d9 100644
--- a/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
+++ b/unified_log_filters/jamf_connect/jc_priviledge_escalation_events.yaml
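Review bot: The new `+predicate` line is not valid YAML: the double-quoted scalar ends at the `"` before `com.jamf.connect.daemon`, the trailing text produces a parse error, and the working single-quoted form is removed in the same hunk, so the filter no longer loads at all. Either escape the inner quotes or wrap the predicate in a YAML single-quoted scalar: `predicate: 'process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime"'`. A `yamllint` or `yaml.safe_load` pass over `unified_log_filters/` in CI would catch this class of break before a detection filter is shipped disabled-by-accident.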
@@ -1,6 +1,6 @@
-name: "Jamf Connect Privilege Escalation Events"
+name: "Jamf Connect Privilege Elevation Events"
 description: "This Unified Log filter may be used to audit macOS account elevation requests, time frames, and reasoning. This filter functions by monitoring logging from the Jamf Connect daemon where the event message contains a known string indicating the behaviour."
-predicate: "process == "com.jamf.connect.daemon" && eventMessage CONTAINS "grantAdminPrivilegesToUserForTime""
+predicate: "subsystem == BEGINSWITH[c] "com.jamf.connect.daemon" AND category == "PrivilegeElevation""
 tags:
 - visibility
 - connect
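Review bot: The new predicate fails on two counts: the YAML quoting repeats the nested-double-quote form (the scalar ends before `com.jamf.connect.daemon`, so the file does not parse), and the predicate text `subsystem == BEGINSWITH[c] "..."` is not valid NSPredicate syntax because `==` and `BEGINSWITH[c]` are both comparison operators and cannot be chained. The working form is `predicate: 'subsystem BEGINSWITH[c] "com.jamf.connect.daemon" AND category == "PrivilegeElevation"'`. Because the filter now keys on subsystem prefix and log category rather than a message substring, the unchanged description ("where the event message contains a known string") is stale and should say the filter matches the daemon's `PrivilegeElevation` category; the prefix match also covers `com.jamf.connect.daemon.ssp` and any other sub-subsystem, which the commit message indicates is the intent and is worth stating in the description. The file name still carries the `priviledge`/`escalation` spelling while the subject refers to `jc_privilege_elevation_events.yaml`; if the rename is intended it should land as its own commit.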