Gatekeeper Approved Apps
Overview
Evidence: Gatekeeper Approved Apps
Description: Collect Gatekeeper apps allowed to run
Category: System
Platform: macos
Short Name: gatekapp
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Gatekeeper is the macOS policy engine that decides whether a downloaded or unsigned binary may run. The approved apps list contains the binaries for which an exception to that policy has been recorded, either because a user overrode the Gatekeeper prompt for an unsigned or unnotarized app or because an administrator added an explicit allow rule with spctl --add. Because every entry is a deliberate widening of the platform's default allow-list, the list is essential for understanding what is permitted to execute on a host and for detecting approvals that nobody authorized.
Data Collected
Section titled “Data Collected”This collector gathers structured data about gatekeeper approved apps.
Gatekeeper Approved Apps Data
| Field | Description | Example |
|---|---|---|
| Path | Path of the executable the rule allows to run | Example value |
| Requirement | Code signing requirement, in Apple's requirement language, that the binary must satisfy for the rule to match (for example an identifier, a cdhash pin, or an anchor clause) | Example value |
| CTime | Time the rule was last changed, as a Unix epoch integer (osquery ctime column) | 123 |
| MTime | Time the rule was last modified, as a Unix epoch integer (osquery mtime column) | 123 |
| LastChangeTime | Human-readable form of CTime, with timezone offset | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Human-readable form of MTime, with timezone offset | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector queries the gatekeeper_approved_apps table via osquery, which osquery populates from the local Gatekeeper policy database (/var/db/SystemPolicy, the store that spctl --add and the Gatekeeper "Open Anyway" override write to). The rows returned (path, requirement, ctime, mtime) are recorded into gatekeeper_apps, with the epoch columns also rendered as LastChangeTime and ModificationTime.
Forensic Value
This evidence is crucial for forensic investigations because every row is an exception to the platform's default execution policy. Approvals for binaries in user-writable or temporary locations (Downloads, /tmp, caches), rules whose requirement pins no trust anchor or code directory hash and so match any binary with the same identifier, and rules whose CTime falls inside the incident window all point at policy bypass or at persistence through an allow-listed binary. Adding a rule requires administrator rights, so an unexpected entry is also evidence of privilege having been used on the host at the time recorded in LastChangeTime. Note that the timestamps describe the rule, not the binary: compare them with the file's own metadata and with the presence of the file on disk, since a rule can outlive the executable it was created for.
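As an added example that is not part of this collector or of osquery, the following script takes the JSON that osqueryi --json "SELECT path, requirement, ctime, mtime FROM gatekeeper_approved_apps" prints, normalises the rows into the field layout documented above, and attaches the triage flags described in the Forensic Value section. The sample rows, the location heuristics, and the incident-window epoch are constructed for the example; the weak-requirement check is a heuristic, not Apple's requirement-language evaluator.

```python
"""Triage of gatekeeper_approved_apps rows as exported by osquery (example only).

Added example, not the collector's own code. Input is the JSON array that
osqueryi --json prints for the table; every column value arrives as a string.
"""
import json
from datetime import datetime, timezone

# Constructed sample: three rows in the shape osqueryi --json would print.
# Paths, identifiers and hashes are made up for this example.
SAMPLE_JSON = r"""[
 {"path": "/Applications/Example.app",
  "requirement": "identifier \"com.example.app\" and anchor apple generic",
  "ctime": "1697369425", "mtime": "1697369425"},
 {"path": "/Users/alice/Downloads/Installer.app",
  "requirement": "cdhash H\"0000000000000000000000000000000000000000\"",
  "ctime": "1697380000", "mtime": "1697380000"},
 {"path": "/tmp/helper", "requirement": "",
  "ctime": "1697390000", "mtime": "1697390000"}
]"""

# Locations where a Gatekeeper approval is rarely legitimate on a managed host.
# Assumption for this example; tune to the environment being investigated.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
SUSPICIOUS_FRAGMENTS = ("/Downloads/", "/Library/Caches/")


def to_iso(epoch_str):
    """Render an osquery epoch column (a string) as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(int(epoch_str), tz=timezone.utc).isoformat()


def weak_requirement(req):
    """Heuristic: a rule that names neither a trust anchor nor a cdhash is
    satisfied by any binary carrying the same identifier, which an ad-hoc
    signature can claim. An empty requirement is treated the same way."""
    r = req.strip()
    return r == "" or ("anchor" not in r and not r.startswith("cdhash"))


def suspicious_path(path):
    """True when the approved binary lives in a user-writable or temp location."""
    return path.startswith(SUSPICIOUS_PREFIXES) or any(
        fragment in path for fragment in SUSPICIOUS_FRAGMENTS)


def triage(osquery_json, approved_after=None):
    """Normalise rows into this collector's field layout and attach flags.

    approved_after: optional epoch (e.g. start of the incident window); rows
    whose rule change time is later than it get the 'recent' flag.
    """
    records = []
    for row in json.loads(osquery_json):
        flags = []
        if suspicious_path(row["path"]):
            flags.append("untrusted-location")
        if weak_requirement(row["requirement"]):
            flags.append("weak-requirement")
        if approved_after is not None and int(row["ctime"]) > approved_after:
            flags.append("recent")
        records.append({
            "Path": row["path"],
            "Requirement": row["requirement"],
            "CTime": int(row["ctime"]),
            "MTime": int(row["mtime"]),
            "LastChangeTime": to_iso(row["ctime"]),
            "ModificationTime": to_iso(row["mtime"]),
            "Flags": flags,
        })
    return records


if __name__ == "__main__":
    # Constructed incident window start: anything approved after this is 'recent'.
    for rec in triage(SAMPLE_JSON, approved_after=1697370000):
        print(rec["LastChangeTime"], rec["Path"], ",".join(rec["Flags"]) or "-")
```

The cdhash rule in the second sample row is deliberately not flagged as weak: a cdhash pin matches exactly one code directory, so it is brittle rather than permissive, and the interesting signal there is the Downloads location and the change time inside the window. In practice the baseline for "recent" should come from the case timeline, and the location list should be adjusted to the organisation's software deployment paths.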