XProtect Remediation

Evidence: XProtect Remediation
Description: Filter detecting and blocking malicious software events
Category: System
Platform: macos
Short Name: xpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

XProtect is Apple’s built-in malware detection and removal technology for macOS. The XProtect Framework logs malware detection events, remediation actions, and threat blocking activities. It provides real-time protection against known malware and suspicious files.

This collector gathers structured data about XProtect remediation events.

This collector uses the macOS `log` command with predicate-based filtering to extract XProtect Framework structured events from the last 3 days. The log entries are read in JSON format, parsed, and stored in the unified_logs table with PredicateType='XProtect Remediation'.
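As an added illustration of the pipeline just described (not the collector's own code), the following script builds the `log show` invocation, parses its JSON output into rows for a unified_logs-style table tagged PredicateType='XProtect Remediation', and offers a simple per-process triage count of the kind an analyst would run over the collected rows. The subsystem used in the predicate (`com.apple.XProtectFramework.PluginAPI`), the table schema, and the sample records are assumptions or constructed for the example and are not taken from the page; the JSON field names follow the shape of `log show --style json` output.

```python
"""Added example: emulate a collector that wraps `log show` with a predicate,
parses the JSON output and stores rows tagged PredicateType='XProtect Remediation'.
Not the page's or the product's own code; see the assumptions noted inline."""
import json
import os
import sqlite3

PREDICATE_TYPE = "XProtect Remediation"
# Assumed subsystem filter (not from the page); adjust to what your environment logs.
XPROTECT_PREDICATE = 'subsystem == "com.apple.XProtectFramework.PluginAPI"'


def build_log_command(last="3d", predicate=XPROTECT_PREDICATE):
    """argv for the `log show` call: last 3 days, predicate filtered, JSON styled."""
    return ["log", "show", "--last", last, "--predicate", predicate,
            "--style", "json", "--info", "--debug"]


def parse_xprotect_events(json_text):
    """Turn `log show --style json` output into unified_logs-style rows.

    XProtect structured events often carry a JSON document in eventMessage;
    when present it is decoded into `details` so fields can be queried later.
    """
    rows = []
    for rec in json.loads(json_text):
        message = rec.get("eventMessage") or ""
        try:
            details = json.loads(message)
            if not isinstance(details, dict):
                details = {}
        except ValueError:
            details = {}  # plain-text message, nothing structured to extract
        rows.append({
            "timestamp": rec.get("timestamp"),
            "predicate_type": PREDICATE_TYPE,
            "subsystem": rec.get("subsystem"),
            "category": rec.get("category"),
            "process": os.path.basename(rec.get("processImagePath") or ""),
            "pid": rec.get("processID"),
            "message": message,
            "details": details,
        })
    return rows


def ingest(json_text, db_path=":memory:"):
    """Parse the log output and store it; returns (connection, rows stored)."""
    rows = parse_xprotect_events(json_text)
    conn = sqlite3.connect(db_path)
    # Assumed minimal schema; the real unified_logs table is product specific.
    conn.execute("""CREATE TABLE IF NOT EXISTS unified_logs (
        timestamp TEXT, predicate_type TEXT, subsystem TEXT, category TEXT,
        process TEXT, pid INTEGER, message TEXT, details TEXT)""")
    conn.executemany(
        "INSERT INTO unified_logs VALUES (?,?,?,?,?,?,?,?)",
        [(r["timestamp"], r["predicate_type"], r["subsystem"], r["category"],
          r["process"], r["pid"], r["message"], json.dumps(r["details"]))
         for r in rows])
    conn.commit()
    count = conn.execute("SELECT COUNT(*) FROM unified_logs WHERE predicate_type = ?",
                         (PREDICATE_TYPE,)).fetchone()[0]
    return conn, count


def events_by_process(conn):
    """Triage view: how many XProtect events each remediator process emitted."""
    return dict(conn.execute(
        "SELECT process, COUNT(*) FROM unified_logs WHERE predicate_type = ? "
        "GROUP BY process ORDER BY process", (PREDICATE_TYPE,)))


# Constructed sample of what `log show --style json` might return; not real log data.
_BASE = "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/"
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-05-01 09:15:02.123456-0700",
     "subsystem": "com.apple.XProtectFramework.PluginAPI",
     "category": "XPEvent.structured",
     "processImagePath": _BASE + "XProtectRemediatorExampleA", "processID": 4321,
     "eventMessage": json.dumps({"status_message": "Scan started"})},
    {"timestamp": "2024-05-01 09:15:07.654321-0700",
     "subsystem": "com.apple.XProtectFramework.PluginAPI",
     "category": "XPEvent.structured",
     "processImagePath": _BASE + "XProtectRemediatorExampleA", "processID": 4321,
     "eventMessage": json.dumps({"status_message": "Detected; file quarantined",
                                 "path": "/tmp/constructed-sample.bin"})},
    {"timestamp": "2024-05-01 09:16:00.000000-0700",
     "subsystem": "com.apple.XProtectFramework.PluginAPI",
     "category": "XPEvent.plugin",
     "processImagePath": _BASE + "XProtectRemediatorExampleB", "processID": 4330,
     "eventMessage": "plugin loaded"},
])

if __name__ == "__main__":
    print(" ".join(build_log_command()))
    conn, stored = ingest(SAMPLE_LOG_JSON)
    print(stored, "rows stored;", events_by_process(conn))
```

On a live macOS host the `build_log_command()` argv would be passed to `subprocess.run(..., capture_output=True)` and its stdout fed to `ingest`; the sample here stands in for that output so the parsing and storage path can be exercised offline.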

XProtect logs are essential for identifying malware infections, tracking threat detection and remediation, and understanding the scope of compromise. They reveal what malware was detected, when, what files were affected, and what remediation actions were taken, providing crucial evidence of security incidents.