Google Santa Integration
Supported on: Serverless Observability, Serverless Security, Stack

Version | 3.24.0 |
Subscription level | Basic |
Level of support | Elastic |
Ingestion method(s) | File |
The Google Santa integration collects and parses logs from Google Santa, a security tool for macOS that monitors process executions and can blacklist/whitelist binaries.
The Google Santa integration was tested with logs from Santa 2022.4.
Google Santa is available for macOS only.
By default the integration is configured to read logs from /var/db/santa/santa.log.
This is the Google Santa log dataset.

Example event:

```json
{
  "@timestamp": "2022-05-12T11:30:05.248Z",
  "agent": {
    "ephemeral_id": "7f9603e8-5411-4ed1-acdc-d842f98e5c8b",
    "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
    "name": "elastic-agent-97786",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "santa.log",
    "namespace": "85590",
    "type": "logs"
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "link",
    "agent_id_status": "verified",
    "dataset": "santa.log",
    "ingested": "2024-10-01T13:57:49Z",
    "kind": "event"
  },
  "file": {
    "path": "/private/var/db/santa/santa.log",
    "target_path": "/private/var/db/santa/santa.log.0"
  },
  "group": {
    "id": "0",
    "name": "wheel"
  },
  "host": {
    "architecture": "aarch64",
    "containerized": false,
    "hostname": "elastic-agent-97786",
    "id": "8269eab9370b4429947d2a16c3058fcb",
    "ip": [
      "172.19.0.2",
      "172.18.0.4"
    ],
    "mac": [
      "02-42-AC-12-00-04",
      "02-42-AC-13-00-02"
    ],
    "name": "elastic-agent-97786",
    "os": {
      "codename": "focal",
      "family": "debian",
      "kernel": "6.10.0-linuxkit",
      "name": "Ubuntu",
      "platform": "ubuntu",
      "type": "linux",
      "version": "20.04.6 LTS (Focal Fossa)"
    }
  },
  "input": {
    "type": "log"
  },
  "log": {
    "file": {
      "path": "/tmp/service_logs/santa.log"
    },
    "level": "I",
    "offset": 1150
  },
  "process": {
    "args": [
      "/usr/sbin/newsyslog"
    ],
    "entity_id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6-71559-1096716",
    "executable": "/usr/sbin/newsyslog",
    "name": "newsyslog",
    "parent": {
      "pid": 1
    },
    "pid": 71559,
    "start": "2022-05-12T11:30:05.248Z"
  },
  "related": {
    "user": [
      "root"
    ]
  },
  "santa": {
    "action": "LINK",
    "pidversion": 1096716
  },
  "tags": [
    "santa-log"
  ],
  "user": {
    "id": "0",
    "name": "root"
  }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
santa.action | Action | keyword |
santa.certificate.common_name | Common name from code signing certificate. | keyword |
santa.certificate.sha256 | SHA256 hash of code signing certificate. | keyword |
santa.decision | Decision that santad took. | keyword |
santa.disk.appearance | Timestamp for volume operation. | date |
santa.disk.bsdname | The disk BSD name. | keyword |
santa.disk.bus | The disk bus protocol. | keyword |
santa.disk.dmgpath | The DMG (disk image) path. | keyword |
santa.disk.fs | The disk volume kind (filesystem type). | keyword |
santa.disk.model | The disk model. | keyword |
santa.disk.mount | The disk volume path. | keyword |
santa.disk.serial | The disk serial number. | keyword |
santa.disk.volume | The volume name. | keyword |
santa.event.uid | Event UID. | keyword |
santa.event.user | Event user. | keyword |
santa.explain | Further details for the decision. | keyword |
santa.graphical_session_id | The graphical session ID. | long |
santa.mode | Operating mode of Santa. | keyword |
santa.pidversion | macOS process identity version. | long |
santa.reason | Reason for the decision. | keyword |
santa.team_id | Team ID. | keyword |
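As an added example (not code from the Elastic integration or from the Santa project), the script below parses a few constructed santa.log lines into the field layout that the example event and the table above expose, then flags the execution decisions a defender would want to review: binaries Santa denied, and unknown binaries that were allowed because the host was in monitor mode. The pipe-delimited `key=value` line layout, the key names (`cert_cn`, `cert_sha256`, `newpath`, `processpath`, `args`, ...), the mode letters (`M` monitor, `L` lockdown) and every sample value are assumptions made for this example, not facts taken from this page; compare them against a real santa.log before relying on the parser.

```python
"""Parse Google Santa log lines into ECS-like documents and flag decisions worth review.

Added example, not part of the Elastic integration. The line layout
'[ISO-8601 timestamp] LEVEL santad: key=value|key=value|...' and all sample
values are ASSUMED/constructed for this demonstration.
"""
import re
from typing import Optional, Tuple, List

# Assumed layout of a santad line; the body is a '|'-separated list of key=value pairs.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>\w) santad: (?P<body>.*)$")

# Constructed sample lines (not captured from a real host). Hashes are placeholders.
SAMPLE_LOG = """\
[2022-05-12T11:30:05.248Z] I santad: action=LINK|path=/private/var/db/santa/santa.log|newpath=/private/var/db/santa/santa.log.0|pid=71559|pidversion=1096716|ppid=1|process=newsyslog|processpath=/usr/sbin/newsyslog|uid=0|user=root|gid=0|group=wheel
[2022-05-12T11:31:12.001Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c0ffee01|cert_sha256=c0ffee02|cert_cn=Apple Inc.|pid=71602|pidversion=1096801|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=M|path=/usr/bin/true|args=/usr/bin/true
[2022-05-12T11:32:40.500Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=c0ffee03|pid=71610|pidversion=1096850|ppid=71602|uid=501|user=alice|gid=20|group=staff|mode=L|path=/Users/alice/Downloads/tool|args=/Users/alice/Downloads/tool --help
[2022-05-12T11:33:01.000Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=c0ffee04|pid=71611|pidversion=1096860|ppid=71602|uid=501|user=alice|gid=20|group=staff|mode=M|path=/tmp/unsigned|args=/tmp/unsigned
this line is not in santa format and must be skipped, not crash the parser
"""


def _int(value: Optional[str]) -> Optional[int]:
    """Convert a numeric field, tolerating missing or malformed values."""
    try:
        return int(value)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None


def parse_line(line: str) -> Optional[dict]:
    """Map one santad line onto the santa.*, process.*, user.*, group.* and file.* fields.

    Returns None for lines that do not match the assumed layout, mirroring the
    integration's changelog goal of not failing on unexpected formats.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = {}
    for part in m.group("body").split("|"):
        key, sep, val = part.partition("=")
        if sep:
            kv[key] = val
    action = kv.get("action", "")
    is_exec = action == "EXEC"
    return {
        "@timestamp": m.group("ts"),
        "log": {"level": m.group("level")},
        "event": {"kind": "event", "action": action.lower()},
        "santa": {
            "action": action,
            "decision": kv.get("decision"),
            "reason": kv.get("reason"),
            "mode": kv.get("mode"),  # assumed: M = monitor, L = lockdown
            "pidversion": _int(kv.get("pidversion")),
            "certificate": {"common_name": kv.get("cert_cn"), "sha256": kv.get("cert_sha256")},
        },
        "process": {
            "pid": _int(kv.get("pid")),
            "parent": {"pid": _int(kv.get("ppid"))},
            # For EXEC the binary is 'path'; for file operations it is 'processpath'.
            "executable": kv.get("path") if is_exec else kv.get("processpath"),
            "args": kv["args"].split(" ") if "args" in kv else None,
        },
        "user": {"id": kv.get("uid"), "name": kv.get("user")},
        "group": {"id": kv.get("gid"), "name": kv.get("group")},
        "file": {
            "path": None if is_exec else kv.get("path"),
            "target_path": kv.get("newpath"),
        },
    }


def review(doc: dict) -> Optional[str]:
    """Return why an execution event deserves a look, or None if it is routine."""
    s = doc["santa"]
    if s["action"] != "EXEC":
        return None
    if s["decision"] == "DENY":
        return "execution blocked"
    if s["decision"] == "ALLOW" and s["reason"] == "UNKNOWN":
        # In monitor mode an unknown binary runs anyway; in lockdown it would be denied.
        return "unknown binary ran (monitor mode)"
    return None


def process_log(text: str) -> Tuple[List[dict], List[Tuple[Optional[str], str]]]:
    """Parse every line, skip unparsable ones, and collect (executable, reason) findings."""
    docs, findings = [], []
    for line in text.splitlines():
        doc = parse_line(line)
        if doc is None:
            continue
        docs.append(doc)
        why = review(doc)
        if why:
            findings.append((doc["process"]["executable"], why))
    return docs, findings


if __name__ == "__main__":
    parsed, flagged = process_log(SAMPLE_LOG)
    print(f"parsed {len(parsed)} events")
    for executable, why in flagged:
        print(f"{why}: {executable}")
```

The parser deliberately returns None for a line it cannot match instead of raising, so one malformed line does not stop ingestion of the rest; the review step keys only on `santa.decision`, `santa.reason` and `santa.mode`, the same fields the table lists, so the logic carries over to a Kibana query against the indexed documents.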
This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
Changelog
Version | Details | Kibana version(s) |
---|---|---|
3.24.0 | Enhancement: Update Kibana constraint to support 9.0.0. | 8.13.0 or higher; 9.0.0 or higher |
3.23.0 | Enhancement: Allow the usage of deprecated log input and support for stack 9.0. | 8.13.0 or higher |
3.22.0 | Enhancement: Do not remove event.original in main ingest pipeline. | 8.13.0 or higher |
3.21.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
3.20.0 | Enhancement: Update ingest pipeline to avoid failures with unexpected log formats. | 8.13.0 or higher |
3.19.1 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
3.19.0 | Enhancement: Add support for team ID field. | 8.13.0 or higher |
3.18.0 | Enhancement: Update the Kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
3.17.0 | Enhancement: Update manifest format version to v3.0.3. | 8.7.1 or higher |
3.16.2 | Enhancement: Changed owners. | 8.7.1 or higher |
3.16.1 | Bug fix: Fix exclude_files pattern. | 8.7.1 or higher |
3.16.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
3.15.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 8.7.1 or higher |
3.14.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
3.13.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. | 8.7.1 or higher |
3.12.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
3.11.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
3.10.0 | Enhancement: Convert dashboards to Lens. | 8.7.1 or higher |
3.9.0 | Enhancement: Update to package-spec 2.9.0. | 8.1.0 or higher |
3.8.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.1.0 or higher |
3.7.0 | Enhancement: Update package to ECS 8.8.0. | 8.1.0 or higher |
3.6.0 | Enhancement: Update package to ECS 8.7.0. | 8.1.0 or higher |
3.5.1 | Enhancement: Added categories and/or subcategories. | 8.1.0 or higher |
3.5.0 | Enhancement: Update package to ECS 8.6.0. | 8.1.0 or higher |
3.4.1 | Enhancement: Migrate the visualizations to by-value in dashboards to minimize saved object clutter and reduce time to load. | 8.1.0 or higher |
3.4.0 | Enhancement: Update package to ECS 8.5.0. | 7.17.0 or higher; 8.0.0 or higher |
3.3.0 | Enhancement: Update package to ECS 8.4.0. | 7.17.0 or higher; 8.0.0 or higher |
3.2.1 | Enhancement: Update package name and description to align with standard wording. | 7.17.0 or higher; 8.0.0 or higher |
3.2.0 | Enhancement: Update package to ECS 8.3.0. | 7.17.0 or higher; 8.0.0 or higher |
3.1.0 | Enhancement: Add process.entity_id field. | 7.17.0 or higher; 8.0.0 or higher |
3.0.0 | Enhancement: Update log format to support the GA releases of Santa. The pre-GA Santa log format (circa 2017) is no longer accepted. | — |
2.1.0 | Enhancement: Update to ECS 8.2. | 7.17.0 or higher; 8.0.0 or higher |
2.0.1 | Enhancement: Add documentation for multi-fields. | 7.17.0 or higher; 8.0.0 or higher |
2.0.0 | Enhancement: Update to ECS 8.0. Enhancement: process.ppid replaced with process.parent.pid (breaking change). | 7.17.0 or higher; 8.0.0 or higher |
1.1.0 | Enhancement: Add 8.0.0 version constraint. | 7.16.0 or higher; 8.0.0 or higher |
1.0.3 | Enhancement: Uniform with guidelines. | 7.16.0 or higher |
1.0.2 | Enhancement: Update title and description. | 7.16.0 or higher |
1.0.1 | Bug fix: Fix logic that checks for the 'forwarded' tag. | — |
1.0.0 | Enhancement: Make GA. | — |
0.4.0 | Enhancement: Update to ECS 1.12.0. | — |
0.3.2 | Enhancement: Convert to generated ECS fields. | — |
0.3.1 | Enhancement: Update to ECS 1.11.0. | — |
0.3.0 | Enhancement: Update integration description. | — |
0.2.0 | Enhancement: Set "event.module" and "event.dataset". | — |
0.1.0 | Enhancement: Update to ECS 1.10.0 and add event.original options. | — |
0.0.3 | Enhancement: Update to ECS 1.9.0. | — |
0.0.2 | Enhancement: Fix compatibility with Kibana. | — |
0.0.1 | Enhancement: Initial release. | — |