Overview of macOS Threats category
Supported in: Google SecOps SIEM
This document provides an overview of the rule sets in the macOS Threats
category, the required data sources, and configuration you can use to tune the
alerts generated by these rule sets.
Rule sets in the macOS Threats category help identify threats in macOS
environments using CrowdStrike Falcon, macOS Auditing System (AuditD), and Unix system logs.
This category includes the following rule sets:
Mandiant Intel Emerging Threats: This rule set contains rules derived from Mandiant Intelligence Campaigns and Significant Events, which cover highly impactful geopolitical and threat activity, as assessed by Mandiant. This activity may include geopolitical conflict, exploitation, phishing, malvertising, ransomware, and supply chain compromises.
Supported devices and log types
This section lists the data required by each rule set. Contact your
Google Security Operations representative if you are collecting endpoint data using different EDR software.
For a list of all Google SecOps supported data sources, see Supported default parsers.
Mandiant Front-Line Threats and Mandiant Intel Emerging Threats rule sets
These rule sets have been tested and are supported with the following Google SecOps supported EDR data sources:
Carbon Black (CB_EDR)
SentinelOne (SENTINEL_EDR)
CrowdStrike Falcon (CS_EDR)
These rule sets are being tested and optimized for the following Google SecOps supported EDR data sources:
Tanium
Cybereason EDR (CYBEREASON_EDR)
Lima Charlie (LIMACHARLIE_EDR)
OSQuery
Zeek
Cylance (CYLANCE_PROTECT)
To ingest these logs to Google SecOps, see Ingest Google Cloud data to Google SecOps. Contact your Google SecOps representative if you need to collect these logs using a different mechanism.
Tuning alerts returned by macOS Threats category
You can reduce the number of detections a rule or rule set generates using
rule exclusions.
In the rule exclusion, you define the criteria of a UDM event that excludes the
event from being evaluated by the rule set.
Create one or more rule exclusions to identify criteria in a UDM event that
exclude the event from being evaluated by this rule set or by specific rules in
the rule set. See
Configure rule exclusions
for information about how to do this.
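To make the exclusion concept concrete, the following is an added Python model (not Google SecOps code and not the product's exclusion syntax) that applies exclusion criteria to constructed UDM-style events before a toy rule evaluates them. The field names follow UDM naming; the sample events, the criteria and the helper functions are hypothetical.

```python
# Added illustration: a rule exclusion removes matching UDM events from
# evaluation before a rule set sees them. Field names follow UDM naming
# (metadata.log_type, principal.hostname, ...); the events, criteria and
# helper functions are constructed for this example and are not the
# Google SecOps exclusion syntax.

# Constructed UDM-style events from a CS_EDR feed (dotted paths flattened).
SAMPLE_EVENTS = [
    {"metadata.log_type": "CS_EDR", "principal.hostname": "build-mac-01",
     "principal.process.file.full_path": "/usr/local/bin/jamf",
     "target.process.command_line": "/usr/bin/osascript -e 'display dialog'"},
    {"metadata.log_type": "CS_EDR", "principal.hostname": "dev-mac-07",
     "principal.process.file.full_path": "/bin/bash",
     "target.process.command_line": "/usr/bin/osascript -e 'display dialog'"},
    {"metadata.log_type": "CS_EDR", "principal.hostname": "build-mac-01",
     "principal.process.file.full_path": "/bin/bash",
     "target.process.command_line": "/usr/bin/curl http://example.test/x"},
]

# An exclusion is a set of field/value pairs that must ALL match for the
# event to be dropped. Matching on several fields keeps the exclusion narrow,
# so an allowed tool on one host does not hide the same command from others.
def is_excluded(event: dict, criteria: dict) -> bool:
    return all(event.get(field) == value for field, value in criteria.items())

def filter_for_rules(events: list, exclusions: list) -> list:
    """Return only the events that no exclusion matches."""
    return [e for e in events
            if not any(is_excluded(e, crit) for crit in exclusions)]

def flagged_hosts(events: list, exclusions: list) -> list:
    """Toy rule: any osascript launch is flagged; returns affected hostnames."""
    kept = filter_for_rules(events, exclusions)
    return sorted({e["principal.hostname"] for e in kept
                   if "osascript" in e.get("target.process.command_line", "")})

# Narrow exclusion: the MDM agent on the build host may run osascript.
NARROW = [{"principal.hostname": "build-mac-01",
           "principal.process.file.full_path": "/usr/local/bin/jamf"}]
# Over-broad exclusion: the whole host is excluded, so the unrelated
# bash-launched curl event from that host is never evaluated either.
BROAD = [{"principal.hostname": "build-mac-01"}]
```

Both exclusions silence the MDM agent's alert, but the broad one also drops every other event from that host, which is the blind spot to check for when tuning.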
Last updated 2025-08-29 UTC.