topic Re: Mac OS high sierra USB monitoring in Splunk Enterprise Security

Mac OS high sierra USB monitoring

johns0n1216 — Fri, 06 Jul 2018 21:33:42 GMT

Is there a way to Monitor USB activity for all Mac books and systems on an enterprise level? For example maybe use logs to grab the device ID of a USB and forward it to Splunk where Splunk can alert you of such activity.

Re: Mac OS high sierra USB monitoring

LukeMurphey — Sat, 07 Jul 2018 17:55:15 GMT

I know that osquery is capable of USB device monitoring and there are a couple of Splunk apps dedicated to osquery monitoring.

https://splunkbase.splunk.com/app/3902/
https://splunkbase.splunk.com/app/3278/

This would mean installing the osquery client on the endpoints but Macs are supported.

Re: Mac OS high sierra USB monitoring

johns0n1216 — Wed, 11 Jul 2018 15:47:14 GMT

Do you have any documentation for installing these add ons they don't have much info on their page.