NXLog BSM macOS connector for Microsoft Sentinel

The NXLog BSM macOS data connector uses Sun's Basic Security Module (BSM) Auditing API to read audit events directly from the kernel on the macOS platform. This REST API connector can efficiently export macOS audit events to Microsoft Sentinel in real time.

Connector attributes

Connector attribute             Description
Log Analytics table(s)          BSMmacOS_CL
Data collection rules support   Not currently supported
Supported by                    NXLog

Query samples

Most frequent event types

BSMmacOS_CL
| summarize EventCount = count() by EventType_s
| where strlen(EventType_s) > 1
| project EventType = EventType_s, EventCount
| order by EventCount desc
| render barchart

Most frequent event names

BSMmacOS_CL
| summarize EventCount = count() by EventName_s
| project EventCount, EventName = EventName_s
| where strlen(EventName) > 1
| order by EventCount desc
| render barchart

Distribution of (notification) texts

BSMmacOS_CL
| summarize EventCount = count() by Text_s
| where strlen(Text_s) > 1
| order by EventCount
| render piechart
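The samples above only count events. As an added example (not one of the connector's own queries), the following KQL compares the last 24 hours of each BSM event name against the previous six days in the same table and surfaces names whose volume has jumped, which is a common starting point for hunting on a newly onboarded audit source. It assumes only the BSMmacOS_CL columns already used on this page (EventName_s) plus the standard Log Analytics TimeGenerated column; the thresholds are arbitrary and should be tuned to the environment.

```kql
// Added example: per-event-name volume spike over BSMmacOS_CL.
// Assumes EventName_s (from the queries above) and the standard TimeGenerated column.
BSMmacOS_CL
| where TimeGenerated > ago(7d)
| where strlen(EventName_s) > 1
| summarize
    BaselineCount = countif(TimeGenerated <= ago(1d)),   // previous 6 days
    RecentCount   = countif(TimeGenerated > ago(1d))     // last 24 hours
    by EventName_s
| extend BaselineDailyAvg = BaselineCount / 6.0
// +1.0 avoids division by zero for event names never seen in the baseline window
| extend Ratio = RecentCount / (BaselineDailyAvg + 1.0)
// Arbitrary thresholds: at least 20 recent events and more than 3x the daily baseline
| where RecentCount >= 20 and Ratio > 3
| project EventName_s, BaselineDailyAvg, RecentCount, Ratio
| order by Ratio desc
```

Event names that appear with a high ratio and no baseline at all are the ones worth reviewing first, since they indicate audit classes that were silent until the last day.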

Vendor installation instructions

Follow the step-by-step instructions in the NXLog User Guide integration topic for Microsoft Sentinel to configure this connector.

Next steps

For more information, go to the related solution in the Azure Marketplace.