Update EDR_telem_mac.json - Uptycs - User & Session Activity#173

Open

joshlemon wants to merge 1 commit into tsale:main from joshlemon:patch-17

Conversation

@joshlemon
Contributor

@joshlemon joshlemon commented Apr 2, 2026

EDR Telemetry Pull Request

Contribution Details

This PR updates the macOS telemetry data for Uptycs covering the User & Session Activity category, including User Logon, User Logoff, Logon Failed, Screen Lock, Screen Unlock, and Privilege Escalation (sudo etc.). Results are Yes for Logon, Logoff, Logon Failed, and Privilege Escalation. Screen Lock and Screen Unlock are confirmed No.

Telemetry Validation

All sub-categories were validated by running the macOS EDR telemetry generation script and querying the relevant tables in Uptycs.

User Logon — queried via:

```sql
-- Successful local and SSH logons for one asset over the last day of partitions
select ue.upt_time, ue.message, ue.pid, ue.login_name, ue.uname, ue.session_id, ue.upt_hostname
from user_events ue
where upt_asset_id='564d7bfc-4c1f-2d22-c3ab-3b1fd3e60ea3'
  and upt_day >= CAST(date_format((CURRENT_DATE - INTERVAL '1' DAY), '%Y%m%d') AS INT)
  and (message like 'user authentication:Successful:%' or message like 'OpenSSH login:Successful%')
order by upt_time DESC
```

User Logoff — queried via:

```sql
-- Logoff events for one asset over the last 100 days of partitions
select ue.upt_time, ue.message, ue.pid, ue.login_name, ue.uname, ue.session_id, ue.upt_hostname
from user_events ue
where upt_asset_id='564d7bfc-4c1f-2d22-c3ab-3b1fd3e60ea3'
  and upt_day >= CAST(date_format((CURRENT_DATE - INTERVAL '100' DAY), '%Y%m%d') AS INT)
  and message like 'logout%'
order by upt_time DESC
```

Logon Failed — queried via:

```sql
-- Failed local and SSH logons for one asset over the last day of partitions
select ue.upt_time, ue.message, ue.pid, ue.login_name, ue.uname, ue.session_id, ue.upt_hostname
from user_events ue
where upt_asset_id='564d7bfc-4c1f-2d22-c3ab-3b1fd3e60ea3'
  and upt_day >= CAST(date_format((CURRENT_DATE - INTERVAL '1' DAY), '%Y%m%d') AS INT)
  and (message like 'user authentication:Failed:%' or message like 'OpenSSH login:Failed:%')
order by upt_time DESC
```

Screen Lock — No. Uptycs does not surface a dedicated screen lock event on macOS at this point in time.

Screen Unlock — No. As above, there is no dedicated screen unlock event available in Uptycs on macOS at this point in time.

Privilege Escalation (sudo etc.) — queried via:

Privilege escalation is identified when login_name (the original user) differs from uname (the effective user running the process). For example, login_name = user and uname = root indicates that the user escalated privileges via sudo.

```sql
-- Recent process events for one asset; compare login_name with uname in the results
select upt_time, pid, path, mode, cmdline, env, euid, egid, login_name, uname
from process_events
where upt_day >= CAST(date_format(current_date - INTERVAL '1' day, '%Y%m%d') AS INTEGER)
  and upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
order by upt_time DESC
limit 100
```

Documentation or Evidence:

  • Official documentation (link: )
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation (will share confidentially)

Type of Contribution

  • Adding telemetry information for an existing EDR product
  • Adding a new EDR product that meets eligibility criteria
  • Proposing new event categories/sub-categories
  • Documentation improvement
  • Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name: Uptycs
  • EDR Version: 5.19
  • Operating System(s) Tested: macOS

Testing Methodology

The macOS EDR telemetry generation script was run on a managed macOS host enrolled in Uptycs. Logon, logoff, and failed logon events were captured via the user_events table by filtering on known message patterns. Privilege escalation was identified via the process_events table by comparing login_name and uname fields — a mismatch (e.g. original user vs. root) indicates a sudo-style escalation. Screen Lock and Screen Unlock were investigated, but no telemetry is currently available in tables; these are recorded as No.

Additional Notes

Screen Lock and Screen Unlock (No) are not surfaced by Uptycs on macOS in version 5.19. The user_events table is the primary data source for logon-related activity, while process_events is used for detecting privilege escalation. No configuration changes were required for any of these sub-categories.
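The detection logic behind the four validation queries above, as an added example that is not part of the PR or the EDR-Telemetry project: the same message-prefix filters and the login_name/uname mismatch rule are run over a constructed dataset in an in-memory SQLite database so the example executes offline. The column names follow the PR's queries; every row is invented sample data, the table layouts are assumptions, and the Uptycs-specific upt_day/date_format partition predicate is omitted because SQLite has no equivalent.

```python
# Added example, not code from the PR or the EDR-Telemetry project. It
# replays the detection logic behind the PR's Uptycs validation queries over
# a small constructed dataset in an in-memory SQLite database, so it runs
# offline. Column names follow the PR's queries; every row below is invented
# sample data (table layouts are assumptions), and the Uptycs-specific
# upt_day/date_format partition filter is omitted because SQLite has none.
import sqlite3

# Constructed rows in the shape of the Uptycs user_events table.
USER_EVENTS = [
    # (upt_time, message, pid, login_name, uname, session_id)
    ("2026-04-01T10:00:00Z", "user authentication:Successful:loginwindow", 412, "alice", "alice", 100),
    ("2026-04-01T10:05:00Z", "OpenSSH login:Successful from 10.0.0.5", 530, "bob", "bob", 101),
    ("2026-04-01T10:06:00Z", "user authentication:Failed:loginwindow", 413, "alice", "alice", 100),
    ("2026-04-01T10:07:00Z", "OpenSSH login:Failed: bad password", 531, "mallory", "mallory", 0),
    ("2026-04-01T11:00:00Z", "logout session 100", 412, "alice", "alice", 100),
]

# Constructed rows in the shape of process_events. login_name is the user
# who started the session; uname is the effective user of the process.
PROCESS_EVENTS = [
    # (upt_time, pid, path, cmdline, euid, login_name, uname)
    ("2026-04-01T10:10:00Z", 600, "/usr/bin/sudo", "sudo -i", 0, "alice", "root"),
    ("2026-04-01T10:11:00Z", 601, "/bin/ls", "ls -la", 501, "alice", "alice"),
    ("2026-04-01T10:12:00Z", 602, "/bin/zsh", "zsh", 0, "alice", "root"),
    ("2026-04-01T10:13:00Z", 603, "/usr/bin/top", "top", 502, "bob", "bob"),
]


def build_db():
    """Create both tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_events (upt_time text, message text, pid int, "
                 "login_name text, uname text, session_id int)")
    conn.execute("create table process_events (upt_time text, pid int, path text, "
                 "cmdline text, euid int, login_name text, uname text)")
    conn.executemany("insert into user_events values (?,?,?,?,?,?)", USER_EVENTS)
    conn.executemany("insert into process_events values (?,?,?,?,?,?,?)", PROCESS_EVENTS)
    conn.commit()
    return conn


def user_logons(conn):
    """User Logon: the two message prefixes the PR's query matches."""
    return conn.execute(
        "select upt_time, message, login_name from user_events "
        "where message like 'user authentication:Successful:%' "
        "   or message like 'OpenSSH login:Successful%' "
        "order by upt_time desc").fetchall()


def user_logoffs(conn):
    """User Logoff: messages starting with 'logout'."""
    return conn.execute(
        "select upt_time, message, login_name from user_events "
        "where message like 'logout%' order by upt_time desc").fetchall()


def logon_failures(conn):
    """Logon Failed: the two failure prefixes the PR's query matches."""
    return conn.execute(
        "select upt_time, message, login_name from user_events "
        "where message like 'user authentication:Failed:%' "
        "   or message like 'OpenSSH login:Failed:%' "
        "order by upt_time desc").fetchall()


def privilege_escalations(conn):
    """Privilege Escalation: the PR's rule as an explicit predicate.

    The PR's query lists recent process_events and leaves the login_name vs.
    uname comparison to the reviewer; here the mismatch is the WHERE clause,
    so only rows where the effective user differs from the original user
    are returned (e.g. login_name = alice, uname = root after sudo)."""
    return conn.execute(
        "select upt_time, pid, path, cmdline, euid, login_name, uname "
        "from process_events where login_name <> uname "
        "order by upt_time desc").fetchall()


if __name__ == "__main__":
    db = build_db()
    for label, query in [("logon", user_logons), ("logoff", user_logoffs),
                         ("failed", logon_failures), ("escalation", privilege_escalations)]:
        print(label)
        for row in query(db):
            print("  ", row)
```

Putting the mismatch in the WHERE clause rather than eyeballing a `limit 100` dump is the difference between a validation query and a detection: on the constructed rows only the `sudo -i` process and the root shell it spawned are returned, while alice's own `ls` and bob's `top` are not.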

@joshlemon joshlemon marked this pull request as ready for review April 2, 2026 04:42