XProtect Malware Scan Match Detected

Detects XProtect malware scan matches via the macOS Unified Logs com.apple.XProtectFramework.PluginAPI subsystem. XProtect is Apple's built-in malware detection system that scans files using YARA-based signature rules. When a scan produces a match, it indicates that a known malware signature was detected on the endpoint. While XProtect events are rare, they are extremely high-confidence indicators of malicious software presence. This rule correlates XProtect scan results with Elastic Security telemetry to provide additional context for investigation and response. This subsystem does not require debug or private data enablement.

Rule type: esql
Rule indices:

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

• https://support.apple.com/en-us/102445
• https://www.elastic.co/docs/reference/integrations/unifiedlogs

Tags:

• Domain: macOS
• Data Source: macOS Unified Logs
• Data Source: Unified Logs
• Use Case: Threat Detection
• Resources: Investigation Guide
• Tactic: Defense Evasion

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

This rule detects when Apple's XProtect framework identifies a malware signature match during a file scan. XProtect uses YARA-based rules maintained by Apple and is a strong indicator that known malware is present on the endpoint.

• Review the message field to identify the XProtect signature that matched and the scanned file details.
• Correlate with Elastic Defend telemetry to determine the full context: which process created or downloaded the flagged file, and what activity followed.
• Check if XProtect quarantined or blocked the file, or if the malware was able to execute.
• Look up the XProtect signature name against Apple's published XProtect rules or public malware databases for additional intelligence.
• Review the host for additional indicators of compromise, including persistence mechanisms, network connections, and other suspicious process activity.
• Check the file's origin — was it downloaded from the internet, received via email, or transferred from removable media?

• XProtect matches are high-confidence and rarely produce false positives.
• Security research samples or penetration testing tools may trigger legitimate detections.
• Archived or quarantined malware samples stored on disk could trigger scans.

• Immediately isolate the affected host if the malware is confirmed active.
• Verify XProtect's remediation action (quarantine, block, or allow) and take manual action if needed.
• Collect the flagged file for further analysis if not already quarantined.
• Review the infection vector and timeline to determine if other hosts may be affected.
• Check for post-compromise activity (lateral movement, data exfiltration, persistence).

FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.XProtectFramework.PluginAPI"
  AND message LIKE "*match*"
| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Defense Evasion
  • Id: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Masquerading
  • Id: T1036
  • Reference URL: https://attack.mitre.org/techniques/T1036/