← Back to Explore
jamf_protectinformationalTTP
Brew Activity
This detection functions by monitoring and report on any activity involving the use of brew with additional arguments, although this one is looking for brew being installed on the default location.
Detection Query
$event.type == 1 AND $event.process.path.lastPathComponent == "bash" AND $event.process.parent.isShell == 1 AND $event.process.args.@count > 4 AND (ANY $event.process.args == "/opt/homebrew/bin/brew")Author
Jamf
Data Sources
Process EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilityThird Party
Raw Content
---
name: BrewActivity
uuid: b81eaa0f-9daf-49e6-894f-3cc0fbedb5d0
longDescription: This detection functions by monitoring and report on any activity involving the use of brew with additional arguments, although this one is looking for brew being installed on the default location.
level: 0
inputType: GPProcessEvent
tags: null
snapshotFiles: []
filter: $event.type == 1 AND
$event.process.path.lastPathComponent == "bash" AND
$event.process.parent.isShell == 1 AND
$event.process.args.@count > 4 AND
(ANY $event.process.args == "/opt/homebrew/bin/brew")
actions:
- name: Log
context: []
categories:
- Visibility
- Third Party
version: 1
severity: Informational
shortDescription: The package manager brew has been invoked.
label: Brew Activity
remediation: null
MitreCategories: null