Endpoint Security ESF
148 Endpoint Security (ESF) event types. macOS identifies endpoint telemetry by ES event type (e.g. ES_EVENT_TYPE_AUTH_EXEC), not by a numbered event log.
Grouped by functional domain. Kernel-level event types use Apple's own es_events_t documentation sections; the user-space security events Apple does not place in a documentation section are grouped by their es_event_<family>_* struct family, listed below under Catalog groupings. The AUTH/NOTIFY action and the introduced-in-macOS version are the only hard axes.
Apple documentation sections

- File open, close, create, write, rename, clone, copy, truncate, lookup, and access operations.
- Reads and changes of file metadata: mode, owner, ACLs, extended attributes, flags, timestamps, and directory listings.
- File Provider extension materialization and update of placeholder items.
- Link creation, unlink, and symbolic-link resolution.
- Filesystem mount, unmount, and remount.
- Mapping a file into memory and changing page protections (writable-to-executable transitions).
- Process execution, fork, exit, signalling, process inspection, and chdir/chroot.
- Cross-process actions: suspend/resume, ptrace-style tracing, and remote thread creation.
- Acquisition of another process's Mach task port (control, name, read, inspect).
- Real and effective user- and group-ID changes (privilege transitions).
- Invalidation of a running process's dynamic code signature.
- UNIX-domain socket bind and connect. (ESF has no IP network-connection event.)
- System clock changes.
- Kernel-extension load/unload and IOKit user-client open.
- PTY grant and close.

File System Events (23 types)

File Metadata Events (27 types)

File Provider Events (4 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE | AUTH | 10.15 | File Provider Materialize (AUTH) | N |
| ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE | NOTIFY | 10.15 | File Provider Materialize (NOTIFY) | N |
| ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE | AUTH | 10.15 | File Provider Update (AUTH) | N |
| ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE | NOTIFY | 10.15 | File Provider Update (NOTIFY) | N |

Symbolic Link Events (6 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_UNLINK | AUTH | 10.15 | File Unlink (AUTH) | Y |
| ES_EVENT_TYPE_NOTIFY_LINK | NOTIFY | 10.15 | Hard Link Create (NOTIFY) | N |
| ES_EVENT_TYPE_NOTIFY_UNLINK | NOTIFY | 10.15 | File Unlink (NOTIFY) | Y |
| ES_EVENT_TYPE_AUTH_READLINK | AUTH | 10.15 | Symbolic Link Read (AUTH) | Y |
| ES_EVENT_TYPE_NOTIFY_READLINK | NOTIFY | 10.15 | Symbolic Link Read (NOTIFY) | Y |
| ES_EVENT_TYPE_AUTH_LINK | AUTH | 10.15 | Hard Link Create (AUTH) | N |

File System Mounting Events (5 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_MOUNT | AUTH | 10.15 | Filesystem Mount (AUTH) | Y |
| ES_EVENT_TYPE_NOTIFY_MOUNT | NOTIFY | 10.15 | Filesystem Mount (NOTIFY) | Y |
| ES_EVENT_TYPE_NOTIFY_UNMOUNT | NOTIFY | 10.15 | Filesystem Unmount (NOTIFY) | Y |
| ES_EVENT_TYPE_AUTH_REMOUNT | AUTH | 11.0 | Filesystem Remount (AUTH) | N |
| ES_EVENT_TYPE_NOTIFY_REMOUNT | NOTIFY | 11.0 | Filesystem Remount (NOTIFY) | N |

Memory Mapping Events (4 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_MMAP | AUTH | 10.15 | Memory Map File (Auth) | Y |
| ES_EVENT_TYPE_AUTH_MPROTECT | AUTH | 10.15 | Memory Protection Change (Auth) | Y |
| ES_EVENT_TYPE_NOTIFY_MMAP | NOTIFY | 10.15 | Memory Map File (Notify) | Y |
| ES_EVENT_TYPE_NOTIFY_MPROTECT | NOTIFY | 10.15 | Memory Protection Change (Notify) | Y |

Process Events (12 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_EXEC | AUTH | 10.15 | Process Execution (Auth) | Y |
| ES_EVENT_TYPE_AUTH_SIGNAL | AUTH | 10.15 | Signal Delivery (Auth) | Y |
| ES_EVENT_TYPE_NOTIFY_EXEC | NOTIFY | 10.15 | Process Execution (Notify) | Y |
| ES_EVENT_TYPE_NOTIFY_FORK | NOTIFY | 10.15 | Process Fork (Notify) | Y |
| ES_EVENT_TYPE_NOTIFY_EXIT | NOTIFY | 10.15 | Process Exit (Notify) | Y |
| ES_EVENT_TYPE_NOTIFY_SIGNAL | NOTIFY | 10.15 | Signal Delivery (Notify) | Y |
| ES_EVENT_TYPE_AUTH_PROC_CHECK | AUTH | 10.15.4 | Process Info Access Check (Auth) | Y |
| ES_EVENT_TYPE_NOTIFY_PROC_CHECK | NOTIFY | 10.15.4 | Process Info Access Check (Notify) | Y |
| ES_EVENT_TYPE_AUTH_CHDIR | AUTH | 10.15.1 | Change Directory (AUTH) | Y |
| ES_EVENT_TYPE_NOTIFY_CHDIR | NOTIFY | 10.15.1 | Change Directory (NOTIFY) | Y |
| ES_EVENT_TYPE_AUTH_CHROOT | AUTH | 10.15.1 | Change Root Directory (AUTH) | N |
| ES_EVENT_TYPE_NOTIFY_CHROOT | NOTIFY | 10.15.1 | Change Root Directory (NOTIFY) | N |

Interprocess Events (4 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME | AUTH | 11.0 | Process Suspend / Resume (Auth) | Y |
| ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME | NOTIFY | 11.0 | Process Suspend / Resume (Notify) | Y |
| ES_EVENT_TYPE_NOTIFY_TRACE | NOTIFY | 11.0 | Process Tracing Attach (Notify) | N |
| ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE | NOTIFY | 11.0 | Remote Thread Creation (Notify) | N |

Task Port Events (6 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_GET_TASK | NOTIFY | 10.15 | Task Control Port Retrieval (Notify) | N |
| ES_EVENT_TYPE_AUTH_GET_TASK | AUTH | 10.15.4 | Task Control Port Retrieval (Auth) | N |
| ES_EVENT_TYPE_NOTIFY_GET_TASK_NAME | NOTIFY | 11.0 | Task Name Port Retrieval (Notify) | N |
| ES_EVENT_TYPE_AUTH_GET_TASK_READ | AUTH | 11.3 | Task Read Port Retrieval (Auth) | N |
| ES_EVENT_TYPE_NOTIFY_GET_TASK_READ | NOTIFY | 11.3 | Task Read Port Retrieval (Notify) | N |
| ES_EVENT_TYPE_NOTIFY_GET_TASK_INSPECT | NOTIFY | 11.3 | Task Inspect Port Retrieval (Notify) | N |

User and Group ID Events (6 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_SETUID | NOTIFY | 12.0 | Process Set Real User ID (setuid) | N |
| ES_EVENT_TYPE_NOTIFY_SETGID | NOTIFY | 12.0 | Process Set Real Group ID (setgid) | N |
| ES_EVENT_TYPE_NOTIFY_SETEUID | NOTIFY | 12.0 | Process Set Effective User ID (seteuid) | N |
| ES_EVENT_TYPE_NOTIFY_SETEGID | NOTIFY | 12.0 | Process Set Effective Group ID (setegid) | N |
| ES_EVENT_TYPE_NOTIFY_SETREUID | NOTIFY | 12.0 | Process Set Real and Effective User IDs (setreuid) | N |
| ES_EVENT_TYPE_NOTIFY_SETREGID | NOTIFY | 12.0 | Process Set Real and Effective Group IDs (setregid) | N |

Code Signing Events (1 type)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED | NOTIFY | 11.0 | Code Signature Invalidated | N |

Socket Events (4 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_UIPC_BIND | NOTIFY | 10.15.1 | UNIX Domain Socket Bind | N |
| ES_EVENT_TYPE_AUTH_UIPC_BIND | AUTH | 10.15.1 | UNIX Domain Socket Bind (Authorization) | N |
| ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT | NOTIFY | 10.15.1 | UNIX Domain Socket Connect | N |
| ES_EVENT_TYPE_AUTH_UIPC_CONNECT | AUTH | 10.15.1 | UNIX Domain Socket Connect (Authorization) | N |

Clock Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_SETTIME | AUTH | 10.15.1 | Set System Time (AUTH) | N |
| ES_EVENT_TYPE_NOTIFY_SETTIME | NOTIFY | 10.15.1 | Set System Time (NOTIFY) | N |

Kernel Events (5 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_AUTH_KEXTLOAD | AUTH | 10.15 | Kernel Extension Load (Auth) | N |
| ES_EVENT_TYPE_NOTIFY_KEXTLOAD | NOTIFY | 10.15 | Kernel Extension Load (Notify) | N |
| ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD | NOTIFY | 10.15 | Kernel Extension Unload (Notify) | N |
| ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN | NOTIFY | 10.15 | IOKit User Client Opened | N |
| ES_EVENT_TYPE_AUTH_IOKIT_OPEN | AUTH | 11.0 | IOKit User Client Open (Auth) | N |

PTY Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_PTY_GRANT | NOTIFY | 10.15.4 | Pseudoterminal Device Granted | N |
| ES_EVENT_TYPE_NOTIFY_PTY_CLOSE | NOTIFY | 10.15.4 | Pseudoterminal Device Closed | N |
Catalog groupings (events Apple does not document in a section)

- OpenSSH (sshd) login and logout, with authentication result and source address.
- XPC service connection requests.
- Local authentication attempts and the su / sudo privilege-elevation utilities.
- loginwindow GUI session login, logout, lock, and unlock.
- Screen Sharing (VNC) session attach and detach.
- Console login(1) authentication login and logout.
- Security Authorization Services right petitions and the system's judgement.
- Open Directory user/group creation, deletion, membership, password, and attribute changes.
- XProtect malware detection and remediation.
- Background Task Management (BTM) launch- and login-item add/remove (persistence).
- Configuration-profile installation and removal.
- User override of a Gatekeeper block to run quarantined software.
- Transparency, Consent & Control (TCC) privacy-permission changes.

OpenSSH Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN | NOTIFY | 13.0 | OpenSSH Login | N |
| ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT | NOTIFY | 13.0 | OpenSSH Logout | N |

XPC Events (1 type)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_XPC_CONNECT | NOTIFY | 14.0 | XPC Service Connection | Y |

Authentication Events (3 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_AUTHENTICATION | NOTIFY | 13.0 | Authentication Attempt | N |
| ES_EVENT_TYPE_NOTIFY_SU | NOTIFY | 14.0 | su Command Execution | Y |
| ES_EVENT_TYPE_NOTIFY_SUDO | NOTIFY | 14.0 | sudo Command Execution | N |

Login Window Events (4 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN | NOTIFY | 13.0 | LoginWindow Session Login | N |
| ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT | NOTIFY | 13.0 | LoginWindow Session Logout | N |
| ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK | NOTIFY | 13.0 | LoginWindow Session Lock | N |
| ES_EVENT_TYPE_NOTIFY_LW_SESSION_UNLOCK | NOTIFY | 13.0 | LoginWindow Session Unlock | N |

Screen Sharing Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH | NOTIFY | 13.0 | Screen Sharing Session Attached | N |
| ES_EVENT_TYPE_NOTIFY_SCREENSHARING_DETACH | NOTIFY | 13.0 | Screen Sharing Session Detached | N |

Login Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN | NOTIFY | 13.0 | Login Utility Authentication Attempt | N |
| ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT | NOTIFY | 13.0 | Login Utility Session Logout | N |

Authorization Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION | NOTIFY | 14.0 | Authorization Rights Petition | N |
| ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT | NOTIFY | 14.0 | Authorization Rights Judgement | N |

Open Directory Events (13 types)

XProtect Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED | NOTIFY | 13.0 | XProtect Malware Detected | N |
| ES_EVENT_TYPE_NOTIFY_XP_MALWARE_REMEDIATED | NOTIFY | 13.0 | XProtect Malware Remediated | N |

Background Task Management Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD | NOTIFY | 13.0 | Background Task Management Launch Item Added | N |
| ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE | NOTIFY | 13.0 | Background Task Management Launch Item Removed | N |

Profile Events (2 types)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_PROFILE_ADD | NOTIFY | 14.0 | Configuration Profile Installed | N |
| ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE | NOTIFY | 14.0 | Configuration Profile Removed | N |

Gatekeeper Events (1 type)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE | NOTIFY | 15.0 | Gatekeeper User Override | N |

TCC Events (1 type)

| Event type | AUTH/NOTIFY | Introduced | Title | Sample |
|---|---|---|---|---|
| ES_EVENT_TYPE_NOTIFY_TCC_MODIFY | NOTIFY | 15.4 | TCC Privacy Permission Modified | N |
ES_EVENT_TYPE_AUTH_OPEN: File Open (AUTH)
Description
Fires before the kernel grants a process access to open a file. An active ESF client must respond with allow or deny (and optionally a narrowed flag mask via es_respond_flags_result) before the kernel proceeds. The payload carries the target file and the kernel-internal fflag mask (FREAD/FWRITE, not open(2) O_* values).
Fields
| Name | Description |
|---|---|
| fflag | Desired access flags as a kernel-internal mask (FREAD, FWRITE, etc.) applied to the open; differs from userland open(2) O_* values. |
| file | Pointer to the es_file_t describing the file being opened, including path and stat metadata. |
Example Event
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_OPEN), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"flags": 4294967295
},
"result_type": 1
}
},
"action_type": 1,
"event": {
"open": {
"fflag": 17825793,
"file": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 10,
"global_seq_num": 0,
"mach_time": 8835601011736,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3669176
},
"time": "2026-06-22T23:22:48.825298069Z",
"version": 10
}
}
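The fflag word and the action result in the message above are easy to misread, so here is an added decoder (not code from the page) for eslogger open messages. The bit values are the kernel-internal open flags from XNU's bsd/sys/fcntl.h, the enum values are those of es_action_type_t, es_result_type_t and es_auth_result_t, and SAMPLE_OPEN is the event above trimmed to the fields used.

```python
"""Decode the fflag word and the action result of an eslogger open message.

Added example, not code from the page. Bit values are the kernel-internal
open flags from XNU's bsd/sys/fcntl.h (FREAD/FWRITE plus the O_* bits that
share the word); enum values are those of es_action_type_t,
es_result_type_t and es_auth_result_t.
"""

# Kernel fflag bits. FREAD/FWRITE replace the userland O_RDONLY/O_WRONLY/
# O_RDWR encoding (0/1/2), which is why a raw fflag must never be compared
# against open(2) O_* access-mode values.
FFLAG_BITS = {
    0x00000001: "FREAD",
    0x00000002: "FWRITE",
    0x00000004: "O_NONBLOCK",
    0x00000008: "O_APPEND",
    0x00000100: "O_NOFOLLOW",
    0x00000200: "O_CREAT",
    0x00000400: "O_TRUNC",
    0x00000800: "O_EXCL",
    0x00100000: "O_DIRECTORY",
    0x01000000: "O_CLOEXEC",
}
KNOWN_MASK = sum(FFLAG_BITS)

ES_ACTION_TYPE_AUTH, ES_ACTION_TYPE_NOTIFY = 0, 1
ES_RESULT_TYPE_AUTH, ES_RESULT_TYPE_FLAGS = 0, 1
ES_AUTH_RESULT_ALLOW, ES_AUTH_RESULT_DENY = 0, 1

# Constructed: the open event above, reduced to the fields used here.
SAMPLE_OPEN = {
    "action": {"result": {"result": {"flags": 4294967295}, "result_type": 1}},
    "action_type": 1,
    "event": {"open": {"fflag": 17825793, "file": {"path": "/usr/bin"}}},
    "event_type": 10,
    "process": {"executable": {"path": "/usr/libexec/endpointsecurityd"}},
}


def decode_fflag(fflag):
    """Names of the set bits in ascending bit order; unknown bits stay as hex."""
    names = [name for bit, name in FFLAG_BITS.items() if fflag & bit]
    unknown = fflag & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append(hex(unknown))
    return names


def access_mode(fflag):
    """Collapse FREAD/FWRITE into the access mode an analyst expects to read."""
    return {1: "read", 2: "write", 3: "read-write"}.get(fflag & 0x3, "none")


def describe_result(message):
    """Interpret action.result.

    On a NOTIFY message the result records the decision already taken for
    the operation. An auth result is a plain allow/deny. A flags result (what
    es_respond_flags_result produces for AUTH_OPEN) lists the fflag bits the
    client authorized, so any requested bit missing from it was withheld;
    0xFFFFFFFF means nothing was narrowed.
    """
    result = message["action"]["result"]
    if result["result_type"] == ES_RESULT_TYPE_AUTH:
        allowed = result["result"]["auth"] == ES_AUTH_RESULT_ALLOW
        return {"kind": "auth", "verdict": "allow" if allowed else "deny"}
    requested = message["event"]["open"]["fflag"]
    authorized = result["result"]["flags"]
    withheld = requested & ~authorized & 0xFFFFFFFF
    return {"kind": "flags", "withheld": decode_fflag(withheld)}


def summarize_open(message):
    """Flatten an open message into the fields an analyst looks at first."""
    fflag = message["event"]["open"]["fflag"]
    return {
        "path": message["event"]["open"]["file"]["path"],
        "process": message["process"]["executable"]["path"],
        "notify": message["action_type"] == ES_ACTION_TYPE_NOTIFY,
        "mode": access_mode(fflag),
        "flags": decode_fflag(fflag),
        "result": describe_result(message),
    }


if __name__ == "__main__":
    print(summarize_open(SAMPLE_OPEN))
```

For the event above this yields FREAD | O_DIRECTORY | O_CLOEXEC (a read-only directory open) with no withheld bits.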
References
- Apple Developer Documentation: es_event_open_t https://developer.apple.com/documentation/endpointsecurity/es_event_open_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a File Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x48.html
ES_EVENT_TYPE_AUTH_RENAME: File Rename (AUTH)
Description
Fires before the kernel renames a file or directory. An active ESF client must respond before the kernel proceeds. The payload identifies the source file and the destination, which is either an existing file or a new path in a specified directory.
Fields
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the file or directory being renamed. |
| destination_type | Indicates whether the destination is an existing file (ES_DESTINATION_TYPE_EXISTING_FILE) or a new path (ES_DESTINATION_TYPE_NEW_PATH). |
| destination.existing_file | Pointer to the es_file_t for the existing destination file; valid when destination_type is ES_DESTINATION_TYPE_EXISTING_FILE. |
| destination.new_path.dir | Pointer to the es_file_t for the directory that will contain the renamed file; valid when destination_type is ES_DESTINATION_TYPE_NEW_PATH. |
| destination.new_path.filename | Token holding the new filename within the destination directory. |
Example Event
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_RENAME), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"rename": {
"destination": {
"existing_file": {
"path": "/Users/admin/Library/Application Support/Claude/Cache/Cache_Data/index-dir/the-real-index",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:22:47.008372154Z",
"st_birthtimespec": "2026-06-22T23:22:47.008372154Z",
"st_blksize": 4096,
"st_blocks": 1904,
"st_ctimespec": "2026-06-22T23:22:47.009320104Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968312,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:22:47.008775108Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 973512,
"st_uid": 501
}
}
},
"destination_type": 0,
"source": {
"path": "/Users/admin/Library/Application Support/Claude/Cache/Cache_Data/index-dir/temp-index",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:16.989715491Z",
"st_birthtimespec": "2026-06-22T23:23:16.989715491Z",
"st_blksize": 4096,
"st_blocks": 1904,
"st_ctimespec": "2026-06-22T23:23:16.990115279Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968359,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:16.990115279Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 973512,
"st_uid": 501
}
}
}
},
"event_type": 25,
"global_seq_num": 0,
"mach_time": 8836276986391,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91252,
"pidversion": 295038,
"rgid": 20,
"ruid": 501
},
"cdhash": "8E5D94DEC6DDDB609E2CF3C41FC526AE3674BED9",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Claude.app/Contents/Frameworks/Claude Helper.app/Contents/MacOS/Claude Helper",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:36:23.015229786Z",
"st_birthtimespec": "2026-06-18T13:11:10.000000000Z",
"st_blksize": 4096,
"st_blocks": 920,
"st_ctimespec": "2026-06-19T03:56:11.018160830Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55323983,
"st_mode": 33261,
"st_mtimespec": "2026-06-18T13:11:10.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 468432,
"st_uid": 501
}
},
"group_id": 91247,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 91247,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91247,
"pidversion": 295029,
"rgid": 20,
"ruid": 501
},
"ppid": 91247,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91247,
"pidversion": 295029,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.anthropic.claudefordesktop.helper",
"start_time": "2026-06-22T21:36:20.466127Z",
"team_id": "Q6L2SF6YDW",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3594820
},
"time": "2026-06-22T23:23:16.990656815Z",
"version": 10
}
}
References
- Apple Developer Documentation: es_event_rename_t https://developer.apple.com/documentation/endpointsecurity/es_event_rename_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a File Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x48.html
ES_EVENT_TYPE_NOTIFY_OPEN: File Open (NOTIFY)
Description
Fires after the kernel grants a process access to open a file. The payload carries the target file and the kernel-internal fflag mask recording the access that was permitted.
Fields
| Name | Description |
|---|---|
| fflag | Kernel-internal flag mask (FREAD, FWRITE, etc.) representing the access granted at open time. |
| file | Pointer to the es_file_t describing the file that was opened, including path and stat metadata. |
Example Event
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"flags": 4294967295
},
"result_type": 1
}
},
"action_type": 1,
"event": {
"open": {
"fflag": 17825793,
"file": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 10,
"global_seq_num": 0,
"mach_time": 8835601011736,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3669176
},
"time": "2026-06-22T23:22:48.825298069Z",
"version": 10
}
}
Detection Patterns
Collection: Archive Collected Data (1 rule)
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| file.name | eq | Cookies | 2 rules | elastic |
| file.name | eq | Cookies.binarycookies | 2 rules | elastic |
| file.name | eq | Login Data | 2 rules | elastic |
| file.name | eq | cookies.sqlite | 2 rules | elastic |
| file.name | eq | key?.db | 2 rules | elastic |
| file.name | eq | logins.json | 2 rules | elastic |
| process.code_signature.exists | eq | false | 2 rules | elastic |
| process.code_signature.trusted | eq | false | 2 rules | elastic |
| Image | is_not_null | | 1 rule | elastic, kusto |
| Image | starts_with | /private/tmp/ | 1 rule | elastic, sigma |
| Image | starts_with | /private/var/tmp/ | 1 rule | elastic |
| Image | starts_with | /tmp/ | 1 rule | elastic, sigma |
| Image | starts_with | /users/shared/ | 1 rule | elastic, sigma |
| Image | starts_with | /var/tmp/ | 1 rule | elastic, sigma |
| TargetFilename | wildcard | /library/fonts/* | 1 rule | elastic |
Detection Rules
Elastic (4 rules)
References
- Apple Developer Documentation: es_event_open_t https://developer.apple.com/documentation/endpointsecurity/es_event_open_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a File Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x48.html
ES_EVENT_TYPE_NOTIFY_CLOSE: File Close (NOTIFY)
Description
Fires after a process closes a file descriptor. The payload records whether the file was modified during the descriptor's lifetime and, in message version 6 and later, whether it was ever mapped writable.
Fields
| Name | Description |
|---|---|
| modified | Boolean; true if the file was modified before the descriptor was closed. |
| target | Pointer to the es_file_t for the file whose descriptor was closed. |
| was_mapped_writable | Boolean indicating whether the file was mapped writable at any point during its open lifetime; available in message version 6 and later. |
Example Event
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"close": {
"modified": false,
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
},
"was_mapped_writable": false
}
},
"event_type": 12,
"global_seq_num": 0,
"mach_time": 8835736858163,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3670278
},
"time": "2026-06-22T23:22:54.485515276Z",
"version": 10
}
}
References
- Apple Developer Documentation: es_event_close_t https://developer.apple.com/documentation/endpointsecurity/es_event_close_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- gomac endpointsecurity Go bindings (field reference) https://pkg.go.dev/github.com/gatkinso/gomac/endpointsecurity
ES_EVENT_TYPE_NOTIFY_CREATE: File or Directory Create (NOTIFY)
Description
Fires after a new filesystem object (file, directory, or special file) is created. The payload distinguishes whether the new object replaced an existing file or was written to a fresh path, and carries the creation mode and any ACL.
Fields
| Name | Description |
|---|---|
| destination_type | Indicates whether the new object was created at an existing path (ES_DESTINATION_TYPE_EXISTING_FILE) or at a new path (ES_DESTINATION_TYPE_NEW_PATH). |
| destination.existing_file | Pointer to the es_file_t for the object that was created when overwriting an existing entry. |
| destination.new_path.dir | Pointer to the es_file_t for the directory in which the new object was created. |
| destination.new_path.filename | Token holding the name of the newly created filesystem object. |
| destination.new_path.mode | The file mode (permissions and type bits) of the newly created object; valid only for new_path destinations. |
| acl | Pointer to the ACL applied to the new object at creation time; may be NULL if no ACL was set. |
Example Event
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"create": {
"acl": null,
"destination": {
"existing_file": {
"path": "/private/var/folders/99/hfkwj0616gl7sllsdfzfx6b80000gn/T/TemporaryItems/ContextStoreAgent.plist.9YlpR0s",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:03.781301756Z",
"st_birthtimespec": "2026-06-22T23:23:03.781301756Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:03.781603836Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968341,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:03.781301756Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 0,
"st_uid": 501
}
}
},
"destination_type": 0
}
},
"event_type": 13,
"global_seq_num": 0,
"mach_time": 8835959975544,
"process": {
"audit_token": {
"asid": 100043,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 647,
"pidversion": 1569,
"rgid": 20,
"ruid": 501
},
"cdhash": "9D261051393D3F2144540E4E23E5B84169440DD2",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/cfprefsd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 32,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575955,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 135920,
"st_uid": 0
}
},
"group_id": 647,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100043,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 647,
"pidversion": 1569,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.cfprefsd",
"start_time": "2026-06-17T20:22:04.989806Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3670458
},
"time": "2026-06-22T23:23:03.781989666Z",
"version": 10
}
}
Detection Patterns
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Image | ends_with | /curl | 2 rules | sigma |
| TargetFilename | ends_with | .plist | 2 rules | sigma |
| TargetFilename | ends_with | .pth | 1 rule | sigma |
| TargetFilename | regex_match | (?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/ | 1 rule | sigma |
| TargetFilename | starts_with | /users/ | 1 rule | elastic, sigma |
| file.name | eq | Cookies | 1 rule | elastic |
| file.name | eq | Cookies.binarycookies | 1 rule | elastic |
| file.name | eq | Login Data | 1 rule | elastic |
| file.name | eq | cookies.sqlite | 1 rule | elastic |
| file.name | eq | key?.db | 1 rule | elastic |
| file.name | eq | logins.json | 1 rule | elastic |
| file.name | in | .bash_logout | 1 rule | elastic |
| file.name | in | .bash_profile | 1 rule | elastic |
| file.name | in | .bashrc | 1 rule | elastic |
| file.name | in | .profile | 1 rule | elastic |
Detection Rules
Sigma (5 rules)
Elastic
References
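The Common Indicators tables for NOTIFY_OPEN and NOTIFY_CREATE list predicates in vendor field names (file.name, Image, TargetFilename) that eslogger does not emit directly. As an added example (not code from the page or from any vendor's rule set), the following Python resolves those fields from raw eslogger JSON, including the create/rename destination union selected by destination_type, and re-implements three of the predicate families. The untrusted-signature test is an approximation built from is_platform_binary and team_id, since eslogger has no process.code_signature.trusted field; the sample messages are constructed.

```python
"""Match eslogger open/create messages against the Common Indicators above.

Added example, not code from the page or from any vendor's rule set.
Predicate families re-implemented over raw eslogger JSON:
  * file.name in the browser credential-store set, when the acting process
    is neither a platform binary nor Team-ID signed (an approximation of
    process.code_signature.trusted == false, which eslogger does not emit)
  * Image (process.executable.path) under a world-writable temp directory
  * TargetFilename created under /Users/ that ends in .plist or is named
    like a shell profile
"""
import fnmatch
import posixpath

CREDENTIAL_STORES = ("Cookies", "Cookies.binarycookies", "Login Data",
                     "cookies.sqlite", "key?.db", "logins.json")
TEMP_DIRS = ("/private/tmp/", "/private/var/tmp/", "/tmp/", "/var/tmp/",
             "/users/shared/")
SHELL_PROFILES = (".bash_logout", ".bash_profile", ".bashrc", ".profile")
ES_DESTINATION_TYPE_EXISTING_FILE, ES_DESTINATION_TYPE_NEW_PATH = 0, 1


def target_path(message):
    """Resolve the file a message refers to.

    open carries file.path directly. create and rename carry a destination
    union: destination_type selects the valid member, and for a new path the
    full name is dir.path joined with filename.
    """
    event = message["event"]
    if "open" in event:
        return event["open"]["file"]["path"]
    for kind in ("create", "rename"):
        if kind in event:
            payload = event[kind]
            dest = payload["destination"]
            if payload["destination_type"] == ES_DESTINATION_TYPE_EXISTING_FILE:
                return dest["existing_file"]["path"]
            return posixpath.join(dest["new_path"]["dir"]["path"],
                                  dest["new_path"]["filename"])
    raise ValueError("no open/create/rename payload in message")


def signature_untrusted(process):
    """Approximation: neither an Apple platform binary nor Team-ID signed."""
    return not process["is_platform_binary"] and not process["team_id"]


def match_indicators(message):
    """Return the names of the indicators the message satisfies."""
    hits = []
    path = target_path(message)
    name = posixpath.basename(path)
    process = message["process"]
    image = process["executable"]["path"]
    if (any(fnmatch.fnmatchcase(name, pat) for pat in CREDENTIAL_STORES)
            and signature_untrusted(process)):
        hits.append("credential store accessed by untrusted binary")
    if image.lower().startswith(TEMP_DIRS):
        hits.append("process image in temp directory")
    if "create" in message["event"] and path.lower().startswith("/users/"):
        if name.endswith(".plist"):
            hits.append("plist created under /Users")
        if name in SHELL_PROFILES:
            hits.append("shell profile created under /Users")
    return hits


def _msg(event, exe, team_id=None, platform=False):
    """Build a minimal eslogger-shaped message (constructed test input)."""
    return {"event": event,
            "process": {"executable": {"path": exe}, "team_id": team_id,
                        "is_platform_binary": platform}}


# Constructed samples; the paths and names are placeholders, not captures.
SAMPLE_CRED_OPEN = _msg(
    {"open": {"fflag": 1, "file": {"path": "/Users/admin/Library/Application "
                                           "Support/Google/Chrome/Default/Login Data"}}},
    "/Users/admin/Downloads/collector")
SAMPLE_AGENT_CREATE = _msg(
    {"create": {"destination_type": ES_DESTINATION_TYPE_NEW_PATH,
                "destination": {"new_path": {
                    "dir": {"path": "/Users/admin/Library/LaunchAgents"},
                    "filename": "com.example.agent.plist"}}}},
    "/private/tmp/installer")
# Shaped like the cfprefsd create above: platform binary, temp file, no hit.
SAMPLE_BENIGN_CREATE = _msg(
    {"create": {"destination_type": ES_DESTINATION_TYPE_EXISTING_FILE,
                "destination": {"existing_file": {"path":
                    "/private/var/folders/99/T/TemporaryItems/ContextStoreAgent.plist.9YlpR0s"}}}},
    "/usr/sbin/cfprefsd", platform=True)

if __name__ == "__main__":
    for sample in (SAMPLE_CRED_OPEN, SAMPLE_AGENT_CREATE, SAMPLE_BENIGN_CREATE):
        print(target_path(sample), match_indicators(sample))
```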
- Apple Developer Documentation: es_event_create_t https://developer.apple.com/documentation/endpointsecurity/es_event_create_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a File Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x48.html
ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA: Atomic Data Exchange (NOTIFY)
Description
Fires after two files atomically swap their data forks via the exchangedata(2) syscall. The operation swaps the content of both files in place while preserving each file's metadata, which is what makes it usable for atomic file updates.
Fields
| Name | Description |
|---|---|
| file1 | Pointer to the es_file_t for the first file participating in the data exchange. |
| file2 | Pointer to the es_file_t for the second file participating in the data exchange. |
References
- Apple Developer Documentation: es_event_exchangedata_t https://developer.apple.com/documentation/endpointsecurity/es_event_exchangedata_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_RENAME: File Rename (NOTIFY)
Description #
Fires after a file or directory is renamed. The payload identifies the source file and the destination, which is either an existing file or a new path.
Fields #
| Name | Description |
|---|---|
source | Pointer to the es_file_t for the file or directory that was renamed. |
destination_type | Indicates whether the destination was an existing file or a new path. |
destination.existing_file | Pointer to the es_file_t for the existing destination file when an existing entry was replaced. |
destination.new_path.dir | Pointer to the es_file_t for the directory containing the renamed file when written to a new path. |
destination.new_path.filename | Token holding the new filename. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"rename": {
"destination": {
"existing_file": {
"path": "/Users/admin/Library/Application Support/Claude/Cache/Cache_Data/index-dir/the-real-index",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:22:47.008372154Z",
"st_birthtimespec": "2026-06-22T23:22:47.008372154Z",
"st_blksize": 4096,
"st_blocks": 1904,
"st_ctimespec": "2026-06-22T23:22:47.009320104Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968312,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:22:47.008775108Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 973512,
"st_uid": 501
}
}
},
"destination_type": 0,
"source": {
"path": "/Users/admin/Library/Application Support/Claude/Cache/Cache_Data/index-dir/temp-index",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:16.989715491Z",
"st_birthtimespec": "2026-06-22T23:23:16.989715491Z",
"st_blksize": 4096,
"st_blocks": 1904,
"st_ctimespec": "2026-06-22T23:23:16.990115279Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968359,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:16.990115279Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 973512,
"st_uid": 501
}
}
}
},
"event_type": 25,
"global_seq_num": 0,
"mach_time": 8836276986391,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91252,
"pidversion": 295038,
"rgid": 20,
"ruid": 501
},
"cdhash": "8E5D94DEC6DDDB609E2CF3C41FC526AE3674BED9",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Claude.app/Contents/Frameworks/Claude Helper.app/Contents/MacOS/Claude Helper",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:36:23.015229786Z",
"st_birthtimespec": "2026-06-18T13:11:10.000000000Z",
"st_blksize": 4096,
"st_blocks": 920,
"st_ctimespec": "2026-06-19T03:56:11.018160830Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55323983,
"st_mode": 33261,
"st_mtimespec": "2026-06-18T13:11:10.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 468432,
"st_uid": 501
}
},
"group_id": 91247,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 91247,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91247,
"pidversion": 295029,
"rgid": 20,
"ruid": 501
},
"ppid": 91247,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 91247,
"pidversion": 295029,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.anthropic.claudefordesktop.helper",
"start_time": "2026-06-22T21:36:20.466127Z",
"team_id": "Q6L2SF6YDW",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3594820
},
"time": "2026-06-22T23:23:16.990656815Z",
"version": 10
}
}
Detection Patterns #
Stealth: Match Legitimate Resource Name or Location
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
http.request.method | in | GET | 1 rule | elastic |
http.request.method | in | POST | 1 rule | elastic |
http.request.method | in | PUT | 1 rule | elastic |
http.response.status_code | in | 303 | 1 rule | elastic |
References #
- Apple Developer Documentation: es_event_rename_t https://developer.apple.com/documentation/endpointsecurity/es_event_rename_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_WRITE: File Write (NOTIFY)
Description #
Fires after a process writes data to a file. The payload identifies the target file. This event fires for each write operation and can be high-volume on active systems.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the file that was written to. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"write": {
"target": {
"path": "/dev/ttys000",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:10.313599000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:49.718344000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 745,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:23:49.718344000Z",
"st_nlink": 1,
"st_rdev": 268435456,
"st_size": 0,
"st_uid": 501
}
}
}
},
"event_type": 33,
"global_seq_num": 0,
"mach_time": 8837062456411,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 90398,
"pidversion": 292873,
"rgid": 20,
"ruid": 501
},
"cdhash": "CFC3F12808D14BD762D1B058535ECEB28113256E",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/ssh",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1520,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572846,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1555472,
"st_uid": 0
}
},
"group_id": 90398,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 38472,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 38472,
"pidversion": 136758,
"rgid": 20,
"ruid": 501
},
"ppid": 38472,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 965,
"pidversion": 2477,
"rgid": 20,
"ruid": 501
},
"session_id": 38471,
"signing_id": "com.apple.ssh",
"start_time": "2026-06-22T19:33:39.096397Z",
"team_id": null,
"tty": {
"path": "/dev/ttys000",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:10.313599000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:49.718344000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 745,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:23:49.718344000Z",
"st_nlink": 1,
"st_rdev": 268435456,
"st_size": 0,
"st_uid": 501
}
}
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3501634
},
"time": "2026-06-22T23:23:49.718281587Z",
"version": 10
}
}
Detection Patterns #
1 rule
Collection: Archive Collected Data
1 rule
Stealth: Match Legitimate Resource Name or Location
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetFilename | starts_with | /tmp/ | 1 rule | elastic, sigma |
TargetFilename | starts_with | /var/tmp/ | 1 rule | elastic, sigma |
TargetFilename | wildcard | /library/fonts/* | 2 rules | elastic |
TargetFilename | wildcard | /library/graphics/* | 2 rules | elastic |
TargetFilename | wildcard | /library/webserver/* | 2 rules | elastic |
TargetFilename | wildcard | /private/tmp/* | 2 rules | elastic |
TargetFilename | wildcard | /private/var/root/library/httpstorages/* | 2 rules | elastic |
TargetFilename | wildcard | /tmp/* | 2 rules | elastic |
TargetFilename | wildcard | /users/shared/* | 2 rules | elastic |
TargetFilename | wildcard | /var/tmp/* | 1 rule | elastic |
process.code_signature.exists | eq | false | 2 rules | elastic |
process.code_signature.trusted | eq | false | 2 rules | elastic |
process_name | in | cursor | 2 rules | elastic |
process_name | wildcard | osascript | 2 rules | elastic |
process_name | wildcard | python* | 2 rules | elastic |
Detection Rules #
Elastic #
14 rules reference this event.
References #
- Apple Developer Documentation: es_event_write_t https://developer.apple.com/documentation/endpointsecurity/es_event_write_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a File Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x48.html
ES_EVENT_TYPE_AUTH_TRUNCATE: File Truncate (AUTH)
Description #
Fires before the kernel truncates a file, either via truncate(2) or by opening with O_TRUNC. An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the file being truncated. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_TRUNCATE), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"truncate": {
"target": {
"path": "/Users/admin/Library/Daemon Containers/A592654B-A0DB-4552-AB8F-D7244CC4BAD0/Data/Library/Saved Application State/768A2C1A-FB64-4686-842F-78D56F1E46FD.savedState/window_29.data",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:22:01.920462302Z",
"st_birthtimespec": "2026-06-22T21:22:01.920462302Z",
"st_blksize": 4096,
"st_blocks": 184,
"st_ctimespec": "2026-06-22T23:23:42.931626413Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55774432,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:42.931626413Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 92016,
"st_uid": 501
}
}
}
},
"event_type": 41,
"global_seq_num": 0,
"mach_time": 8836899579278,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"cdhash": "3D4B6EE2243C0E090963BA895DEC6AF72F52A19D",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/talagentd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 384,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312106201,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 508688,
"st_uid": 0
}
},
"group_id": 677,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.talagent",
"start_time": "2026-06-17T20:22:05.997116Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3670994
},
"time": "2026-06-22T23:23:42.931795079Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_truncate_t https://developer.apple.com/documentation/endpointsecurity/es_event_truncate_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_TRUNCATE: File Truncate (NOTIFY)
Description #
Fires after a file is truncated. The payload identifies the file that was truncated.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the file that was truncated. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"truncate": {
"target": {
"path": "/Users/admin/Library/Daemon Containers/A592654B-A0DB-4552-AB8F-D7244CC4BAD0/Data/Library/Saved Application State/768A2C1A-FB64-4686-842F-78D56F1E46FD.savedState/window_29.data",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:22:01.920462302Z",
"st_birthtimespec": "2026-06-22T21:22:01.920462302Z",
"st_blksize": 4096,
"st_blocks": 184,
"st_ctimespec": "2026-06-22T23:23:42.931626413Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55774432,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:42.931626413Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 92016,
"st_uid": 501
}
}
}
},
"event_type": 41,
"global_seq_num": 0,
"mach_time": 8836899579278,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"cdhash": "3D4B6EE2243C0E090963BA895DEC6AF72F52A19D",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/talagentd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 384,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312106201,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 508688,
"st_uid": 0
}
},
"group_id": 677,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.talagent",
"start_time": "2026-06-17T20:22:05.997116Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3670994
},
"time": "2026-06-22T23:23:42.931795079Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_truncate_t https://developer.apple.com/documentation/endpointsecurity/es_event_truncate_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_LOOKUP: Path Lookup (NOTIFY)
Description #
Fires after a path component is looked up by the kernel VFS layer. This is a very high-volume event that fires for virtually every filesystem name resolution; most deployments filter heavily by process or path prefix.
Fields #
| Name | Description |
|---|---|
source_dir | Pointer to the es_file_t for the directory in which the lookup is performed. |
relative_target | Token holding the path component being looked up relative to source_dir. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"lookup": {
"relative_target": "usr/bin/eslogger",
"source_dir": {
"path": "/",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 1048576,
"st_gen": 0,
"st_gid": 0,
"st_ino": 2,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 22,
"st_rdev": 0,
"st_size": 704,
"st_uid": 0
}
}
}
},
"event_type": 43,
"global_seq_num": 0,
"mach_time": 8837909197546,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671143
},
"time": "2026-06-22T23:24:24.998846607Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_lookup_t https://developer.apple.com/documentation/endpointsecurity/es_event_lookup_t
- Apple Developer Documentation: es_event_lookup_t.relative_target https://developer.apple.com/documentation/endpointsecurity/es_event_lookup_t/relative_target
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_CREATE: File or Directory Create (AUTH)
Description #
Fires before the kernel creates a new filesystem object. An active ESF client must respond before the kernel proceeds. The payload describes the intended destination, mode, and any ACL for the new object.
Fields #
| Name | Description |
|---|---|
destination_type | Indicates whether the destination is an existing file that will be overwritten or a new path. |
destination.existing_file | Pointer to the es_file_t for the existing file at the target path when overwriting. |
destination.new_path.dir | Pointer to the es_file_t for the directory in which the new object will be created. |
destination.new_path.filename | Token holding the name of the file or directory to be created. |
destination.new_path.mode | The intended mode (permissions and type bits) of the new filesystem object. |
acl | Pointer to the ACL to be applied to the new object; may be NULL. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_CREATE), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"create": {
"acl": null,
"destination": {
"existing_file": {
"path": "/private/var/folders/99/hfkwj0616gl7sllsdfzfx6b80000gn/T/TemporaryItems/ContextStoreAgent.plist.9YlpR0s",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:03.781301756Z",
"st_birthtimespec": "2026-06-22T23:23:03.781301756Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:03.781603836Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968341,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:03.781301756Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 0,
"st_uid": 501
}
}
},
"destination_type": 0
}
},
"event_type": 13,
"global_seq_num": 0,
"mach_time": 8835959975544,
"process": {
"audit_token": {
"asid": 100043,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 647,
"pidversion": 1569,
"rgid": 20,
"ruid": 501
},
"cdhash": "9D261051393D3F2144540E4E23E5B84169440DD2",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/cfprefsd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 32,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575955,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 135920,
"st_uid": 0
}
},
"group_id": 647,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100043,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 647,
"pidversion": 1569,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.cfprefsd",
"start_time": "2026-06-17T20:22:04.989806Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3670458
},
"time": "2026-06-22T23:23:03.781989666Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_create_t https://developer.apple.com/documentation/endpointsecurity/es_event_create_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_ACCESS: Access Permission Check (NOTIFY)
Description #
Fires after a process checks file accessibility via access(2) or faccessat(2). The payload records the access mode being tested and the target file.
Fields #
| Name | Description |
|---|---|
mode | The access permission mode being tested (F_OK, R_OK, W_OK, X_OK or a combination). |
target | Pointer to the es_file_t for the file whose accessibility was checked. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"flags": 2147483647
},
"result_type": 1
}
},
"action_type": 1,
"event": {
"access": {
"mode": 4,
"target": {
"path": "/Users/admin/Library/Application Support/Firefox/Profiles/vey0ajp8.default-release/datareporting/glean/db",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:44:25.016398999Z",
"st_birthtimespec": "2024-06-05T22:26:54.432534337Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:24:13.874090112Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 275197,
"st_mode": 16877,
"st_mtimespec": "2026-06-22T23:24:13.874090112Z",
"st_nlink": 3,
"st_rdev": 0,
"st_size": 96,
"st_uid": 501
}
}
}
},
"event_type": 55,
"global_seq_num": 0,
"mach_time": 8837651690873,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 20,
"euid": 501,
"pid": 382,
"pidversion": 989,
"rgid": 20,
"ruid": 501
},
"cdhash": "5847BA08A75BDA208810BDBD55C5E5F04D7CB031",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 312,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312153078,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 398608,
"st_uid": 0
}
},
"group_id": 382,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 382,
"pidversion": 989,
"rgid": 0,
"ruid": 0
},
"session_id": 382,
"signing_id": "com.apple.fseventsd",
"start_time": "2026-06-17T20:22:01.678559Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3587485
},
"time": "2026-06-22T23:24:14.269497783Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_access_t https://developer.apple.com/documentation/endpointsecurity/es_event_access_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
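The rename, create, write, truncate, lookup and access sections above each show the same eslogger message shape with a different event payload; a consumer that flattens them into one form, and then applies a check like the path-prefix indicators in the write-event table, looks like the following. This is an added example, not the page's code or Apple's: the sample records are constructed, trimmed copies of the page's captured events (stat blocks and audit tokens dropped), the last record and the path /Users/admin/Downloads/python3 are invented to trigger the check, and the payload key names assumed for exchangedata and clone are not shown on the page.

```python
"""Flatten eslogger records of the shape shown on this page into one form and
apply a path-prefix indicator drawn from the page's write-event table."""
import json
from typing import List, Optional

# es_destination_type_t values used by the rename and create payloads.
DEST_EXISTING_FILE, DEST_NEW_PATH = 0, 1
# access(2) mode bits carried in es_event_access_t.mode (F_OK is 0).
ACCESS_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}
# Lower-cased prefixes from the write-event indicator table; both spellings of
# /tmp are listed because macOS resolves /tmp to /private/tmp.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                    "/private/var/tmp/", "/users/shared/")


def _join(directory: str, name: str) -> str:
    return directory.rstrip("/") + "/" + name


def _destination_path(dest_type: int, dest: dict) -> Optional[str]:
    """Resolve the destination union shared by the rename and create events."""
    if dest_type == DEST_EXISTING_FILE:
        return dest["existing_file"]["path"]
    if dest_type == DEST_NEW_PATH:
        return _join(dest["new_path"]["dir"]["path"], dest["new_path"]["filename"])
    return None  # unknown destination_type: leave unresolved rather than guess


def normalise(record: dict) -> dict:
    """Return the event family, every path the payload names, and process facts."""
    msg = record["message"]
    name, payload = next(iter(msg["event"].items()))  # one payload key per message
    proc = msg["process"]
    out = {"event": name, "executable": proc["executable"]["path"],
           "signing_id": proc.get("signing_id"),
           "platform_binary": bool(proc.get("is_platform_binary"))}
    paths: List[Optional[str]] = []
    if name in ("rename", "create"):
        if name == "rename":
            paths.append(payload["source"]["path"])
        paths.append(_destination_path(payload["destination_type"], payload["destination"]))
    elif name in ("write", "truncate", "dup", "fcntl", "access"):
        paths.append(payload["target"]["path"])
        if name == "access":
            out["mode"] = [n for b, n in ACCESS_BITS.items() if payload["mode"] & b] or ["F_OK"]
    elif name == "lookup":  # relative_target is relative to source_dir
        paths.append(_join(payload["source_dir"]["path"], payload["relative_target"]))
    elif name == "exchangedata":  # key name assumed, not shown on the page
        paths += [payload["file1"]["path"], payload["file2"]["path"]]
    elif name == "clone":  # key name assumed, not shown on the page
        paths += [payload["source"]["path"],
                  _join(payload["target_dir"]["path"], payload["target_name"])]
    out["paths"] = paths
    return out


def normalise_line(line: str) -> dict:
    return normalise(json.loads(line))


def staged_by_non_platform_binary(ev: dict) -> bool:
    """Indicator from the page: a file written, created, renamed or truncated under
    a staging directory by a process that is not an Apple platform binary."""
    if ev["event"] not in ("write", "create", "rename", "truncate") or ev["platform_binary"]:
        return False
    return any(p.lower().startswith(STAGING_PREFIXES) for p in ev["paths"] if p)


def flagged_events(lines: List[str]) -> List[dict]:
    """Normalise each JSON line and keep those that match the indicator."""
    return [ev for ev in map(normalise_line, lines) if staged_by_non_platform_binary(ev)]


def _rec(name: str, payload: dict, exe: str, signing_id, platform: bool) -> str:
    """Build one constructed eslogger-shaped JSON line."""
    return json.dumps({"message": {"event": {name: payload}, "process": {
        "executable": {"path": exe}, "signing_id": signing_id,
        "is_platform_binary": platform}}})


CLAUDE_CACHE = "/Users/admin/Library/Application Support/Claude/Cache/Cache_Data/index-dir"
SAMPLE_LINES = [  # constructed from the page's captured events, except the last
    _rec("rename", {"source": {"path": CLAUDE_CACHE + "/temp-index"},
                    "destination_type": DEST_EXISTING_FILE,
                    "destination": {"existing_file": {"path": CLAUDE_CACHE + "/the-real-index"}}},
         "/Applications/Claude.app/Contents/Frameworks/Claude Helper.app/Contents/MacOS/Claude Helper",
         "com.anthropic.claudefordesktop.helper", False),
    _rec("write", {"target": {"path": "/dev/ttys000"}}, "/usr/bin/ssh", "com.apple.ssh", True),
    _rec("access", {"mode": 4, "target": {"path": "/Users/admin/Library/Application Support/"
                    "Firefox/Profiles/vey0ajp8.default-release/datareporting/glean/db"}},
         "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/"
         "FSEvents.framework/Versions/A/Support/fseventsd", "com.apple.fseventsd", True),
    _rec("lookup", {"source_dir": {"path": "/"}, "relative_target": "usr/bin/eslogger"},
         "/usr/libexec/endpointsecurityd", "com.apple.endpointsecurityd", True),
    # Invented record: an unsigned interpreter copy writing under /private/tmp.
    _rec("write", {"target": {"path": "/private/tmp/staged.plist"}},
         "/Users/admin/Downloads/python3", None, False),
]

if __name__ == "__main__":
    for ev in flagged_events(SAMPLE_LINES):
        print(ev["event"], ev["executable"], ev["paths"])
```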
ES_EVENT_TYPE_AUTH_CLONE: File Clone (AUTH)
Description #
Fires before the kernel creates a copy-on-write clone of a file via clonefile(2). An active ESF client must respond before the kernel proceeds. The payload identifies the source file, the destination directory, and the new filename.
Fields #
| Name | Description |
|---|---|
source | Pointer to the es_file_t for the file that will be cloned. |
target_dir | Pointer to the es_file_t for the directory into which the cloned file will be created. |
target_name | Token holding the filename for the new cloned file. |
References #
- Apple Developer Documentation: es_event_clone_t https://developer.apple.com/documentation/endpointsecurity/es_event_clone_t
- Apple Developer Documentation: es_event_clone_t.target_dir https://developer.apple.com/documentation/endpointsecurity/es_event_clone_t/3395656-target_dir
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_CLONE: File Clone (NOTIFY)
Description #
Fires after a copy-on-write clone of a file is created via clonefile(2). The payload identifies the source file, the destination directory, and the new filename.
Fields #
| Name | Description |
|---|---|
source | Pointer to the es_file_t for the file that was cloned. |
target_dir | Pointer to the es_file_t for the directory containing the new clone. |
target_name | Token holding the filename of the new cloned file. |
References #
- Apple Developer Documentation: es_event_clone_t https://developer.apple.com/documentation/endpointsecurity/es_event_clone_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_FCNTL: File Control Operation (NOTIFY)
Description #
Fires after a process performs a file control operation via fcntl(2). This event is particularly useful for detecting dynamic access-flag changes, such as a process upgrading a file descriptor to writable.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the file on which the file control command was performed. |
cmd | The command argument passed to fcntl(2) (e.g. F_GETFL, F_SETFL, F_NOCACHE). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"fcntl": {
"cmd": 50,
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 62,
"global_seq_num": 0,
"mach_time": 8837468384228,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671143
},
"time": "2026-06-22T23:24:06.631789348Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_fcntl_t https://developer.apple.com/documentation/endpointsecurity/es_event_fcntl_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_DUP: File Descriptor Duplicate (NOTIFY)
Description #
Fires after a process duplicates a file descriptor via dup(2) or dup2(2). The payload describes the file the duplicated descriptor refers to.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the file that the duplicated file descriptor points to. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"dup": {
"target": {
"path": "/Users/admin/Library/Application Support/Firefox/Profiles/vey0ajp8.default-release/extensions/uBlock0@raymondhill.net.xpi",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:22:27.990573049Z",
"st_birthtimespec": "2026-05-26T19:54:33.340689306Z",
"st_blksize": 4096,
"st_blocks": 8800,
"st_ctimespec": "2026-05-31T11:26:06.809121271Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 52208712,
"st_mode": 33188,
"st_mtimespec": "2026-05-31T11:26:06.809000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 4504632,
"st_uid": 501
}
}
}
},
"event_type": 73,
"global_seq_num": 0,
"mach_time": 8837349337902,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"cdhash": "DE8C0F5D3FBEFC963A08A83131B85E2DCBF1F221",
"codesigning_flags": 570512129,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Firefox.app/Contents/MacOS/firefox",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:09:47.904194145Z",
"st_birthtimespec": "2026-06-18T18:48:50.747285257Z",
"st_blksize": 4096,
"st_blocks": 344,
"st_ctimespec": "2026-06-21T18:31:01.870315311Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 80,
"st_ino": 55224420,
"st_mode": 33277,
"st_mtimespec": "2026-06-18T18:48:50.750202023Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 174432,
"st_uid": 501
}
},
"group_id": 83147,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "org.mozilla.firefox",
"start_time": "2026-06-21T18:31:02.071749Z",
"team_id": "43AQ936H96",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671548
},
"time": "2026-06-22T23:24:01.671570131Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_dup_t https://developer.apple.com/documentation/endpointsecurity/es_event_dup_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_EXCHANGEDATA: Atomic Data Exchange (AUTH)
#Description
Fires before the kernel allows two files to atomically swap their contents via exchangedata(2). An active ESF client must respond before the kernel proceeds. exchangedata(2) is an HFS+ era call that APFS does not implement (it fails on APFS volumes), so on current systems this event is rare; the supported way to swap two files is renamex_np(2) with RENAME_SWAP.
Fields #
| Name | Description |
|---|---|
| file1 | Pointer to the es_file_t for the first file participating in the exchange. |
| file2 | Pointer to the es_file_t for the second file participating in the exchange. |
References #
- Apple Developer Documentation: es_event_exchangedata_t https://developer.apple.com/documentation/endpointsecurity/es_event_exchangedata_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SEARCHFS: Filesystem Search (AUTH)
#Description
Fires before the kernel allows a process to search a volume for files matching attribute criteria via searchfs(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure specifying which attributes will be used as search criteria. |
| target | Pointer to the es_file_t for the volume whose contents will be searched. |
References #
- Apple Developer Documentation: es_event_searchfs_t https://developer.apple.com/documentation/endpointsecurity/es_event_searchfs_t
- Apple Developer Documentation: es_event_searchfs_t.attrlist https://developer.apple.com/documentation/endpointsecurity/es_event_searchfs_t/3567243-attrlist
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SEARCHFS: Filesystem Search (NOTIFY)
#Description
Fires after a process searches a volume via searchfs(2). The payload identifies the attribute criteria and the volume that was searched.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure specifying which attributes were used as search criteria. |
| target | Pointer to the es_file_t for the volume that was searched. |
References #
- Apple Developer Documentation: es_event_searchfs_t https://developer.apple.com/documentation/endpointsecurity/es_event_searchfs_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_FCNTL: File Control Operation (AUTH)
#Description
Fires before the kernel processes a file control command via fcntl(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file on which the file control command will be performed. |
| cmd | The command argument passed to fcntl(2). |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_FCNTL), which carries the same event struct. In this capture cmd 50 is F_GETPATH, which resolves an open descriptor back to its path; that is why the target is the directory /usr/bin rather than a regular file.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"fcntl": {
"cmd": 50,
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 62,
"global_seq_num": 0,
"mach_time": 8837468384228,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671143
},
"time": "2026-06-22T23:24:06.631789348Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_fcntl_t https://developer.apple.com/documentation/endpointsecurity/es_event_fcntl_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_COPYFILE: Copy File (AUTH)
#Description
Fires before the kernel performs a copy through the copyfile system call. This is the kernel-level syscall, not the copyfile(3) library function: copyfile(3) is implemented in user space on top of ordinary file operations (and clonefile(2) when cloning), so copies made through it surface as those events rather than as this one. An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the file being copied. |
| target_file | Pointer to the es_file_t for the existing file at the target path that will be overwritten; NULL if no file exists at the target path. |
| target_dir | Pointer to the es_file_t for the directory into which the copy will be written. |
| target_name | Token holding the filename for the new copy. |
| mode | The mode argument passed to the copyfile system call. |
| flags | The flags argument passed to the copyfile system call. |
References #
- Apple Developer Documentation: es_event_copyfile_t https://developer.apple.com/documentation/endpointsecurity/es_event_copyfile_t
- Apple Developer Documentation: es_event_copyfile_t initializer https://developer.apple.com/documentation/endpointsecurity/es_event_copyfile_t/init(source:target_file:target_dir:target_name:mode:flags:reserved:)
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_COPYFILE: Copy File (NOTIFY)
#Description
Fires after a file is copied through the kernel's copyfile system call, as distinct from the copyfile(3) library function, which is built on ordinary file operations and surfaces as those events. The payload identifies the source file, the destination directory and filename, any overwritten target, and the mode and flags passed to the syscall.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the file that was copied. |
| target_file | Pointer to the es_file_t for the pre-existing file that was overwritten at the target path; NULL if none existed. |
| target_dir | Pointer to the es_file_t for the directory in which the copy was created. |
| target_name | Token holding the filename of the new copy. |
| mode | The mode argument passed to the copyfile system call. |
| flags | The flags argument passed to the copyfile system call. |
References #
- Apple Developer Documentation: es_event_copyfile_t https://developer.apple.com/documentation/endpointsecurity/es_event_copyfile_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETATTRLIST: Set Attribute List (NOTIFY)
#Description
Fires after a process modifies a file's attributes via setattrlist(2). The payload names the attribute groups that were written and the target file. Unlike utimes(2), setattrlist(2) can rewrite the birth time (ATTR_CMN_CRTIME), so a timestamp-manipulation detector that watches only the utimes events misses this path.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure describing which attribute groups were set (e.g. ATTR_CMN_*, ATTR_FILE_*). |
| target | Pointer to the es_file_t for the file whose attributes were modified. |
References #
- Apple Developer Documentation: es_event_setattrlist_t https://developer.apple.com/documentation/endpointsecurity/es_event_setattrlist_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETEXTATTR: Set Extended Attribute (NOTIFY)
#Description
Fires after a process writes an extended attribute to a file via setxattr(2). The payload identifies the target file and the name of the attribute that was set.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file on which the extended attribute was set. |
| extattr | Token holding the name of the extended attribute that was written. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"setextattr": {
"extattr": "NSImageMetadata",
"target": {
"path": "/Users/admin/Library/Daemon Containers/A592654B-A0DB-4552-AB8F-D7244CC4BAD0/Data/Library/Saved Application State/768A2C1A-FB64-4686-842F-78D56F1E46FD.savedState/window_29.data",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:22:01.920462302Z",
"st_birthtimespec": "2026-06-22T21:22:01.920462302Z",
"st_blksize": 4096,
"st_blocks": 480,
"st_ctimespec": "2026-06-22T23:25:09.015631070Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55774432,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:25:09.015631070Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 242848,
"st_uid": 501
}
}
}
},
"event_type": 27,
"global_seq_num": 0,
"mach_time": 8838965614041,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"cdhash": "3D4B6EE2243C0E090963BA895DEC6AF72F52A19D",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/talagentd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 384,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312106201,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 508688,
"st_uid": 0
}
},
"group_id": 677,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.talagent",
"start_time": "2026-06-17T20:22:05.997116Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671934
},
"time": "2026-06-22T23:25:09.015806902Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_setextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_setextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETFLAGS: Set File Flags (NOTIFY)
#Description
Fires after a process modifies the BSD flags of a file via chflags(2). The payload carries the new flag value and the target file; the st_flags in the target's stat block gives the value to compare it against.
Fields #
| Name | Description |
|---|---|
| flags | The new BSD flag value applied to the file (e.g. UF_IMMUTABLE, UF_HIDDEN, SF_ARCHIVED). |
| target | Pointer to the es_file_t for the file whose flags were changed. |
References #
- Apple Developer Documentation: es_event_setflags_t https://developer.apple.com/documentation/endpointsecurity/es_event_setflags_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETMODE: Set File Mode (NOTIFY)
#Description
Fires after a process changes the permission mode of a file via chmod(2). The payload records the new mode and the target file.
Fields #
| Name | Description |
|---|---|
| mode | The new permission mode (POSIX mode_t) applied to the file. |
| target | Pointer to the es_file_t for the file whose mode was changed. |
References #
- Apple Developer Documentation: es_event_setmode_t https://developer.apple.com/documentation/endpointsecurity/es_event_setmode_t
- Apple Developer Documentation: es_events_t.setmode https://developer.apple.com/documentation/endpointsecurity/es_events_t/setmode
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETOWNER: Set File Owner (NOTIFY)
#Description
Fires after a process changes the ownership of a file via chown(2). The payload records the new UID, new GID, and the target file.
Fields #
| Name | Description |
|---|---|
| uid | The new owner user ID applied to the file. |
| gid | The new owner group ID applied to the file. |
| target | Pointer to the es_file_t for the file whose ownership was changed. |
References #
- Apple Developer Documentation: es_event_setowner_t https://developer.apple.com/documentation/endpointsecurity/es_event_setowner_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETATTRLIST: Set Attribute List (AUTH)
#Description
Fires before the kernel allows a process to write filesystem attributes via setattrlist(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure describing which attribute groups will be set. |
| target | Pointer to the es_file_t for the file whose attributes will be modified. |
References #
- Apple Developer Documentation: es_event_setattrlist_t https://developer.apple.com/documentation/endpointsecurity/es_event_setattrlist_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETEXTATTR: Set Extended Attribute (AUTH)
#Description
Fires before the kernel allows a process to write an extended attribute via setxattr(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file on which the extended attribute will be set. |
| extattr | Token holding the name of the extended attribute to be written. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_SETEXTATTR), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"setextattr": {
"extattr": "NSImageMetadata",
"target": {
"path": "/Users/admin/Library/Daemon Containers/A592654B-A0DB-4552-AB8F-D7244CC4BAD0/Data/Library/Saved Application State/768A2C1A-FB64-4686-842F-78D56F1E46FD.savedState/window_29.data",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T21:22:01.920462302Z",
"st_birthtimespec": "2026-06-22T21:22:01.920462302Z",
"st_blksize": 4096,
"st_blocks": 480,
"st_ctimespec": "2026-06-22T23:25:09.015631070Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55774432,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:25:09.015631070Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 242848,
"st_uid": 501
}
}
}
},
"event_type": 27,
"global_seq_num": 0,
"mach_time": 8838965614041,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"cdhash": "3D4B6EE2243C0E090963BA895DEC6AF72F52A19D",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/talagentd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 384,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312106201,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 508688,
"st_uid": 0
}
},
"group_id": 677,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 677,
"pidversion": 1653,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.talagent",
"start_time": "2026-06-17T20:22:05.997116Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671934
},
"time": "2026-06-22T23:25:09.015806902Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_setextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_setextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETFLAGS: Set File Flags (AUTH)
#Description
Fires before the kernel allows a process to change the BSD flags of a file via chflags(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| flags | The new BSD flag value intended for the file (e.g. UF_IMMUTABLE, UF_HIDDEN). |
| target | Pointer to the es_file_t for the file whose flags will be changed. |
References #
- Apple Developer Documentation: es_event_setflags_t https://developer.apple.com/documentation/endpointsecurity/es_event_setflags_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETMODE: Set File Mode (AUTH)
#Description
Fires before the kernel allows a process to change file permissions via chmod(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| mode | The new POSIX mode_t value intended for the file. |
| target | Pointer to the es_file_t for the file whose mode will be changed. |
References #
- Apple Developer Documentation: es_event_setmode_t https://developer.apple.com/documentation/endpointsecurity/es_event_setmode_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETOWNER: Set File Owner (AUTH)
#Description
Fires before the kernel allows a process to change file ownership via chown(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| uid | The new owner user ID intended for the file. |
| gid | The new owner group ID intended for the file. |
| target | Pointer to the es_file_t for the file whose ownership will be changed. |
References #
- Apple Developer Documentation: es_event_setowner_t https://developer.apple.com/documentation/endpointsecurity/es_event_setowner_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
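The checks a detection engineer would put behind the setflags, setmode and setowner events (both their NOTIFY and AUTH forms), as an added Python example that is not code from this page or from Apple. It decodes the chflags(2) bit values and mode bits the payloads carry, compares them with the stat snapshot in the target es_file_t, and reports concealment (UF_HIDDEN, immutable or append-only flags set by a non-platform binary), attempts to clear SF_RESTRICTED, setuid added to a root-owned file, and a setuid file being handed to root. The record shape follows the eslogger JSON shown on this page; the sample messages are constructed, /tmp/stager and com.example.agent.plist are placeholders, and the code assumes the target's stat reflects the file as it was when the message was generated.

```python
"""Policy checks over eslogger setflags / setmode / setowner messages (stdlib only).
Added example; the field shapes follow the eslogger JSON shown on this page."""
import stat

# BSD file flags from <sys/stat.h>, the bit values chflags(2) takes.
BSD_FLAGS = {
    0x00000001: "UF_NODUMP",     0x00000002: "UF_IMMUTABLE",
    0x00000004: "UF_APPEND",     0x00000008: "UF_OPAQUE",
    0x00000020: "UF_COMPRESSED", 0x00000040: "UF_TRACKED",
    0x00000080: "UF_DATAVAULT",  0x00008000: "UF_HIDDEN",
    0x00010000: "SF_ARCHIVED",   0x00020000: "SF_IMMUTABLE",
    0x00040000: "SF_APPEND",     0x00080000: "SF_RESTRICTED",
    0x00100000: "SF_NOUNLINK",   0x00800000: "SF_FIRMLINK",
    0x40000000: "SF_DATALESS",
}
# Flags that hide a file from the user or lock it against removal/modification.
CONCEAL_OR_LOCK = {"UF_HIDDEN", "UF_IMMUTABLE", "SF_IMMUTABLE", "UF_APPEND", "SF_APPEND"}


def decode_flags(bits: int) -> list:
    """Name each set bit of a chflags word or st_flags value; unknown bits stay as hex."""
    return [BSD_FLAGS.get(1 << i, f"0x{1 << i:08x}") for i in range(32) if bits & (1 << i)]


def flag_delta(current: int, requested: int) -> tuple:
    """(added, removed) flag names, comparing the request with the file's st_flags."""
    return decode_flags(requested & ~current), decode_flags(current & ~requested)


def describe_mode(st_mode: int) -> str:
    """ls-style rendering of a full st_mode, e.g. 33261 -> '-rwxr-xr-x'."""
    return stat.filemode(st_mode)


def check_metadata_change(record: dict) -> list:
    """Findings for one message; accepts the {"message": ...} wrapper or a bare message."""
    msg = record.get("message", record)
    ev, proc = msg["event"], msg["process"]
    who = f'{proc["executable"]["path"]} (pid {proc["audit_token"]["pid"]})'
    apple = bool(proc.get("is_platform_binary"))
    findings = []
    if "setflags" in ev:
        e = ev["setflags"]
        path, st = e["target"]["path"], e["target"]["stat"]
        added, removed = flag_delta(st["st_flags"], e["flags"])
        hits = sorted(CONCEAL_OR_LOCK & set(added))
        if hits and not apple:
            findings.append(f'{who} sets {", ".join(hits)} on {path}')
        if "SF_RESTRICTED" in removed:
            findings.append(f'{who} clears SF_RESTRICTED on {path}')
    elif "setmode" in ev:
        e = ev["setmode"]
        path, st = e["target"]["path"], e["target"]["stat"]
        # chmod's mode carries permission bits only; keep the file type for display
        old, new = st["st_mode"], stat.S_IFMT(st["st_mode"]) | e["mode"]
        change = f"{describe_mode(old)} -> {describe_mode(new)}"
        if new & stat.S_ISUID and not old & stat.S_ISUID and st["st_uid"] == 0:
            findings.append(f"{who} adds setuid to root-owned {path} ({change})")
        if new & stat.S_IWOTH and not old & stat.S_IWOTH and not stat.S_ISDIR(old):
            findings.append(f"{who} makes {path} world-writable ({change})")
    elif "setowner" in ev:
        e = ev["setowner"]
        path, st = e["target"]["path"], e["target"]["stat"]
        if e["uid"] == 0 and st["st_mode"] & stat.S_ISUID and st["st_uid"] != 0:
            findings.append(f"{who} hands setuid file {path} to root")
    return findings


def _sample(event: dict, exe: str = "/tmp/stager", platform: bool = False) -> dict:
    """Constructed message in eslogger's shape; not captured from a real host."""
    return {"message": {"event": event, "process": {
        "executable": {"path": exe}, "audit_token": {"pid": 9120},
        "is_platform_binary": platform}}}


PLIST = "/Users/admin/Library/LaunchAgents/com.example.agent.plist"
SAMPLE_SETFLAGS = _sample({"setflags": {"flags": 0x8002,   # UF_HIDDEN | UF_IMMUTABLE
    "target": {"path": PLIST, "stat": {"st_flags": 0, "st_mode": 0o100644, "st_uid": 501}}}})
SAMPLE_SETMODE = _sample({"setmode": {"mode": 0o4755,
    "target": {"path": "/usr/local/bin/helper",
               "stat": {"st_flags": 0, "st_mode": 0o100755, "st_uid": 0}}}})
SAMPLE_BENIGN = _sample({"setflags": {"flags": 0x20,       # UF_COMPRESSED only
    "target": {"path": PLIST, "stat": {"st_flags": 0, "st_mode": 0o100644, "st_uid": 501}}}},
    exe="/usr/sbin/bless", platform=True)

if __name__ == "__main__":
    for rec in (SAMPLE_SETFLAGS, SAMPLE_SETMODE, SAMPLE_BENIGN):
        print(check_metadata_change(rec) or ["no finding"])
```

Run against the captures on this page, decode_flags turns the st_flags value 524320 seen on Apple's binaries into UF_COMPRESSED and SF_RESTRICTED, and 524288 on /usr/bin into SF_RESTRICTED alone. The is_platform_binary test keeps Apple's own tools from tripping the concealment rule; the SF_RESTRICTED rule deliberately does not, because nothing outside the SIP trust boundary should be clearing it.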
ES_EVENT_TYPE_AUTH_GETATTRLIST: Get Attribute List (AUTH)
#Description
Fires before the kernel allows a process to read filesystem attributes via getattrlist(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure specifying which attribute groups will be retrieved. |
| target | Pointer to the es_file_t for the file whose attributes will be read. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_GETATTRLIST), which carries the same event struct. The commonattr value 134217728 is 0x08000000, ATTR_CMN_FULLPATH: xpcproxy asking for the full path of its own executable.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"getattrlist": {
"attrlist": {
"bitmapcount": 5,
"commonattr": 134217728,
"dirattr": 0,
"fileattr": 0,
"forkattr": 0,
"volattr": 0
},
"target": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
}
}
},
"event_type": 53,
"global_seq_num": 0,
"mach_time": 8838376351555,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94360,
"pidversion": 301349,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94360,
"pidversion": 301349,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:24:44.448971Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672361
},
"time": "2026-06-22T23:24:44.463422883Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_getattrlist_t https://developer.apple.com/documentation/endpointsecurity/es_event_getattrlist_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_GETATTRLIST: Get Attribute List (NOTIFY)
#Description
Fires after a process reads filesystem attributes via getattrlist(2). The payload names the attributes retrieved and the target file.
Fields #
| Name | Description |
|---|---|
| attrlist | The attrlist structure specifying which attribute groups were retrieved. |
| target | Pointer to the es_file_t for the file whose attributes were read. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"getattrlist": {
"attrlist": {
"bitmapcount": 5,
"commonattr": 134217728,
"dirattr": 0,
"fileattr": 0,
"forkattr": 0,
"volattr": 0
},
"target": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
}
}
},
"event_type": 53,
"global_seq_num": 0,
"mach_time": 8838376351555,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94360,
"pidversion": 301349,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94360,
"pidversion": 301349,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:24:44.448971Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672361
},
"time": "2026-06-22T23:24:44.463422883Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_getattrlist_t https://developer.apple.com/documentation/endpointsecurity/es_event_getattrlist_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_STAT: File Stat (NOTIFY)
#Description
Fires after a process queries file metadata via stat(2) or related calls. Because stat is called by many system operations, this is a very high-volume event and most clients filter aggressively.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose metadata was queried. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"stat": {
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 54,
"global_seq_num": 0,
"mach_time": 8837773020607,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671143
},
"time": "2026-06-22T23:24:19.324858315Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_stat_t https://developer.apple.com/documentation/endpointsecurity/es_event_stat_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
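A userland filter for this event's volume, as an added Python example that is not code from this page or from Apple. A production client would suppress most of this in the kernel with es_mute_process and es_mute_path_events so the records never cross into user space; this script shows the criteria, applied to `eslogger stat` output on stdin or to the constructed records below: drop platform binaries probing SF_RESTRICTED paths, drop repeats of the same (pid, pidversion, device, inode) tuple, keep anything that touches a watch list of sensitive paths, and otherwise keep only non-platform callers. The watch list, /tmp/stager and the sample records are assumptions; the record shape follows the eslogger JSON on this page.

```python
"""Volume reduction for NOTIFY_STAT records as printed by eslogger (stdlib only).
Added example: reads `eslogger stat` lines from stdin, or runs on the samples below."""
import fnmatch
import json
import sys
from collections import OrderedDict

SF_RESTRICTED = 0x00080000          # SIP-protected path, from <sys/stat.h>

# Sensitive locations (assumed watch list): a stat here is kept whoever the caller is.
WATCH_GLOBS = (
    "/Users/*/Library/Keychains/*",
    "/Users/*/.ssh/*",
    "/Users/*/Library/LaunchAgents/*",
    "/Library/LaunchDaemons/*",
    "/Library/LaunchAgents/*",
)


class StatFilter:
    """Stateful filter: one keep/drop decision per record, bounded memory."""

    def __init__(self, window: int = 4096):
        self.seen = OrderedDict()       # (pid, pidversion, st_dev, st_ino) -> None, LRU
        self.window = window
        self.kept = self.dropped = 0

    def keep(self, record: dict) -> bool:
        msg = record.get("message", record)
        proc = msg["process"]
        target = msg["event"]["stat"]["target"]
        st = target["stat"]
        apple = bool(proc.get("is_platform_binary"))
        watched = any(fnmatch.fnmatchcase(target["path"], g) for g in WATCH_GLOBS)
        tok = proc["audit_token"]
        # pidversion disambiguates a reused pid; st_dev+st_ino survive renames
        key = (tok["pid"], tok["pidversion"], st["st_dev"], st["st_ino"])
        decision = True
        if apple and st["st_flags"] & SF_RESTRICTED and not watched:
            decision = False            # Apple code probing SIP-protected paths: noise
        elif key in self.seen:
            decision = False            # same process, same inode: already recorded
        elif apple and not watched:
            decision = False            # Apple code touching ordinary user files
        self.seen[key] = None           # remember either way so repeats are suppressed
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        self.kept += decision
        self.dropped += not decision
        return decision


def _stat_record(exe: str, platform: bool, pid: int, path: str, st_flags: int, st_ino: int) -> dict:
    """Constructed record in eslogger's shape (not a host capture)."""
    return {"message": {
        "event": {"stat": {"target": {"path": path, "path_truncated": False,
                                      "stat": {"st_dev": 16777232, "st_ino": st_ino,
                                               "st_flags": st_flags}}}},
        "process": {"executable": {"path": exe}, "is_platform_binary": platform,
                    "audit_token": {"pid": pid, "pidversion": 1}}}}


SAMPLES = [
    # endpointsecurityd statting /usr/bin, as in the capture above: platform + SF_RESTRICTED
    _stat_record("/usr/libexec/endpointsecurityd", True, 391, "/usr/bin",
                 SF_RESTRICTED, 1152921500312571579),
    # unsigned tool probing the login keychain: kept once, then deduplicated
    _stat_record("/tmp/stager", False, 9120,
                 "/Users/admin/Library/Keychains/login.keychain-db", 0, 5001),
    _stat_record("/tmp/stager", False, 9120,
                 "/Users/admin/Library/Keychains/login.keychain-db", 0, 5001),
    # Finder statting a user document: Apple code on an unwatched path, dropped
    _stat_record("/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", True, 677,
                 "/Users/admin/Documents/notes.txt", 0, 5002),
]


def run(records) -> list:
    """Apply a fresh filter to an iterable of records and return the kept ones."""
    flt = StatFilter()
    return [r for r in records if flt.keep(r)]


if __name__ == "__main__":
    source = ((json.loads(line) for line in sys.stdin if line.strip())
              if not sys.stdin.isatty() else SAMPLES)
    for rec in run(source):
        msg = rec.get("message", rec)
        print(msg["process"]["executable"]["path"], "->", msg["event"]["stat"]["target"]["path"])
```

The ordering of the three rules matters: the dedupe check sits after the SIP-path rule so that Apple's own probes never consume LRU slots, and the watch-list test is evaluated first so that a platform binary statting a keychain file still gets through.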
ES_EVENT_TYPE_AUTH_UTIMES: File Timestamp Modify (AUTH)
#Description
Fires before the kernel allows a process to change the access or modification timestamps of a file via utimes(2) or related calls. An active ESF client must respond before the kernel proceeds. Timestamp manipulation is a common anti-forensics technique.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose timestamps will be changed. |
| atime | The new access time as a timespec value. |
| mtime | The new modification time as a timespec value. |
References #
- Apple Developer Documentation: es_event_utimes_t https://developer.apple.com/documentation/endpointsecurity/es_event_utimes_t
- Apple Developer Documentation: es_event_utimes_t.atime https://developer.apple.com/documentation/endpointsecurity/es_event_utimes_t/atime
- Apple Developer Documentation: es_event_utimes_t.mtime https://developer.apple.com/documentation/endpointsecurity/es_event_utimes_t/mtime
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_UTIMES: File Timestamp Modify (NOTIFY)
#Description
Fires after the access or modification timestamps of a file are changed via utimes(2) or related calls. Timestamp modification is a common anti-forensics technique used to disguise recently dropped files. utimes(2) cannot change the file's birth time, so a requested mtime that predates the target's st_birthtimespec is a direct indicator of backdating; setattrlist(2) with ATTR_CMN_CRTIME can rewrite the birth time as well, so watch that event alongside this one.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose timestamps were changed. |
| atime | The new access time as a timespec value. |
| mtime | The new modification time as a timespec value. |
References #
- Apple Developer Documentation: es_event_utimes_t https://developer.apple.com/documentation/endpointsecurity/es_event_utimes_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
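Covering the attrlist-carrying events above (SETATTRLIST, GETATTRLIST, SEARCHFS) and the two UTIMES events: an added Python example, not code from this page or from Apple, that decodes attrlist.commonattr into ATTR_CMN_* names, recognises a setattrlist(2) call that writes timestamps, and flags a utimes(2) call whose requested mtime predates the target's birth time, which the caller cannot reach through utimes. Record shapes follow the eslogger JSON shown on this page; the utimes atime/mtime fields are assumed to be rendered as RFC 3339 strings like the st_*timespec fields, and /tmp/stager, com.example.agent.plist and the sample messages are constructed.

```python
"""Timestamp-manipulation checks over eslogger NOTIFY_SETATTRLIST and NOTIFY_UTIMES
messages (stdlib only). Added example; field shapes follow the eslogger JSON on this page."""
import json
import sys
from datetime import datetime, timezone

# ATTR_CMN_* bit values from <sys/attr.h>; the subset a metadata detector names.
ATTR_CMN = {
    0x00000200: "ATTR_CMN_CRTIME",     0x00000400: "ATTR_CMN_MODTIME",
    0x00000800: "ATTR_CMN_CHGTIME",    0x00001000: "ATTR_CMN_ACCTIME",
    0x00002000: "ATTR_CMN_BKUPTIME",   0x00004000: "ATTR_CMN_FNDRINFO",
    0x00008000: "ATTR_CMN_OWNERID",    0x00010000: "ATTR_CMN_GRPID",
    0x00020000: "ATTR_CMN_ACCESSMASK", 0x00040000: "ATTR_CMN_FLAGS",
    0x08000000: "ATTR_CMN_FULLPATH",   0x10000000: "ATTR_CMN_ADDEDTIME",
}
# Timestamps setattrlist(2) lets a caller write. CRTIME is the one utimes(2) cannot reach.
TIMESTAMP_ATTRS = {"ATTR_CMN_CRTIME", "ATTR_CMN_MODTIME", "ATTR_CMN_ACCTIME",
                   "ATTR_CMN_BKUPTIME", "ATTR_CMN_ADDEDTIME"}


def decode_commonattr(bits: int) -> list:
    """Name each set bit of attrlist.commonattr; bits not in the table stay as hex."""
    return [ATTR_CMN.get(1 << i, f"0x{1 << i:08x}") for i in range(32) if bits & (1 << i)]


def parse_ts(s: str) -> datetime:
    """Parse eslogger's RFC 3339 timestamps (nanosecond fraction, trailing Z)."""
    base, _, frac = s.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def check_timestomp(record: dict) -> list:
    """Findings for one message; accepts the {"message": ...} wrapper or a bare message."""
    msg = record.get("message", record)
    ev, proc = msg["event"], msg["process"]
    who = f'{proc["executable"]["path"]} (pid {proc["audit_token"]["pid"]})'
    findings = []
    if "setattrlist" in ev:
        e = ev["setattrlist"]
        hits = sorted(TIMESTAMP_ATTRS & set(decode_commonattr(e["attrlist"]["commonattr"])))
        if hits:
            findings.append(f'{who} setattrlist writes {", ".join(hits)} on {e["target"]["path"]}')
    elif "utimes" in ev:
        e = ev["utimes"]
        born = parse_ts(e["target"]["stat"]["st_birthtimespec"])
        new_mtime = parse_ts(e["mtime"])
        if new_mtime < born:   # a file cannot have been modified before it was created
            findings.append(f'{who} utimes backdates {e["target"]["path"]} to '
                            f'{new_mtime.date()} (birth time {born.date()})')
    return findings


PLIST = "/Users/admin/Library/LaunchAgents/com.example.agent.plist"
BORN = "2026-06-22T23:40:11.000000000Z"


def _sample(event: dict) -> dict:
    """Constructed message in eslogger's shape; not captured from a real host."""
    return {"message": {"event": event, "process": {
        "executable": {"path": "/tmp/stager"}, "audit_token": {"pid": 9120},
        "is_platform_binary": False}}}


# setattrlist with ATTR_CMN_CRTIME | ATTR_CMN_MODTIME: rewrites birth and modification time
SAMPLE_SETATTRLIST = _sample({"setattrlist": {
    "attrlist": {"bitmapcount": 5, "commonattr": 0x200 | 0x400, "volattr": 0,
                 "dirattr": 0, "fileattr": 0, "forkattr": 0},
    "target": {"path": PLIST, "stat": {"st_birthtimespec": BORN}}}})
# utimes with atime/mtime assumed rendered as RFC 3339 strings like the st_*timespec fields
SAMPLE_UTIMES = _sample({"utimes": {
    "atime": "2024-01-15T09:00:00.000000000Z", "mtime": "2024-01-15T09:00:00.000000000Z",
    "target": {"path": PLIST, "stat": {"st_birthtimespec": BORN}}}})
# benign: mtime later than the birth time, nothing to report
SAMPLE_CLEAN = _sample({"utimes": {
    "atime": "2026-06-23T00:00:00.000000000Z", "mtime": "2026-06-23T00:00:00.000000000Z",
    "target": {"path": PLIST, "stat": {"st_birthtimespec": BORN}}}})

if __name__ == "__main__":
    source = ((json.loads(line) for line in sys.stdin if line.strip()) if not sys.stdin.isatty()
              else (SAMPLE_SETATTRLIST, SAMPLE_UTIMES, SAMPLE_CLEAN))
    for rec in source:
        for finding in check_timestomp(rec):
            print(finding)
```

Pipe `eslogger setattrlist utimes` into it on a host, or run it without stdin to exercise the samples. Applied to the GETATTRLIST capture above, decode_commonattr turns 134217728 into ATTR_CMN_FULLPATH; the same decoder serves the attrlist in the SEARCHFS events. The birth-time comparison is deliberately the only utimes rule: a new mtime later than creation is ordinary behaviour for installers and sync clients, whereas a modification time before the file existed has no legitimate producer.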
ES_EVENT_TYPE_AUTH_GETEXTATTR: Get Extended Attribute (AUTH)
#Description
Fires before the kernel allows a process to read an extended attribute via getxattr(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose extended attribute will be retrieved. |
| extattr | Token holding the name of the extended attribute to be retrieved. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_GETEXTATTR), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"getextattr": {
"extattr": "com.apple.root.installed",
"target": {
"path": "/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 448,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312105215,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 655936,
"st_uid": 0
}
}
}
},
"event_type": 64,
"global_seq_num": 0,
"mach_time": 8857245546038,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 466,
"pidversion": 1086,
"rgid": 0,
"ruid": 0
},
"cdhash": "45457D1E1F4205D62747F50DAC3986124EC293D7",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/airportd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 2592,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312574697,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 3220640,
"st_uid": 0
}
},
"group_id": 466,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 466,
"pidversion": 1086,
"rgid": 0,
"ruid": 0
},
"session_id": 466,
"signing_id": "com.apple.airport.airportd",
"start_time": "2026-06-17T20:22:02.435512Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3687766
},
"time": "2026-06-22T23:37:49.969399850Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_getextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_getextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_GETEXTATTR: Get Extended Attribute (NOTIFY)
#Description
Fires after a process reads an extended attribute via getxattr(2). The payload names the attribute retrieved and the target file.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose extended attribute was retrieved. |
| extattr | Token holding the name of the extended attribute that was retrieved. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"getextattr": {
"extattr": "com.apple.root.installed",
"target": {
"path": "/System/Library/CoreServices/WiFiAgent.app/Contents/MacOS/WiFiAgent",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 448,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312105215,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 655936,
"st_uid": 0
}
}
}
},
"event_type": 64,
"global_seq_num": 0,
"mach_time": 8857245546038,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 466,
"pidversion": 1086,
"rgid": 0,
"ruid": 0
},
"cdhash": "45457D1E1F4205D62747F50DAC3986124EC293D7",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/airportd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 2592,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312574697,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 3220640,
"st_uid": 0
}
},
"group_id": 466,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 466,
"pidversion": 1086,
"rgid": 0,
"ruid": 0
},
"session_id": 466,
"signing_id": "com.apple.airport.airportd",
"start_time": "2026-06-17T20:22:02.435512Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3687766
},
"time": "2026-06-22T23:37:49.969399850Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_getextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_getextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_LISTEXTATTR: List Extended Attributes (AUTH)
#Description
Fires before the kernel allows a process to enumerate the extended attributes of a file via listxattr(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose extended attribute names will be listed. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_LISTEXTATTR), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"listextattr": {
"target": {
"path": "/Users/admin/Library/Containers/com.apple.news.tag/Data/SystemData/com.apple.chrono/timelines/topic/systemLarge---1341790371802874391----344.00w-344.00h-27.88r-kwXjBcg0jLGkOXgfIR#vfsEQ3NEuHIIxpQplS#DfabA=.chrono-timeline",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:25:27.793989526Z",
"st_birthtimespec": "2026-06-22T23:25:27.148107512Z",
"st_blksize": 4096,
"st_blocks": 712,
"st_ctimespec": "2026-06-22T23:25:27.804667681Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968612,
"st_mode": 33206,
"st_mtimespec": "2026-06-22T23:25:27.791825712Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 364360,
"st_uid": 501
}
}
}
},
"event_type": 66,
"global_seq_num": 0,
"mach_time": 8839416570567,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 721,
"pidversion": 1804,
"rgid": 20,
"ruid": 501
},
"cdhash": "D66138B95614DDD3F43D02F3BF2B8F8A976846ED",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/ChronoCore.framework/Support/chronod",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312266803,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 160992,
"st_uid": 0
}
},
"group_id": 721,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 721,
"pidversion": 1804,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.chronod",
"start_time": "2026-06-17T20:22:06.330454Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671806
},
"time": "2026-06-22T23:25:27.805494132Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_listextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_listextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_LISTEXTATTR: List Extended Attributes (NOTIFY)
#Description
Fires after a process enumerates the extended attribute names of a file via listxattr(2).
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose extended attribute names were listed. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"listextattr": {
"target": {
"path": "/Users/admin/Library/Containers/com.apple.news.tag/Data/SystemData/com.apple.chrono/timelines/topic/systemLarge---1341790371802874391----344.00w-344.00h-27.88r-kwXjBcg0jLGkOXgfIR#vfsEQ3NEuHIIxpQplS#DfabA=.chrono-timeline",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:25:27.793989526Z",
"st_birthtimespec": "2026-06-22T23:25:27.148107512Z",
"st_blksize": 4096,
"st_blocks": 712,
"st_ctimespec": "2026-06-22T23:25:27.804667681Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968612,
"st_mode": 33206,
"st_mtimespec": "2026-06-22T23:25:27.791825712Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 364360,
"st_uid": 501
}
}
}
},
"event_type": 66,
"global_seq_num": 0,
"mach_time": 8839416570567,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 721,
"pidversion": 1804,
"rgid": 20,
"ruid": 501
},
"cdhash": "D66138B95614DDD3F43D02F3BF2B8F8A976846ED",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/ChronoCore.framework/Support/chronod",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312266803,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 160992,
"st_uid": 0
}
},
"group_id": 721,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 721,
"pidversion": 1804,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.chronod",
"start_time": "2026-06-17T20:22:06.330454Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671806
},
"time": "2026-06-22T23:25:27.805494132Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_listextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_listextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_READDIR: Read Directory (AUTH)
#Description
Fires before the kernel allows a process to read a directory's entries. An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the directory whose contents will be read. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_READDIR), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"readdir": {
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 68,
"global_seq_num": 0,
"mach_time": 8838045020495,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671870
},
"time": "2026-06-22T23:24:30.658085613Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_readdir_t https://developer.apple.com/documentation/endpointsecurity/es_event_readdir_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_READDIR: Read Directory (NOTIFY)
#Description
Fires after a process reads directory entries. The payload identifies the directory that was enumerated.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the directory whose contents were read. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"readdir": {
"target": {
"path": "/usr/bin",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524288,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571579,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 926,
"st_rdev": 0,
"st_size": 29632,
"st_uid": 0
}
}
}
},
"event_type": 68,
"global_seq_num": 0,
"mach_time": 8838045020495,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3671870
},
"time": "2026-06-22T23:24:30.658085613Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_readdir_t https://developer.apple.com/documentation/endpointsecurity/es_event_readdir_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_DELETEEXTATTR: Delete Extended Attribute (AUTH)
#Description
Fires before the kernel allows a process to remove an extended attribute via removexattr(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose extended attribute will be deleted. |
| extattr | Token holding the name of the extended attribute to be removed. |
References #
- Apple Developer Documentation: es_event_deleteextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_deleteextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR: Delete Extended Attribute (NOTIFY)
#Description
Fires after a process removes an extended attribute from a file via removexattr(2). The payload identifies the attribute that was removed and the target file.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file from which the extended attribute was removed. |
| extattr | Token holding the name of the extended attribute that was removed. |
References #
- Apple Developer Documentation: es_event_deleteextattr_t https://developer.apple.com/documentation/endpointsecurity/es_event_deleteextattr_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
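Detection-side triage of eslogger output for the ES_EVENT_TYPE_NOTIFY_UTIMES entry (timestamp backdating) and the ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR entry above, as an added example that is neither this page's nor Apple's code. It assumes the eslogger JSON shape shown in this page's sample events (one es_event family key under message.event, process metadata under message.process) and assumes that utimes atime/mtime are rendered as the same RFC 3339 strings as the stat fields; every log record below is constructed.

```python
"""Triage eslogger JSON records for file-metadata events (added example).

Assumes eslogger's JSON shape as shown on this page and that utimes
atime/mtime are printed like st_mtimespec (an assumption, not verified here).
"""
import json
from datetime import datetime, timezone


def parse_es_time(value):
    """Parse an eslogger timestamp such as "2026-05-21T08:57:02.000000000Z".

    eslogger prints nanoseconds; datetime holds microseconds, so the fraction
    is truncated to six digits. Returns an aware UTC datetime.
    """
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    naive = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return naive.replace(microsecond=micros, tzinfo=timezone.utc)


def process_label(msg):
    """One-line summary of message.process for a finding."""
    proc = msg.get("process", {})
    exe = proc.get("executable", {}).get("path", "?")
    signing = proc.get("signing_id") or "unsigned"
    kind = "platform" if proc.get("is_platform_binary") else "non-platform"
    pid = proc.get("audit_token", {}).get("pid")
    return f"{exe} ({signing}, {kind}, pid {pid})"


def check_utimes(ev):
    """Flag a utimes call whose new mtime predates the file's birth time.

    A file cannot have been modified before it was created, so this is the
    timestomping pattern the NOTIFY_UTIMES description refers to.
    """
    target = ev["target"]
    born = target["stat"]["st_birthtimespec"]
    if parse_es_time(ev["mtime"]) < parse_es_time(born):
        return f"mtime backdated to {ev['mtime']} on {target['path']} (born {born})"
    return None


def check_deleteextattr(ev):
    """Flag removal of the quarantine attribute that Gatekeeper relies on."""
    if ev.get("extattr") == "com.apple.quarantine":
        return f"com.apple.quarantine removed from {ev['target']['path']}"
    return None


# Dispatch on the es_event_<family> key eslogger places under message.event.
RULES = {"utimes": check_utimes, "deleteextattr": check_deleteextattr}


def triage(lines):
    """Return (family, finding, process) tuples for records matching a rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        msg = json.loads(line)["message"]
        event = msg["event"]
        family = next(iter(event))  # exactly one family key per record
        rule = RULES.get(family)
        if rule is None:
            continue
        hit = rule(event[family])
        if hit:
            findings.append((family, hit, process_label(msg)))
    return findings


def _record(family, body, exe, signing_id, platform):
    """Build a minimal eslogger-shaped record (constructed sample data)."""
    proc = {"executable": {"path": exe}, "signing_id": signing_id,
            "is_platform_binary": platform, "audit_token": {"pid": 4242}}
    return json.dumps({"message": {"event": {family: body}, "process": proc}})


def _target(path, born):
    """Minimal es_file_t rendering with only the stat field the rules use."""
    return {"path": path, "path_truncated": False,
            "stat": {"st_birthtimespec": born}}


BORN = "2026-06-22T23:23:12.676792816Z"
# Constructed sample log: records 1 and 2 should fire, 3 and 4 are benign.
SAMPLE_LOG = [
    _record("utimes", {"atime": "2024-01-01T00:00:00.000000000Z",
                       "mtime": "2024-01-01T00:00:00.000000000Z",
                       "target": _target("/Users/admin/Library/LaunchAgents/com.example.plist", BORN)},
            "/Users/admin/Downloads/installer", "com.example.installer", False),
    _record("deleteextattr", {"extattr": "com.apple.quarantine",
                              "target": _target("/Users/admin/Downloads/tool.dmg", BORN)},
            "/Users/admin/Downloads/installer", "com.example.installer", False),
    _record("utimes", {"atime": "2026-06-22T23:30:00.000000000Z",
                       "mtime": "2026-06-22T23:30:00.000000000Z",
                       "target": _target("/Users/admin/notes.txt", BORN)},
            "/usr/bin/touch", "com.example.touch", True),
    _record("deleteextattr", {"extattr": "com.example.usertag",
                              "target": _target("/Users/admin/notes.txt", BORN)},
            "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
            "com.example.finder", True),
]

if __name__ == "__main__":
    for family, finding, proc in triage(SAMPLE_LOG):
        print(f"[{family}] {finding} <- {proc}")
```

On a live host the same function can be fed `eslogger utimes deleteextattr` output line by line; the two sample records that fire are the backdated mtime and the quarantine removal, both by the non-platform installer.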
ES_EVENT_TYPE_AUTH_FSGETPATH: Filesystem Path Retrieve (AUTH)
#Description
Fires before the kernel allows a process to resolve the filesystem path of an object by inode number or file descriptor via fsgetpath(3). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the filesystem object whose path will be retrieved. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_FSGETPATH), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"fsgetpath": {
"target": {
"path": "/usr/lib/dyld",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1768,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312573277,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2374000,
"st_uid": 0
}
}
}
},
"event_type": 72,
"global_seq_num": 0,
"mach_time": 8838186457671,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 94353,
"pidversion": 301336,
"rgid": 20,
"ruid": 501
},
"cdhash": "160AC44B1460AC5D214FE99209F7115AAC343870",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:24:02.663764839Z",
"st_birthtimespec": "2026-06-18T18:48:46.181229028Z",
"st_blksize": 4096,
"st_blocks": 232,
"st_ctimespec": "2026-06-21T18:31:01.870714059Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 80,
"st_ino": 55224233,
"st_mode": 33277,
"st_mtimespec": "2026-06-18T18:48:50.506541645Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 118656,
"st_uid": 501
}
},
"group_id": 83147,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 83147,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"ppid": 83147,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "org.mozilla.plugincontainer",
"start_time": "2026-06-22T23:24:36.550687Z",
"team_id": "43AQ936H96",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672222
},
"time": "2026-06-22T23:24:36.551248569Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_fsgetpath_t https://developer.apple.com/documentation/endpointsecurity/es_event_fsgetpath_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_FSGETPATH: Filesystem Path Retrieve (NOTIFY)
#Description
Fires after a process resolves the filesystem path of an object via fsgetpath(3). The payload identifies the object whose path was retrieved.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the filesystem object whose path was retrieved. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"fsgetpath": {
"target": {
"path": "/usr/lib/dyld",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1768,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312573277,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2374000,
"st_uid": 0
}
}
}
},
"event_type": 72,
"global_seq_num": 0,
"mach_time": 8838186457671,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 94353,
"pidversion": 301336,
"rgid": 20,
"ruid": 501
},
"cdhash": "160AC44B1460AC5D214FE99209F7115AAC343870",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:24:02.663764839Z",
"st_birthtimespec": "2026-06-18T18:48:46.181229028Z",
"st_blksize": 4096,
"st_blocks": 232,
"st_ctimespec": "2026-06-21T18:31:01.870714059Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 80,
"st_ino": 55224233,
"st_mode": 33277,
"st_mtimespec": "2026-06-18T18:48:50.506541645Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 118656,
"st_uid": 501
}
},
"group_id": 83147,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 83147,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"ppid": 83147,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "org.mozilla.plugincontainer",
"start_time": "2026-06-22T23:24:36.550687Z",
"team_id": "43AQ936H96",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672222
},
"time": "2026-06-22T23:24:36.551248569Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_fsgetpath_t https://developer.apple.com/documentation/endpointsecurity/es_event_fsgetpath_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETACL: Set File ACL (AUTH)
#Description
Fires before the kernel allows a process to set or clear the Access Control List on a file. An active ESF client must respond before the kernel proceeds. ACL modification can be used to grant or revoke access to sensitive files.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose ACL will be modified. |
| set_or_clear | Indicates whether the operation sets (ES_SET) or clears (ES_CLEAR) the ACL on the target file. |
| acl | Union containing the acl_t pointer for the new ACL; valid only when set_or_clear is ES_SET. |
References #
- Apple Developer Documentation: es_event_setacl_t https://developer.apple.com/documentation/endpointsecurity/es_event_setacl_t
- Apple Developer Documentation: es_event_setacl_t.acl https://developer.apple.com/documentation/endpointsecurity/es_event_setacl_t/3395688-acl
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETACL: Set File ACL (NOTIFY)
#Description
Fires after the Access Control List on a file is set or cleared. The payload records whether the operation set or cleared the ACL and, when setting, the ACL value applied.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file whose ACL was modified. |
| set_or_clear | Indicates whether the ACL was set (ES_SET) or cleared (ES_CLEAR). |
| acl | Union containing the acl_t pointer for the applied ACL; valid only when set_or_clear is ES_SET. |
References #
- Apple Developer Documentation: es_event_setacl_t https://developer.apple.com/documentation/endpointsecurity/es_event_setacl_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE: File Provider Materialize (AUTH)
#Description
Fires before a FileProvider extension downloads and places a cloud-backed (evicted) file onto local storage. An active ESF client must respond before the kernel proceeds. The payload identifies the staged source and the local destination.
Fields #
| Name | Description |
|---|---|
| instigator | Pointer to the es_process_t for the process that triggered the materialization. |
| source | Pointer to the es_file_t for the staged (temporary) file being materialized. |
| target | Pointer to the es_file_t for the local destination where the materialized file will be placed. |
References #
- Apple Developer Documentation: es_event_file_provider_materialize_t https://developer.apple.com/documentation/endpointsecurity/es_event_file_provider_materialize_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE: File Provider Materialize (NOTIFY)
#Description
Fires after a FileProvider extension places a cloud-backed file on local storage. The payload identifies the staged source and the local destination where the file now resides.
Fields #
| Name | Description |
|---|---|
| instigator | Pointer to the es_process_t for the process that triggered the materialization. |
| source | Pointer to the es_file_t for the staged file that was materialized. |
| target | Pointer to the es_file_t for the local destination of the materialized file. |
References #
- Apple Developer Documentation: es_event_file_provider_materialize_t https://developer.apple.com/documentation/endpointsecurity/es_event_file_provider_materialize_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE: File Provider Update (AUTH)
#Description
Fires before a FileProvider extension updates the local copy of a cloud-backed file. An active ESF client must respond before the kernel proceeds. The payload identifies the staged source and the destination path.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the staged file whose updated contents will be applied. |
| target_path | Token holding the local path to which the staged source will be moved after the update. |
References #
- Apple Developer Documentation: es_event_file_provider_update_t https://developer.apple.com/documentation/endpointsecurity/es_event_file_provider_update_t
- Apple Developer Documentation: es_event_file_provider_update_t.target_path https://developer.apple.com/documentation/endpointsecurity/es_event_file_provider_update_t/target_path
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE: File Provider Update (NOTIFY)
#Description
Fires after a FileProvider extension updates the local copy of a cloud-backed file. The payload identifies the staged source and the local path to which it was moved.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the staged file whose contents were applied. |
| target_path | Token holding the local path to which the staged source was moved. |
References #
- Apple Developer Documentation: es_event_file_provider_update_t https://developer.apple.com/documentation/endpointsecurity/es_event_file_provider_update_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_UNLINK: File Unlink (AUTH)
#Description
Fires before the kernel removes a file's directory entry. An active ESF client must respond before the kernel proceeds. The payload identifies the target file and the directory that contains it.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file being removed. |
| parent_dir | Pointer to the es_file_t for the directory containing the file being removed. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_UNLINK), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"unlink": {
"parent_dir": {
"path": "/Users/admin/Library/Biome/tmp",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T13:45:52.510341701Z",
"st_birthtimespec": "2024-06-18T05:34:41.441027928Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:12.676799775Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 420563,
"st_mode": 16877,
"st_mtimespec": "2026-06-22T23:23:12.676799775Z",
"st_nlink": 4,
"st_rdev": 0,
"st_size": 128,
"st_uid": 501
}
},
"target": {
"path": "/Users/admin/Library/Biome/tmp/.tmp.fvWu6acU",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:12.676792816Z",
"st_birthtimespec": "2026-06-22T23:23:12.676792816Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:12.676792816Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968347,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:12.676792816Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 0,
"st_uid": 501
}
}
}
},
"event_type": 32,
"global_seq_num": 1,
"mach_time": 8836173454811,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 662,
"pidversion": 1610,
"rgid": 20,
"ruid": 501
},
"cdhash": "9451A9652A07F204DB51ED84649612650A3613E7",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/BiomeStreams.framework/Support/BiomeAgent",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312263000,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 176320,
"st_uid": 0
}
},
"group_id": 662,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 662,
"pidversion": 1610,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.BiomeAgent",
"start_time": "2026-06-17T20:22:05.540323Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 1,
"thread": {
"thread_id": 3670689
},
"time": "2026-06-22T23:23:12.676879607Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_unlink_t https://developer.apple.com/documentation/endpointsecurity/es_event_unlink_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_LINK: Hard Link Create (NOTIFY)
#Description
Fires after a new hard link to an existing file is created. The payload identifies the source file and the directory and filename of the new link.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the existing file to which a new hard link is being created. |
| target_dir | Pointer to the es_file_t for the directory in which the new hard link will be created. |
| target_filename | Token holding the filename for the new hard link. |
References #
- Apple Developer Documentation: es_event_link_t https://developer.apple.com/documentation/endpointsecurity/es_event_link_t
- Apple Developer Documentation: es_event_link_t.target_dir https://developer.apple.com/documentation/endpointsecurity/es_event_link_t/target_dir
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_UNLINK: File Unlink (NOTIFY)
#Description
Fires after a file's directory entry is removed. The payload identifies the removed file and the directory that contained it.
Fields #
| Name | Description |
|---|---|
| target | Pointer to the es_file_t for the file that was removed. |
| parent_dir | Pointer to the es_file_t for the directory that contained the removed file. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"unlink": {
"parent_dir": {
"path": "/Users/admin/Library/Biome/tmp",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T13:45:52.510341701Z",
"st_birthtimespec": "2024-06-18T05:34:41.441027928Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:12.676799775Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 420563,
"st_mode": 16877,
"st_mtimespec": "2026-06-22T23:23:12.676799775Z",
"st_nlink": 4,
"st_rdev": 0,
"st_size": 128,
"st_uid": 501
}
},
"target": {
"path": "/Users/admin/Library/Biome/tmp/.tmp.fvWu6acU",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:23:12.676792816Z",
"st_birthtimespec": "2026-06-22T23:23:12.676792816Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:23:12.676792816Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 55968347,
"st_mode": 33152,
"st_mtimespec": "2026-06-22T23:23:12.676792816Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 0,
"st_uid": 501
}
}
}
},
"event_type": 32,
"global_seq_num": 1,
"mach_time": 8836173454811,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 662,
"pidversion": 1610,
"rgid": 20,
"ruid": 501
},
"cdhash": "9451A9652A07F204DB51ED84649612650A3613E7",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/BiomeStreams.framework/Support/BiomeAgent",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312263000,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 176320,
"st_uid": 0
}
},
"group_id": 662,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 662,
"pidversion": 1610,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.BiomeAgent",
"start_time": "2026-06-17T20:22:05.540323Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 1,
"thread": {
"thread_id": 3670689
},
"time": "2026-06-22T23:23:12.676879607Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_unlink_t https://developer.apple.com/documentation/endpointsecurity/es_event_unlink_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_READLINK: Symbolic Link Read (AUTH)
#Description
Fires before the kernel resolves a symbolic link, including path lookups that traverse a symlink, not only explicit readlink(2) calls. An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the symbolic link being resolved. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_READLINK), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"readlink": {
"source": {
"path": "/etc",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 557056,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571453,
"st_mode": 41453,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 11,
"st_uid": 0
}
}
}
},
"event_type": 39,
"global_seq_num": 0,
"mach_time": 8838798335149,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 383,
"pidversion": 1036,
"rgid": 0,
"ruid": 0
},
"cdhash": "0346AF4D0187B9FAD1FCB82CE74248416C953A33",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 8688,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312331519,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 10397072,
"st_uid": 0
}
},
"group_id": 383,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 383,
"pidversion": 1036,
"rgid": 0,
"ruid": 0
},
"session_id": 383,
"signing_id": "com.apple.mediaremoted",
"start_time": "2026-06-17T20:22:01.678803Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672178
},
"time": "2026-06-22T23:25:02.045915327Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_readlink_t https://developer.apple.com/documentation/endpointsecurity/es_event_readlink_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_READLINK: Symbolic Link Read (NOTIFY)
#Description
Fires after the kernel resolves a symbolic link. This event covers any path lookup that traverses a symlink, not only explicit readlink(2) calls, so volume can be high on busy systems.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the symbolic link that was resolved. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"readlink": {
"source": {
"path": "/etc",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 557056,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571453,
"st_mode": 41453,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 11,
"st_uid": 0
}
}
}
},
"event_type": 39,
"global_seq_num": 0,
"mach_time": 8838798335149,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 383,
"pidversion": 1036,
"rgid": 0,
"ruid": 0
},
"cdhash": "0346AF4D0187B9FAD1FCB82CE74248416C953A33",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 8688,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312331519,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 10397072,
"st_uid": 0
}
},
"group_id": 383,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 383,
"pidversion": 1036,
"rgid": 0,
"ruid": 0
},
"session_id": 383,
"signing_id": "com.apple.mediaremoted",
"start_time": "2026-06-17T20:22:01.678803Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672178
},
"time": "2026-06-22T23:25:02.045915327Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_readlink_t https://developer.apple.com/documentation/endpointsecurity/es_event_readlink_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_LINK: Hard Link Create (AUTH)
#Description
Fires before the kernel creates a new hard link to an existing file. An active ESF client must respond before the kernel proceeds. The payload identifies the source file and the target directory and filename.
Fields #
| Name | Description |
|---|---|
| source | Pointer to the es_file_t for the existing file to which a hard link will be created. |
| target_dir | Pointer to the es_file_t for the directory in which the new hard link will be created. |
| target_filename | Token holding the filename for the new hard link. |
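An added example, not the page's or Apple's code, that serves both the NOTIFY and AUTH link entries: it consumes eslogger JSON, rebuilds the new link's path from target_dir.path and target_filename, and reports hard links whose source the calling process does not own or that carry a setuid/setgid bit. It assumes eslogger renders the es_string_token_t target_filename as a plain string; the sample message is constructed.

```python
"""Hard-link review over eslogger JSON for ES_EVENT_TYPE_AUTH_LINK and
ES_EVENT_TYPE_NOTIFY_LINK (added example; not the page's or Apple's code).

A hard link keeps the source inode reachable under a second name, so a link
made by a process that does not own the source, or to a setuid/setgid file,
deserves a closer look. The message below is constructed in eslogger's shape,
with stat trimmed to the fields actually used.
"""
import posixpath
from typing import Optional

S_ISUID, S_ISGID = 0o4000, 0o2000  # st_mode bits (assumed from <sys/stat.h>)


def link_path(link: dict) -> str:
    """Path of the link being created: target_dir.path joined with target_filename.
    Assumes eslogger renders the es_string_token_t target_filename as a string."""
    return posixpath.join(link["target_dir"]["path"], link["target_filename"])


def review_link(message: dict) -> Optional[dict]:
    """Return a finding for a suspicious link event, or None when nothing stands out."""
    link = message["event"].get("link")
    if link is None:
        return None  # not a link event
    proc = message["process"]
    euid = proc["audit_token"]["euid"]
    src = link["source"]
    owner = src["stat"]["st_uid"]
    reasons = []
    if euid != 0 and owner != euid:
        reasons.append("source owned by uid %d, caller euid %d" % (owner, euid))
    if src["stat"]["st_mode"] & (S_ISUID | S_ISGID):
        reasons.append("source has setuid/setgid bit")
    if src.get("path_truncated") or link["target_dir"].get("path_truncated"):
        # es_file_t.path_truncated means the path did not fit; do not match on it
        reasons.append("path truncated; path-based matching unreliable")
    if not reasons:
        return None
    return {
        "pid": proc["audit_token"]["pid"],
        "signing_id": proc.get("signing_id"),
        "is_platform_binary": proc.get("is_platform_binary"),
        "source": src["path"],
        "link": link_path(link),
        "reasons": reasons,
    }


# Constructed sample: a non-platform tool running as uid 501 hard-links a
# root-owned plist into its own cache directory.
SAMPLE_LINK = {
    "event": {"link": {
        "source": {"path": "/Library/Application Support/ExampleDaemon/settings.plist",
                   "path_truncated": False,
                   "stat": {"st_uid": 0, "st_gid": 0, "st_mode": 0o100644}},
        "target_dir": {"path": "/Users/admin/Library/Caches", "path_truncated": False},
        "target_filename": "settings.plist",
    }},
    "process": {"audit_token": {"pid": 4242, "euid": 501, "egid": 20},
                "signing_id": "com.example.cachetool",
                "is_platform_binary": False},
}

if __name__ == "__main__":
    print(review_link(SAMPLE_LINK))
```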
References #
- Apple Developer Documentation: es_event_link_t https://developer.apple.com/documentation/endpointsecurity/es_event_link_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_MOUNT: Filesystem Mount (AUTH)
#Description
Fires before the kernel allows a filesystem to be mounted. An active ESF client must respond before the kernel proceeds. The payload contains the statfs structure for the filesystem being mounted.
Fields #
| Name | Description |
|---|---|
| statfs | Pointer to the statfs structure describing the filesystem being mounted, including mount point, filesystem type (f_fstypename), and device name (f_mntfromname). |
| disposition | The device disposition of the mounted filesystem (es_mount_disposition_t -- external, internal, network, virtual, nullfs, or unknown); eslogger serializes it as the raw enum integer, e.g. 3 = virtual/dmg-backed (message version 8+, macOS 15+). |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_MOUNT), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mount": {
"disposition": 3,
"statfs": {
"f_bavail": 1178,
"f_bfree": 1178,
"f_blocks": 1270,
"f_bsize": 4096,
"f_ffree": 47120,
"f_files": 47120,
"f_flags": 77632024,
"f_flags_ext": 0,
"f_fsid": [
16777239,
26
],
"f_fssubtype": 0,
"f_fstypename": "apfs",
"f_iosize": 1048576,
"f_mntfromname": "/dev/disk5s1",
"f_mntonname": "/Volumes/DWM",
"f_owner": 0,
"f_type": 26
}
}
},
"event_type": 22,
"global_seq_num": 0,
"mach_time": 8840980752572,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94566,
"pidversion": 301743,
"rgid": 0,
"ruid": 0
},
"cdhash": "033D8813676B5B0FCC450F44C0190C61DC3E499A",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/Filesystems/apfs.fs/Contents/Resources/mount_apfs",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312141477,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 140048,
"st_uid": 0
}
},
"group_id": 410,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 94565,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94565,
"pidversion": 301741,
"rgid": 0,
"ruid": 0
},
"ppid": 94565,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 410,
"pidversion": 997,
"rgid": 0,
"ruid": 0
},
"session_id": 410,
"signing_id": "com.apple.mount_apfs",
"start_time": "2026-06-22T23:26:32.255503Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3674014
},
"time": "2026-06-22T23:26:32.275733421Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_mount_t https://developer.apple.com/documentation/endpointsecurity/es_event_mount_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_MOUNT: Filesystem Mount (NOTIFY)
#Description
Fires after a filesystem is successfully mounted. The payload contains the statfs structure for the mounted filesystem, and in message version 8 and later, a disposition flag for the device.
Fields #
| Name | Description |
|---|---|
| statfs | Pointer to the statfs structure for the mounted filesystem, including mount point (f_mntonname), device (f_mntfromname), and filesystem type (f_fstypename). |
| disposition | The device disposition of the mounted filesystem (es_mount_disposition_t -- external, internal, network, virtual, nullfs, or unknown); eslogger serializes it as the raw enum integer, e.g. 3 = virtual/dmg-backed (message version 8+, macOS 15+). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mount": {
"disposition": 3,
"statfs": {
"f_bavail": 1178,
"f_bfree": 1178,
"f_blocks": 1270,
"f_bsize": 4096,
"f_ffree": 47120,
"f_files": 47120,
"f_flags": 77632024,
"f_flags_ext": 0,
"f_fsid": [
16777239,
26
],
"f_fssubtype": 0,
"f_fstypename": "apfs",
"f_iosize": 1048576,
"f_mntfromname": "/dev/disk5s1",
"f_mntonname": "/Volumes/DWM",
"f_owner": 0,
"f_type": 26
}
}
},
"event_type": 22,
"global_seq_num": 0,
"mach_time": 8840980752572,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94566,
"pidversion": 301743,
"rgid": 0,
"ruid": 0
},
"cdhash": "033D8813676B5B0FCC450F44C0190C61DC3E499A",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/Filesystems/apfs.fs/Contents/Resources/mount_apfs",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312141477,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 140048,
"st_uid": 0
}
},
"group_id": 410,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 94565,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94565,
"pidversion": 301741,
"rgid": 0,
"ruid": 0
},
"ppid": 94565,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 410,
"pidversion": 997,
"rgid": 0,
"ruid": 0
},
"session_id": 410,
"signing_id": "com.apple.mount_apfs",
"start_time": "2026-06-22T23:26:32.255503Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3674014
},
"time": "2026-06-22T23:26:32.275733421Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_mount_t https://developer.apple.com/documentation/endpointsecurity/es_event_mount_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_UNMOUNT: Filesystem Unmount (NOTIFY)
#Description
Fires after a filesystem is unmounted. The payload contains the statfs structure describing the filesystem that was detached.
Fields #
| Name | Description |
|---|---|
| statfs | Pointer to the statfs structure for the filesystem that was unmounted, including the former mount point and device name. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"unmount": {
"statfs": {
"f_bavail": 1176,
"f_bfree": 1176,
"f_blocks": 1270,
"f_bsize": 4096,
"f_ffree": 47040,
"f_files": 47042,
"f_flags": 77632024,
"f_flags_ext": 0,
"f_fsid": [
16777239,
26
],
"f_fssubtype": 1,
"f_fstypename": "apfs",
"f_iosize": 2097152,
"f_mntfromname": "/dev/disk5s1",
"f_mntonname": "/Volumes/DWU",
"f_owner": 0,
"f_type": 26
}
}
},
"event_type": 23,
"global_seq_num": 0,
"mach_time": 8841191003152,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 410,
"pidversion": 997,
"rgid": 0,
"ruid": 0
},
"cdhash": "4EB168D4A4FF05762D84BF9988F5949E63D62ED8",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/diskarbitrationd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 400,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575092,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 496080,
"st_uid": 0
}
},
"group_id": 410,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 410,
"pidversion": 997,
"rgid": 0,
"ruid": 0
},
"session_id": 410,
"signing_id": "com.apple.diskarbitrationd",
"start_time": "2026-06-17T20:22:01.684772Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3674330
},
"time": "2026-06-22T23:26:41.036095486Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_unmount_t https://developer.apple.com/documentation/endpointsecurity/es_event_unmount_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_REMOUNT: Filesystem Remount (AUTH)
#Description
Fires before the kernel allows a filesystem to be remounted with changed options (for example, upgrading from read-only to read-write). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
| statfs | Pointer to the statfs structure for the filesystem being remounted, including the current mount point and device name. |
References #
- Apple Developer Documentation: es_event_remount_t https://developer.apple.com/documentation/endpointsecurity/es_event_remount_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_REMOUNT: Filesystem Remount (NOTIFY)
#Description
Fires after a filesystem is remounted with changed options. Remounting a read-only filesystem as read-write is a classic persistence or privilege-escalation step.
Fields #
| Name | Description |
|---|---|
| statfs | Pointer to the statfs structure for the filesystem that was remounted, including the mount point and device name. |
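An added example, not the page's or Apple's code, that serves the mount, unmount and remount entries above: it decodes the disposition integer and the statfs f_flags bitmask from eslogger JSON and keeps the last flags per mount point, so the read-only to read-write remount the description mentions can be recognised even though a single remount message carries no previous state. The MNT_* values and the es_mount_disposition_t order are assumed from the macOS headers; the sample messages are constructed around the page's /Volumes/DWM statfs.

```python
"""Mount/remount review over eslogger JSON for ES_EVENT_TYPE_NOTIFY_MOUNT,
ES_EVENT_TYPE_NOTIFY_UNMOUNT and ES_EVENT_TYPE_NOTIFY_REMOUNT (the AUTH
siblings carry the same statfs payload). Added example; not the page's or
Apple's code. Samples are constructed; flag values assumed from the headers.
"""

# es_mount_disposition_t in enum order (assumed from the ESF header; the page's
# sample value 3 == virtual agrees with it). eslogger emits the raw integer.
MOUNT_DISPOSITION = {0: "external", 1: "internal", 2: "network",
                     3: "virtual", 4: "nullfs", 5: "unknown"}

# Subset of MNT_* bits for statfs.f_flags (assumed from macOS <sys/mount.h>).
MNT_RDONLY = 0x00000001
MNT_FLAGS = {
    MNT_RDONLY: "MNT_RDONLY",
    0x00000004: "MNT_NOEXEC",
    0x00000008: "MNT_NOSUID",
    0x00000010: "MNT_NODEV",
    0x00000200: "MNT_REMOVABLE",
    0x00000400: "MNT_QUARANTINE",
    0x00001000: "MNT_LOCAL",
    0x00004000: "MNT_ROOTFS",
    0x00200000: "MNT_IGNORE_OWNERSHIP",
    0x00400000: "MNT_AUTOMOUNTED",
}


def decode_mnt_flags(f_flags: int) -> list:
    """Names of the known MNT_* bits set in f_flags, lowest bit first."""
    return [name for bit, name in sorted(MNT_FLAGS.items()) if f_flags & bit]


class MountTracker:
    """Feed every mount/remount/unmount message; get a summary with findings."""

    def __init__(self):
        self.last_flags = {}  # f_mntonname -> f_flags from the last mount/remount

    def observe(self, message: dict) -> dict:
        event = message["event"]
        kind = next((k for k in ("mount", "remount", "unmount") if k in event), None)
        if kind is None:
            return {}
        st = event[kind]["statfs"]
        proc = message["process"]
        mnt = st["f_mntonname"]
        summary = {
            "kind": kind,
            "mount_point": mnt,
            "device": st["f_mntfromname"],
            "fstype": st["f_fstypename"],
            "flags": decode_mnt_flags(st["f_flags"]),
            "by": "%s (pid %d, platform=%s)" % (proc.get("signing_id"),
                                               proc["audit_token"]["pid"],
                                               proc.get("is_platform_binary")),
            "findings": [],
        }
        if kind == "mount":
            # disposition exists only in message version 8+ (macOS 15+)
            summary["disposition"] = MOUNT_DISPOSITION.get(
                event[kind].get("disposition"), "n/a (message version < 8)")
        elif kind == "remount":
            prev = self.last_flags.get(mnt)
            if prev is not None and prev & MNT_RDONLY and not st["f_flags"] & MNT_RDONLY:
                summary["findings"].append("read-only volume remounted read-write")
        if kind == "unmount":
            self.last_flags.pop(mnt, None)
        else:
            self.last_flags[mnt] = st["f_flags"]
        return summary


def make_msg(kind: str, statfs: dict, extra=None) -> dict:
    """Constructed eslogger-shaped envelope (process fields trimmed)."""
    body = dict(statfs=statfs, **(extra or {}))
    return {"event": {kind: body},
            "process": {"audit_token": {"pid": 94566}, "signing_id": "com.apple.mount_apfs",
                        "is_platform_binary": True}}


# statfs values follow the page's /Volumes/DWM sample; the read-only bit is
# added to the constructed mount so that the remount below clears it.
PAGE_FLAGS = 77632024
STATFS_RO = {"f_flags": PAGE_FLAGS | MNT_RDONLY, "f_fstypename": "apfs",
             "f_mntfromname": "/dev/disk5s1", "f_mntonname": "/Volumes/DWM"}
STATFS_RW = dict(STATFS_RO, f_flags=PAGE_FLAGS)
SAMPLE_STREAM = [make_msg("mount", STATFS_RO, {"disposition": 3}),
                 make_msg("remount", STATFS_RW),
                 make_msg("unmount", STATFS_RW)]

if __name__ == "__main__":
    tracker = MountTracker()
    for m in SAMPLE_STREAM:
        print(tracker.observe(m))
```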
References #
- Apple Developer Documentation: es_event_remount_t https://developer.apple.com/documentation/endpointsecurity/es_event_remount_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_MMAP: Memory Map File (AUTH)
#Description
Fires before the kernel maps a file into a process's address space and requires an active ESF client to respond before the mmap(2) call completes. The payload identifies the file being mapped and the requested memory protection flags, enabling detection of attempts to create executable or writable memory-mapped regions.
Fields #
| Name | Description |
|---|---|
| source | The es_file_t for the file system object being mapped into memory. |
| protection | The protection value (PROT_READ, PROT_WRITE, PROT_EXEC) requested for the mapped region. |
| max_protection | The maximum protection value the operating system will allow for this mapping. |
| flags | The mmap(2) flags describing the type and attributes of the mapping (e.g. MAP_PRIVATE, MAP_SHARED). |
| file_pos | The byte offset into the source file at which mapping begins. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_MMAP), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mmap": {
"file_pos": 0,
"flags": 262145,
"max_protection": 1,
"protection": 1,
"source": {
"path": "/Users/admin/Library/Biome/streams/restricted/App.Intent/local/799521575748394",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:59.432460306Z",
"st_birthtimespec": "2026-05-03T17:19:35.748925253Z",
"st_blksize": 4096,
"st_blocks": 2048,
"st_ctimespec": "2026-06-22T23:32:00.944504500Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 49502158,
"st_mode": 33152,
"st_mtimespec": "2026-05-03T17:19:35.749242251Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1048576,
"st_uid": 501
}
}
}
},
"event_type": 20,
"global_seq_num": 0,
"mach_time": 8856032652556,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 827,
"pidversion": 2091,
"rgid": 20,
"ruid": 501
},
"cdhash": "2C8D40BF9E4A968649770AA591E953D497415693",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/duetexpertd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575125,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 176016,
"st_uid": 0
}
},
"group_id": 827,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 827,
"pidversion": 2091,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.duetexpertd",
"start_time": "2026-06-17T20:22:07.969631Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3686812
},
"time": "2026-06-22T23:36:59.432623388Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_mmap_t https://developer.apple.com/documentation/endpointsecurity/es_event_mmap_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- mac-monitor: Understanding Endpoint Security Framework Events on macOS https://sebastiangogola.me/mac-monitor-understanding-endpoint-security-framework-events-on-macos/
ES_EVENT_TYPE_AUTH_MPROTECT: Memory Protection Change (AUTH)
#Description
Fires before the kernel applies an mprotect(2) call and requires an active ESF client to respond before the protection change takes effect. The payload carries the desired protection flags, base address, and region size, which allows detection of pages being made executable after being written (a common shellcode staging pattern).
Fields #
| Name | Description |
|---|---|
| protection | The desired new protection value (e.g. PROT_READ \| PROT_EXEC) that the process is requesting. |
| address | The base address of the memory region to which the new protection will apply. |
| size | The size in bytes of the memory region to which the new protection will apply. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_MPROTECT), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mprotect": {
"address": 4858068992,
"protection": 3,
"size": 16384
}
},
"event_type": 21,
"global_seq_num": 0,
"mach_time": 8835485357972,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92909,
"pidversion": 298530,
"rgid": 20,
"ruid": 501
},
"cdhash": "160AC44B1460AC5D214FE99209F7115AAC343870",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:22:28.730755763Z",
"st_birthtimespec": "2026-06-18T18:48:46.181229028Z",
"st_blksize": 4096,
"st_blocks": 232,
"st_ctimespec": "2026-06-21T18:31:01.870714059Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 80,
"st_ino": 55224233,
"st_mode": 33277,
"st_mtimespec": "2026-06-18T18:48:50.506541645Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 118656,
"st_uid": 501
}
},
"group_id": 83147,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 83147,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"ppid": 83147,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "org.mozilla.plugincontainer",
"start_time": "2026-06-22T23:03:23.065175Z",
"team_id": "43AQ936H96",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3654551
},
"time": "2026-06-22T23:22:44.006434380Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_mprotect_t https://developer.apple.com/documentation/endpointsecurity/es_event_mprotect_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- mac-monitor: Understanding Endpoint Security Framework Events on macOS https://sebastiangogola.me/mac-monitor-understanding-endpoint-security-framework-events-on-macos/
ES_EVENT_TYPE_NOTIFY_MMAP: Memory Map File (NOTIFY)
#Description
Fires after a file is successfully mapped into a process's address space via mmap(2). The payload is identical to the AUTH variant and carries the source file, protection flags, and mapping attributes, which are useful for identifying dylib loading and executable memory creation.
Fields #
| Name | Description |
|---|---|
| source | The es_file_t for the file system object that was mapped. |
| protection | The protection value applied to the mapped region. |
| max_protection | The maximum protection value the OS will respect for this mapping. |
| flags | The mmap(2) flags describing the mapping type and attributes. |
| file_pos | The byte offset into the source file at which mapping begins. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mmap": {
"file_pos": 0,
"flags": 262145,
"max_protection": 1,
"protection": 1,
"source": {
"path": "/Users/admin/Library/Biome/streams/restricted/App.Intent/local/799521575748394",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:59.432460306Z",
"st_birthtimespec": "2026-05-03T17:19:35.748925253Z",
"st_blksize": 4096,
"st_blocks": 2048,
"st_ctimespec": "2026-06-22T23:32:00.944504500Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 20,
"st_ino": 49502158,
"st_mode": 33152,
"st_mtimespec": "2026-05-03T17:19:35.749242251Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1048576,
"st_uid": 501
}
}
}
},
"event_type": 20,
"global_seq_num": 0,
"mach_time": 8856032652556,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 827,
"pidversion": 2091,
"rgid": 20,
"ruid": 501
},
"cdhash": "2C8D40BF9E4A968649770AA591E953D497415693",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/duetexpertd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575125,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 176016,
"st_uid": 0
}
},
"group_id": 827,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 827,
"pidversion": 2091,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "com.apple.duetexpertd",
"start_time": "2026-06-17T20:22:07.969631Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3686812
},
"time": "2026-06-22T23:36:59.432623388Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_mmap_t https://developer.apple.com/documentation/endpointsecurity/es_event_mmap_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Cedric Owens: Taking ESF For A(nother) Spin https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
ES_EVENT_TYPE_NOTIFY_MPROTECT: Memory Protection Change (Notify)
#Description
Fires after mprotect(2) changes the protection on a memory region. The payload is identical to the AUTH variant and carries the new protection value, the base address, and the region size. protection is a VM_PROT_READ/VM_PROT_WRITE/VM_PROT_EXECUTE bitmask (1/2/4), so the sample's 3 is read+write. Only the new protection is reported, not the previous one, so detecting shellcode staging, where a written region is subsequently made executable, requires keeping per-process state across mprotect events and matching a later executable transition against earlier writable regions by address.
Fields #
| Name | Description |
|---|---|
protection | The new protection value applied to the memory region. |
address | The base address of the memory region that received the new protection. |
size | The size in bytes of the memory region that received the new protection. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"mprotect": {
"address": 4858068992,
"protection": 3,
"size": 16384
}
},
"event_type": 21,
"global_seq_num": 0,
"mach_time": 8835485357972,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92909,
"pidversion": 298530,
"rgid": 20,
"ruid": 501
},
"cdhash": "160AC44B1460AC5D214FE99209F7115AAC343870",
"codesigning_flags": 570495761,
"cs_validation_category": 6,
"executable": {
"path": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:22:28.730755763Z",
"st_birthtimespec": "2026-06-18T18:48:46.181229028Z",
"st_blksize": 4096,
"st_blocks": 232,
"st_ctimespec": "2026-06-21T18:31:01.870714059Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 80,
"st_ino": 55224233,
"st_mode": 33277,
"st_mtimespec": "2026-06-18T18:48:50.506541645Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 118656,
"st_uid": 501
}
},
"group_id": 83147,
"is_es_client": false,
"is_platform_binary": false,
"original_ppid": 83147,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"ppid": 83147,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 83147,
"pidversion": 271876,
"rgid": 20,
"ruid": 501
},
"session_id": 1,
"signing_id": "org.mozilla.plugincontainer",
"start_time": "2026-06-22T23:03:23.065175Z",
"team_id": "43AQ936H96",
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3654551
},
"time": "2026-06-22T23:22:44.006434380Z",
"version": 10
}
}
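The decoding and the state-keeping described above, applied to eslogger output, as an added example (editor's code, not Apple's ES API and not tooling from this page). It decodes the mmap protection, max_protection and flags fields and the mprotect protection field, then keeps per-(pid, pidversion) state so a region that was made writable and later turns executable is flagged. The VM_PROT bits and the mmap flag subset are taken from the xnu headers as assumptions; the sample records are trimmed versions of the page's mprotect and mmap samples plus two constructed follow-ups, and every pid and path is either from those samples or made up.

```python
"""Added example: decode eslogger NOTIFY_MMAP (20) / NOTIFY_MPROTECT (21) records and
flag W^X violations. Not part of Apple's ESF API or this page's own tooling."""
import json

# VM_PROT_* bits (mach/vm_prot.h)
VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE = 0x1, 0x2, 0x4
# mmap(2) flag bits from macOS sys/mman.h (subset; values assumed from the xnu headers)
MMAP_FLAGS = {0x0001: "MAP_SHARED", 0x0002: "MAP_PRIVATE", 0x0010: "MAP_FIXED",
              0x0800: "MAP_JIT", 0x1000: "MAP_ANON", 0x40000: "MAP_UNIX03"}
NOTIFY_MMAP, NOTIFY_MPROTECT = 20, 21   # es_event_type_t values as seen in the samples


def prot_str(prot):
    """Render a VM_PROT bitmask as rwx text: 3 -> 'rw-', 5 -> 'r-x', 7 -> 'rwx'."""
    bits = (("r", VM_PROT_READ), ("w", VM_PROT_WRITE), ("x", VM_PROT_EXECUTE))
    return "".join(ch if prot & bit else "-" for ch, bit in bits)


def mmap_flags(flags):
    """Name the known mmap flag bits; any unknown remainder is kept as hex."""
    names = [name for bit, name in MMAP_FLAGS.items() if flags & bit]
    rest = flags & ~sum(MMAP_FLAGS)
    return names + ([f"0x{rest:x}"] if rest else [])


class WXTracker:
    """Per (pid, pidversion), remember regions mprotect'd writable and alert when a
    later mprotect makes an overlapping region executable. mmap records carry no
    address, so they are judged on their own bits (W+X protection or MAP_JIT)."""

    def __init__(self):
        self.writable = {}   # (pid, pidversion) -> [(address, size), ...]
        self.alerts = []

    def feed(self, line):
        msg = json.loads(line)["message"]
        tok = msg["process"]["audit_token"]
        key, exe = (tok["pid"], tok["pidversion"]), msg["process"]["executable"]["path"]
        if msg["event_type"] == NOTIFY_MMAP:
            ev = msg["event"]["mmap"]
            prot, flags = ev["protection"], mmap_flags(ev["flags"])
            if (prot & VM_PROT_WRITE and prot & VM_PROT_EXECUTE) or "MAP_JIT" in flags:
                self.alerts.append({"kind": "mmap-wx", "pid": key[0], "exe": exe,
                                    "prot": prot_str(prot), "flags": flags})
        elif msg["event_type"] == NOTIFY_MPROTECT:
            ev = msg["event"]["mprotect"]
            addr, size, prot = ev["address"], ev["size"], ev["protection"]
            regions = self.writable.setdefault(key, [])
            if prot & VM_PROT_EXECUTE and any(a < addr + size and addr < a + s for a, s in regions):
                self.alerts.append({"kind": "w-then-x", "pid": key[0], "exe": exe,
                                    "address": hex(addr), "prot": prot_str(prot)})
            if prot & VM_PROT_WRITE:
                regions.append((addr, size))


FIREFOX = "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container"


def _rec(event_type, event, pid=92909, pidversion=298530, exe=FIREFOX):
    """Constructed, trimmed eslogger record containing only the keys the tracker reads."""
    return json.dumps({"message": {"event_type": event_type, "event": event,
                       "process": {"audit_token": {"pid": pid, "pidversion": pidversion},
                                   "executable": {"path": exe}}}})


SAMPLE_LINES = [
    # values from the page's NOTIFY_MPROTECT sample: a 16 KiB region made read+write
    _rec(21, {"mprotect": {"address": 4858068992, "protection": 3, "size": 16384}}),
    # constructed follow-up: the same region flipped to read+execute
    _rec(21, {"mprotect": {"address": 4858068992, "protection": 5, "size": 16384}}),
    # values from the page's NOTIFY_MMAP sample: read-only file mapping, flags 0x40001
    _rec(20, {"mmap": {"file_pos": 0, "flags": 262145, "max_protection": 1, "protection": 1,
                       "source": {"path": "/Users/admin/Library/Biome/streams/restricted/App.Intent/local/799521575748394"}}},
         pid=827, pidversion=2091, exe="/usr/libexec/duetexpertd"),
    # constructed: anonymous RWX mapping with MAP_PRIVATE|MAP_JIT|MAP_ANON (0x1802)
    _rec(20, {"mmap": {"file_pos": 0, "flags": 0x1802, "max_protection": 7, "protection": 7,
                       "source": None}}),
]


def analyze(lines):
    """Feed eslogger JSON lines through the tracker and return the alerts raised."""
    tracker = WXTracker()
    for line in lines:
        tracker.feed(line)
    return tracker.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Against live data, replace SAMPLE_LINES with lines read from the output of eslogger subscribed to mmap and mprotect; the tracker only reads the keys shown in the trimmed records. Keying on (pid, pidversion) rather than pid alone matters because pidversion changes on exec, so a region recorded for a process is not matched against a later image that reused the PID.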
References #
- Apple Developer Documentation: es_event_mprotect_t https://developer.apple.com/documentation/endpointsecurity/es_event_mprotect_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_EXEC: Process Execution (Auth)
#Description
Fires once the kernel has loaded the new image for an execve(2) or posix_spawn(2) call but before that image begins executing, and an active ESF client subscribed to the event must allow or deny it before the message deadline (a client that misses AUTH deadlines is killed by ESF). The payload carries the fully resolved target process, its arguments and environment, the interpreter script (if any), the working directory, and code-signing metadata.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the new process being executed, carrying executable.path, audit_token, ppid, signing_id, team_id, cdhash, codesigning_flags, and is_platform_binary. |
script | The es_file_t for the script being executed by an interpreter (valid when a script is invoked directly, e.g. ./foo.sh; available at message version 2+). |
cwd | The es_file_t representing the working directory at exec time (message version 3+). |
last_fd | The highest open file descriptor number after exec completed; may exceed the count returned by es_exec_fd_count when ESF caps the fd list (message version 4+). |
dyld_exec_path | The exec path passed to dyld before symlink resolution; the literal path from execve(2)/posix_spawn(2) or the shebang interpreter line (message version 7+, macOS 13.3+). |
image_cputype | The CPU type (cpu_type_t) of the executable image being loaded (message version 6+). |
image_cpusubtype | The CPU subtype (cpu_subtype_t) of the executable image being loaded; the companion to image_cputype (message version 6+). |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_EXEC), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"exec": {
"args": [
"xpcproxy",
"com.apple.WorkflowKit.BackgroundShortcutRunner.D9274865-BE5E-4A84-B081-772EF7335057",
"827"
],
"cwd": {
"path": "/",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 1048576,
"st_gen": 0,
"st_gid": 0,
"st_ino": 2,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 22,
"st_rdev": 0,
"st_size": 704,
"st_uid": 0
}
},
"dyld_exec_path": "/usr/libexec/xpcproxy",
"env": [
"XPC_FLAGS=0x100"
],
"fds": [
{
"fd": 0,
"fdtype": 1
},
{
"fd": 1,
"fdtype": 1
},
{
"fd": 2,
"fdtype": 1
}
],
"image_cpusubtype": -2147483646,
"image_cputype": 16777228,
"last_fd": 2,
"script": null,
"target": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300768,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300768,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:21:32.842747Z",
"team_id": null,
"tty": null
}
}
},
"event_type": 9,
"global_seq_num": 0,
"mach_time": 8833777452940,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300767,
"rgid": 0,
"ruid": 0
},
"cdhash": "D0795D8BCA8F0892188E582BC30A4361228FED4F",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/sbin/launchd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1096,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571497,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1239616,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300767,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.launchd",
"start_time": "2026-06-22T23:21:32.842747Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3668926
},
"time": "2026-06-22T23:21:32.844361216Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_exec_t https://developer.apple.com/documentation/endpointsecurity/es_event_exec_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a Process Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x47.html
- Red Canary mac-monitor wiki: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_AUTH_SIGNAL: Signal Delivery (Auth)
#Description
Fires before a signal is delivered to a process and requires an active ESF client to respond before the kernel sends it. The message's process field is the sender and target is the receiver; the payload identifies the signal number, enabling a client to block signals such as SIGKILL or SIGSTOP aimed at security tooling (process-termination and suspension attacks). The sample's sig 28 is SIGWINCH; signal numbers follow macOS's BSD table, which differs from Linux's for several signals.
Fields #
| Name | Description |
|---|---|
sig | The signal number to be delivered (e.g. SIGKILL, SIGTERM, SIGSTOP). |
target | The es_process_t for the process that will receive the signal. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_SIGNAL), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"signal": {
"instigator": null,
"sig": 28,
"target": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92127,
"pidversion": 296965,
"rgid": 0,
"ruid": 0
},
"cdhash": "3109741DA6031130F46B8481F48B2E877DE291CC",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/su",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 48,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572873,
"st_mode": 35309,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 121904,
"st_uid": 0
}
},
"group_id": 92127,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 92126,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92126,
"pidversion": 296963,
"rgid": 0,
"ruid": 501
},
"ppid": 92126,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 92126,
"signing_id": "com.apple.su",
"start_time": "2026-06-22T22:35:16.129389Z",
"team_id": null,
"tty": {
"path": "/dev/ttys004",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:04.975739000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:36:49.937900000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 905,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:36:49.937900000Z",
"st_nlink": 1,
"st_rdev": 268435460,
"st_size": 0,
"st_uid": 0
}
}
}
}
},
"event_type": 31,
"global_seq_num": 0,
"mach_time": 8855821773392,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92125,
"pidversion": 296962,
"rgid": 0,
"ruid": 501
},
"cdhash": "38D069EDFD9BB51CCD15082DBD35F870A3885D20",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/sudo",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1472,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572875,
"st_mode": 35145,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1580368,
"st_uid": 0
}
},
"group_id": 92125,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 92093,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92093,
"pidversion": 296900,
"rgid": 20,
"ruid": 501
},
"ppid": 92093,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 92092,
"signing_id": "com.apple.sudo",
"start_time": "2026-06-22T22:35:16.091839Z",
"team_id": null,
"tty": {
"path": "/dev/ttys003",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:04.989333000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:36:49.937920000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 901,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:36:49.937920000Z",
"st_nlink": 1,
"st_rdev": 268435459,
"st_size": 0,
"st_uid": 501
}
}
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3637822
},
"time": "2026-06-22T23:36:50.646070224Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_signal_t https://developer.apple.com/documentation/endpointsecurity/es_event_signal_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_EXEC: Process Execution (Notify)
#Description
Fires after execve(2) or posix_spawn(2) succeeds, delivering a post-fact record of the new process. The payload is identical to the AUTH variant and carries the target process, arguments, environment, interpreter script, working directory, and code-signing metadata.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the newly executing process, including executable.path, audit_token, ppid, signing_id, team_id, cdhash, codesigning_flags, and is_platform_binary. |
script | The es_file_t for the script invoked directly by an interpreter (available at message version 2+). |
cwd | The es_file_t representing the working directory at exec time (message version 3+). |
last_fd | The highest open file descriptor number after exec completed (message version 4+). |
dyld_exec_path | The exec path passed to dyld before symlink resolution (message version 7+, macOS 13.3+). |
image_cputype | The CPU type of the executable image being loaded (message version 6+). |
image_cpusubtype | The CPU subtype of the executable image being loaded, paired with image_cputype (message version 6+). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"exec": {
"args": [
"xpcproxy",
"com.apple.WorkflowKit.BackgroundShortcutRunner.D9274865-BE5E-4A84-B081-772EF7335057",
"827"
],
"cwd": {
"path": "/",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 1048576,
"st_gen": 0,
"st_gid": 0,
"st_ino": 2,
"st_mode": 16877,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 22,
"st_rdev": 0,
"st_size": 704,
"st_uid": 0
}
},
"dyld_exec_path": "/usr/libexec/xpcproxy",
"env": [
"XPC_FLAGS=0x100"
],
"fds": [
{
"fd": 0,
"fdtype": 1
},
{
"fd": 1,
"fdtype": 1
},
{
"fd": 2,
"fdtype": 1
}
],
"image_cpusubtype": -2147483646,
"image_cputype": 16777228,
"last_fd": 2,
"script": null,
"target": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300768,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300768,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:21:32.842747Z",
"team_id": null,
"tty": null
}
}
},
"event_type": 9,
"global_seq_num": 0,
"mach_time": 8833777452940,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300767,
"rgid": 0,
"ruid": 0
},
"cdhash": "D0795D8BCA8F0892188E582BC30A4361228FED4F",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/sbin/launchd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1096,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571497,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1239616,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94047,
"pidversion": 300767,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.launchd",
"start_time": "2026-06-22T23:21:32.842747Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3668926
},
"time": "2026-06-22T23:21:32.844361216Z",
"version": 10
}
}
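A triage pass over the exec record above that uses the fields the AUTH_EXEC and NOTIFY_EXEC tables describe (script, dyld_exec_path, env, image_cputype/image_cpusubtype and the target's codesigning_flags), as an added example written by the editor, not Apple's API or anything from this page's tooling. The CPU type constants and the CS_* flag subset are taken from the xnu headers as assumptions. The first sample is the page's xpcproxy record trimmed to the keys read; the other two records, their paths, pids, the ad-hoc signing ID "helper" and the injected dylib path are constructed.

```python
"""Added example: triage an eslogger NOTIFY_EXEC (9) record. Decodes image_cputype /
image_cpusubtype and codesigning_flags and lists the fields worth alerting on."""
import json

CPU_ARCH_ABI64 = 0x01000000          # mach/machine.h
CPU_SUBTYPE_MASK = 0xFF000000        # capability bits, e.g. the ptrauth ABI flag on arm64e
# Subset of CS_* flags from xnu kern/cs_blobs.h (values assumed from the headers)
CS_FLAGS = {0x1: "CS_VALID", 0x2: "CS_ADHOC", 0x4: "CS_GET_TASK_ALLOW", 0x100: "CS_HARD",
            0x200: "CS_KILL", 0x800: "CS_RESTRICT", 0x1000: "CS_ENFORCEMENT",
            0x10000: "CS_RUNTIME", 0x4000000: "CS_PLATFORM_BINARY",
            0x10000000: "CS_DEBUGGED", 0x20000000: "CS_SIGNED"}
SUSPICIOUS_ENV = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")


def arch_name(cputype, cpusubtype):
    """16777228 / -2147483646 (the sample) -> 'arm64e'; 16777223 / 3 -> 'x86_64'."""
    is64 = bool(cputype & CPU_ARCH_ABI64)
    base = {7: "x86", 12: "arm"}.get(cputype & ~CPU_ARCH_ABI64, f"cpu{cputype}")
    sub = (cpusubtype & 0xFFFFFFFF) & ~CPU_SUBTYPE_MASK   # eslogger prints the int signed
    if base == "arm" and is64:
        return {0: "arm64", 1: "arm64_v8", 2: "arm64e"}.get(sub, "arm64")
    return base + ("_64" if is64 else "")


def cs_flag_names(flags):
    return [name for bit, name in CS_FLAGS.items() if flags & bit]


def triage_exec(line):
    msg = json.loads(line)["message"]
    ev, parent = msg["event"]["exec"], msg["process"]
    target = ev["target"]
    exe, flags = target["executable"]["path"], target["codesigning_flags"]
    findings = []
    if ev.get("script"):                       # interpreter run: the script is what executed
        findings.append(f"script: {ev['script']['path']}")
    if ev.get("dyld_exec_path") and ev["dyld_exec_path"] != exe:   # symlink or shebang in play
        findings.append(f"exec-path-mismatch: {ev['dyld_exec_path']} -> {exe}")
    for var in ev.get("env", []):
        if var.split("=", 1)[0] in SUSPICIOUS_ENV:
            findings.append(f"env: {var}")
    if not flags & 0x1:                        # no CS_VALID: unsigned or invalidated code
        findings.append("unsigned-or-invalid-signature")
    elif flags & 0x2 and not target["is_platform_binary"]:
        findings.append("adhoc-signed")
    if flags & 0x4:                            # CS_GET_TASK_ALLOW: task port obtainable
        findings.append("get-task-allow")
    return {"pid": target["audit_token"]["pid"], "exe": exe, "argv": ev["args"],
            "arch": arch_name(ev["image_cputype"], ev["image_cpusubtype"]),
            "cs_flags": cs_flag_names(flags), "signing_id": target["signing_id"],
            "team_id": target["team_id"],
            "parent": (parent["audit_token"]["pid"], parent["executable"]["path"]),
            "findings": findings}


def _exec(args, exe, pid, flags, platform, signing_id, team_id=None, env=(), script=None,
          dyld_exec_path=None, cputype=16777228, cpusubtype=-2147483646):
    """Trimmed es_event_exec_t plus target es_process_t (constructed; only keys used above)."""
    return {"args": list(args), "env": list(env), "script": script,
            "dyld_exec_path": dyld_exec_path or exe, "image_cputype": cputype,
            "image_cpusubtype": cpusubtype,
            "target": {"audit_token": {"pid": pid}, "executable": {"path": exe},
                       "codesigning_flags": flags, "is_platform_binary": platform,
                       "signing_id": signing_id, "team_id": team_id}}


def _rec(exec_event, parent_pid, parent_exe):
    return json.dumps({"message": {"event_type": 9, "event": {"exec": exec_event},
                       "process": {"audit_token": {"pid": parent_pid},
                                   "executable": {"path": parent_exe}}}})


SAMPLE_LINES = [
    # the page's sample: launchd (pre-exec pid 94047) becoming xpcproxy, flags 0x26015B11
    _rec(_exec(["xpcproxy", "com.apple.WorkflowKit.BackgroundShortcutRunner.D9274865-BE5E-4A84-B081-772EF7335057", "827"],
               "/usr/libexec/xpcproxy", 94047, 637623057, True, "com.apple.xpc.proxy",
               env=["XPC_FLAGS=0x100"]), 94047, "/sbin/launchd"),
    # constructed: a shell script run directly, so executable is /bin/sh and script is the file
    _rec(_exec(["/bin/sh", "./.update.sh"], "/bin/sh", 7310, 637623057, True, "com.apple.sh",
               script={"path": "/private/tmp/.update.sh"}), 612, "/bin/zsh"),
    # constructed: ad-hoc signed, debuggable helper launched with a dyld injection variable
    _rec(_exec(["helper"], "/Users/admin/Downloads/Installer.app/Contents/MacOS/helper", 7311,
               0x20000007, False, "helper", env=["DYLD_INSERT_LIBRARIES=/private/tmp/.inj.dylib"]),
         612, "/bin/zsh"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(triage_exec(line)))
```

The checks are deliberately structural rather than name-based: an interpreter script, a literal exec path that differs from the resolved image, dyld injection variables, and a missing CS_VALID or an ad-hoc signature on a non-platform binary all survive the renaming that defeats the process_name indicators listed below.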
Detection Patterns #
- Command & Control: Ingress Tool Transfer (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
process_name | in | bash | 9 rules | elastic, splunk |
process_name | in | sh | 9 rules | elastic, splunk |
process_name | in | zsh | 8 rules | elastic, splunk |
process_name | in | curl | 6 rules | elastic, splunk |
process_name | in | dash | 5 rules | elastic, splunk |
Image | ends_with | /osascript | 7 rules | sigma |
Image | ends_with | /bash | 6 rules | sigma |
Image | ends_with | /curl | 6 rules | sigma |
Image | ends_with | /sh | 6 rules | sigma |
Image | ends_with | /dscl | 5 rules | sigma |
parent_process_name | in | bash | 6 rules | elastic |
parent_process_name | in | sh | 6 rules | elastic |
parent_process_name | in | zsh | 5 rules | elastic |
CommandLine | contains | -e | 4 rules | sigma |
CommandLine | contains | -d | 4 rules | sigma, splunk |
Detection Rules #
Sigma: 71 rules reference this event. Elastic: 45 rules reference this event.
References #
- Apple Developer Documentation: es_event_exec_t https://developer.apple.com/documentation/endpointsecurity/es_event_exec_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a Process Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x47.html
- Red Canary mac-monitor wiki: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_FORK: Process Fork (Notify)
#Description
Fires after fork(2) or vfork(2) creates a child process. The payload carries the child es_process_t, which includes the new PID and the code-signing context inherited from the parent; since no exec has happened yet, the child still reports the parent's image (the sample child, forked by launchd, shows /sbin/launchd as its executable). The following NOTIFY_EXEC event supplies the real image and increments pidversion, so track processes by (pid, pidversion) rather than by PID alone. This event is notify-only and does not support caching.
Fields #
| Name | Description |
|---|---|
child | The es_process_t for the child process that was created, including audit_token, ppid, executable.path, and code-signing fields. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"fork": {
"child": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94059,
"pidversion": 300790,
"rgid": 0,
"ruid": 0
},
"cdhash": "D0795D8BCA8F0892188E582BC30A4361228FED4F",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/sbin/launchd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1096,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571497,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1239616,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 94059,
"pidversion": 300790,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.launchd",
"start_time": "2026-06-22T23:21:42.414524Z",
"team_id": null,
"tty": null
}
}
},
"event_type": 11,
"global_seq_num": 0,
"mach_time": 8834007140912,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"cdhash": "D0795D8BCA8F0892188E582BC30A4361228FED4F",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/sbin/launchd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1096,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312571497,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1239616,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 0,
"parent_audit_token": {
"asid": 0,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 0,
"pidversion": 0,
"rgid": 0,
"ruid": 0
},
"ppid": 0,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.launchd",
"start_time": "2026-06-17T20:19:43.602844Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3669186
},
"time": "2026-06-22T23:21:42.414607824Z",
"version": 10
}
}
Detection Patterns #
- Command & Control: Ingress Tool Transfer (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
process_name | eq | brave.exe | 1 rule | elastic |
process_name | eq | browser.exe | 1 rule | elastic |
process_name | eq | chrome.exe | 1 rule | elastic, splunk |
process_name | eq | curl | 1 rule | elastic, splunk |
process_name | eq | curl.exe | 1 rule | elastic, splunk |
process_name | eq | dragon.exe | 1 rule | elastic |
process_name | eq | firefox.exe | 1 rule | elastic |
process_name | eq | msedge.exe | 1 rule | elastic |
process_name | eq | vivaldi.exe | 1 rule | elastic |
process_name | eq | wget | 1 rule | elastic, splunk |
process_name | eq | wget.exe | 1 rule | elastic |
process_name | eq | whale.exe | 1 rule | elastic |
References #
- Apple Developer Documentation: es_event_fork_t https://developer.apple.com/documentation/endpointsecurity/es_event_fork_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a Process Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x47.html
ES_EVENT_TYPE_NOTIFY_EXIT: Process Exit (Notify)
#Description
Fires after a process terminates. The payload carries the exit status in the same format as wait(2), allowing subscribers to distinguish clean exits, signal-induced terminations, and abnormal terminations. This event is notify-only and does not support caching.
Fields #
| Name | Description |
|---|---|
stat | The exit status of the process in wait(2) format; use WIFEXITED, WIFSIGNALED, and related macros to decode exit code versus terminating signal (the sample's 19968, 0x4E00, decodes to a normal exit with status 78). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"exit": {
"stat": 19968
}
},
"event_type": 15,
"global_seq_num": 13,
"mach_time": 8854990725493,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 95196,
"pidversion": 302953,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 95196,
"pidversion": 302953,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:36:15.999883Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 13,
"thread": {
"thread_id": 3686432
},
"time": "2026-06-22T23:36:16.019384006Z",
"version": 10
}
}
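The fork, exec and exit records above describe one process lifecycle, and the exec sample shows pidversion moving from 300767 to 300768 as launchd's child becomes xpcproxy. The following added example (editor's code, not Apple's API or this page's tooling) replays such records into a table keyed by (pid, pidversion) and decodes the wait(2)-style stat the same way the WIFEXITED/WIFSIGNALED/WIFSTOPPED macros do. The exec record is the page's sample trimmed to the keys read; the fork and exit records around it are constructed to match its pid/pidversion pair, reusing the page's exit status 19968, and the final curl record, its pids and its parent are made up.

```python
"""Added example: follow a process through NOTIFY_FORK (11), NOTIFY_EXEC (9) and
NOTIFY_EXIT (15) eslogger records and decode the wait(2)-style exit status."""
import json

NOTIFY_EXEC, NOTIFY_FORK, NOTIFY_EXIT = 9, 11, 15


def decode_exit_status(stat):
    """Same decoding as the WIFEXITED/WIFSIGNALED/WIFSTOPPED macros: low 7 bits are the
    terminating signal (0 = normal exit, 0x7f = stopped), bit 7 is the core-dump flag, and
    the next byte is the exit code or stop signal. The sample's 19968 (0x4E00) -> exit 78."""
    low, high = stat & 0x7F, (stat >> 8) & 0xFF
    if low == 0:
        return {"how": "exited", "code": high}
    if low == 0x7F:
        return {"how": "stopped", "signal": high}
    return {"how": "signaled", "signal": low, "core_dumped": bool(stat & 0x80)}


class ProcessTable:
    """Live process table keyed by (pid, pidversion). exec bumps pidversion (the page's
    exec sample shows 94047/300767 launchd becoming 94047/300768 xpcproxy), so the key
    distinguishes the pre- and post-exec identities and survives pid reuse."""

    def __init__(self):
        self.live, self.history = {}, []

    @staticmethod
    def key(proc):
        tok = proc["audit_token"]
        return (tok["pid"], tok["pidversion"])

    def _entry(self, proc, argv=None):
        par = proc["parent_audit_token"]
        return {"pid": proc["audit_token"]["pid"], "exe": proc["executable"]["path"],
                "parent": (par["pid"], par["pidversion"]), "argv": argv}

    def feed(self, line):
        msg = json.loads(line)["message"]
        et, proc = msg["event_type"], msg["process"]
        if et == NOTIFY_FORK:
            child = msg["event"]["fork"]["child"]
            self.live[self.key(child)] = self._entry(child)   # still the parent's image
        elif et == NOTIFY_EXEC:
            ev = msg["event"]["exec"]
            self.live.pop(self.key(proc), None)              # pre-exec identity is gone
            self.live[self.key(ev["target"])] = self._entry(ev["target"], ev["args"])
        elif et == NOTIFY_EXIT:
            entry = self.live.pop(self.key(proc), None) or dict(self._entry(proc), unseen=True)
            entry["exit"] = decode_exit_status(msg["event"]["exit"]["stat"])
            self.history.append(entry)


def _proc(pid, pidversion, exe, parent=(1, 721)):
    """Trimmed es_process_t (constructed; only the keys the table reads)."""
    return {"audit_token": {"pid": pid, "pidversion": pidversion},
            "parent_audit_token": {"pid": parent[0], "pidversion": parent[1]},
            "executable": {"path": exe}}


def _rec(event_type, event, proc):
    return json.dumps({"message": {"event_type": event_type, "event": event, "process": proc}})


LAUNCHD, XPCPROXY = "/sbin/launchd", "/usr/libexec/xpcproxy"
SAMPLE_LINES = [
    # constructed fork: launchd's child carries launchd's image, using the pid/pidversion
    # pair that the page's exec sample starts from
    _rec(NOTIFY_FORK, {"fork": {"child": _proc(94047, 300767, LAUNCHD)}},
         _proc(1, 721, LAUNCHD, parent=(0, 0))),
    # the page's exec sample, trimmed: pidversion 300767 -> 300768 as the image changes
    _rec(NOTIFY_EXEC, {"exec": {"args": ["xpcproxy", "com.apple.WorkflowKit.BackgroundShortcutRunner.D9274865-BE5E-4A84-B081-772EF7335057", "827"],
                                "target": _proc(94047, 300768, XPCPROXY)}},
         _proc(94047, 300767, LAUNCHD)),
    # constructed exit for that process, reusing the page's exit sample status 19968
    _rec(NOTIFY_EXIT, {"exit": {"stat": 19968}}, _proc(94047, 300768, XPCPROXY)),
    # constructed exit for a process the table never saw, terminated by SIGKILL (9)
    _rec(NOTIFY_EXIT, {"exit": {"stat": 9}}, _proc(4242, 9001, "/usr/bin/curl", parent=(612, 1700))),
]


def replay(lines):
    table = ProcessTable()
    for line in lines:
        table.feed(line)
    return table


if __name__ == "__main__":
    for entry in replay(SAMPLE_LINES).history:
        print(entry)
```

An exit for a key the table never saw (the curl record here) is still recorded, marked unseen, because a collector that started after the process did, or dropped the fork and exec messages, should not lose the termination. The parent is taken from parent_audit_token rather than ppid so that it, too, is a (pid, pidversion) pair.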
References #
- Apple Developer Documentation: es_event_exit_t https://developer.apple.com/documentation/endpointsecurity/es_event_exit_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SIGNAL: Signal Delivery (Notify)
#Description
Fires after a signal is delivered to a process. The payload carries the signal number and the target process, providing a post-fact record of inter-process signalling that can reveal process-tampering or kill-chain activity.
Fields #
| Name | Description |
|---|---|
sig | The signal number that was delivered (e.g. SIGKILL, SIGTERM, SIGSTOP). |
target | The es_process_t for the process that received the signal. |
instigator | The es_process_t for the process that sent the signal, if applicable (available at message version 9+, macOS 15.4+). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"signal": {
"instigator": null,
"sig": 28,
"target": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92127,
"pidversion": 296965,
"rgid": 0,
"ruid": 0
},
"cdhash": "3109741DA6031130F46B8481F48B2E877DE291CC",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/su",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 48,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572873,
"st_mode": 35309,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 121904,
"st_uid": 0
}
},
"group_id": 92127,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 92126,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92126,
"pidversion": 296963,
"rgid": 0,
"ruid": 501
},
"ppid": 92126,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 92126,
"signing_id": "com.apple.su",
"start_time": "2026-06-22T22:35:16.129389Z",
"team_id": null,
"tty": {
"path": "/dev/ttys004",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:04.975739000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:36:49.937900000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 905,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:36:49.937900000Z",
"st_nlink": 1,
"st_rdev": 268435460,
"st_size": 0,
"st_uid": 0
}
}
}
}
},
"event_type": 31,
"global_seq_num": 0,
"mach_time": 8855821773392,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 92125,
"pidversion": 296962,
"rgid": 0,
"ruid": 501
},
"cdhash": "38D069EDFD9BB51CCD15082DBD35F870A3885D20",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/sudo",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1472,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572875,
"st_mode": 35145,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 1580368,
"st_uid": 0
}
},
"group_id": 92125,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 92093,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92093,
"pidversion": 296900,
"rgid": 20,
"ruid": 501
},
"ppid": 92093,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 92092,
"signing_id": "com.apple.sudo",
"start_time": "2026-06-22T22:35:16.091839Z",
"team_id": null,
"tty": {
"path": "/dev/ttys003",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:36:04.989333000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:36:49.937920000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 901,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:36:49.937920000Z",
"st_nlink": 1,
"st_rdev": 268435459,
"st_size": 0,
"st_uid": 501
}
}
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3637822
},
"time": "2026-06-22T23:36:50.646070224Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_signal_t https://developer.apple.com/documentation/endpointsecurity/es_event_signal_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_PROC_CHECK: Process Info Access Check (Auth)
#Description
Fires before a process retrieves information about another process through proc_info(2), the syscall behind the libproc proc_pidinfo()/proc_listpids() family, and requires an active ESF client to respond before the kernel proceeds. The payload identifies the target process, the proc_info call type and its flavor, so a client can enforce policy on process enumeration and interrogation. As with every AUTH event, the response must arrive before the message deadline (a client that misses it is killed), and this event is high-volume on a normal system, so keep the decision cheap.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose information is being queried. NULL when the call has no single target process (e.g. ES_PROC_CHECK_TYPE_LISTPIDS), so check it before dereferencing. |
type | An es_proc_check_type_t value identifying the proc_info call (e.g. ES_PROC_CHECK_TYPE_LISTPIDS, ES_PROC_CHECK_TYPE_PIDINFO, ES_PROC_CHECK_TYPE_PIDFDINFO). The numeric values mirror the proc_info(2) callnum; the 8 in the sample below is ES_PROC_CHECK_TYPE_DIRTYCONTROL. |
flavor | The flavor argument passed to proc_info, selecting which subset of process information is requested. The values are the PROC_PID* constants from <sys/proc_info.h> and are only meaningful together with type. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_PROC_CHECK), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"proc_check": {
"flavor": 2,
"target": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"type": 8
}
},
"event_type": 86,
"global_seq_num": 0,
"mach_time": 8834785148317,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3669176
},
"time": "2026-06-22T23:22:14.831293042Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_proc_check_t https://developer.apple.com/documentation/endpointsecurity/es_event_proc_check_t
- Apple Developer Documentation: es_proc_check_type_t https://developer.apple.com/documentation/endpointsecurity/es_proc_check_type_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_PROC_CHECK: Process Info Access Check (Notify)
#Description
Fires after a process info access check completes. The payload is identical to the AUTH variant and carries the target process, call type, and flavor, providing a post-fact record of process enumeration or interrogation activity.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose information was queried; NULL when the call had no single target process (e.g. ES_PROC_CHECK_TYPE_LISTPIDS). |
type | An es_proc_check_type_t value identifying the proc_info call type used; the numeric values mirror the proc_info(2) callnum. |
flavor | The flavor argument specifying which subset of process information was requested (PROC_PID* constants from <sys/proc_info.h>). |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"proc_check": {
"flavor": 2,
"target": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"type": 8
}
},
"event_type": 86,
"global_seq_num": 0,
"mach_time": 8834785148317,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"cdhash": "FA63DE333AA28550138FB1ADAA1178B79503E032",
"codesigning_flags": 637631233,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/endpointsecurityd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 168,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575149,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 264384,
"st_uid": 0
}
},
"group_id": 391,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 391,
"pidversion": 1021,
"rgid": 0,
"ruid": 0
},
"session_id": 391,
"signing_id": "com.apple.endpointsecurityd",
"start_time": "2026-06-17T20:22:01.680633Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3669176
},
"time": "2026-06-22T23:22:14.831293042Z",
"version": 10
}
}
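The following Python is an added example, not code from this page or from Apple's SDK, and serves both proc_check sections above. It decodes the type field with the es_proc_check_type_t values from ESTypes.h and flags a non-platform process that either lists all PIDs or reads information on several other processes, which is what a process-enumeration sweep looks like in this event stream. Input is eslogger-style JSON lines; the records in SAMPLE, the com.example.* signing IDs, the min_targets threshold and the make_record helper are constructed for the example and are not captured data.

```python
import json
from collections import defaultdict

# es_proc_check_type_t values (ESTypes.h); they mirror the proc_info(2) callnum.
PROC_CHECK_TYPES = {
    0x1: "LISTPIDS", 0x2: "PIDINFO", 0x3: "PIDFDINFO", 0x4: "KERNMSGBUF",
    0x5: "SETCONTROL", 0x6: "PIDFILEPORTINFO", 0x7: "TERMINATE",
    0x8: "DIRTYCONTROL", 0x9: "PIDRUSAGE", 0xE: "UDATA_INFO",
}
# Call types that read another process's state (the ones a ps-style sweep uses).
READ_TYPES = {"PIDINFO", "PIDFDINFO", "PIDFILEPORTINFO", "PIDRUSAGE"}


def decode(line):
    """Flatten one eslogger proc_check record into the fields the detector uses."""
    msg = json.loads(line)["message"]
    ev = msg["event"]["proc_check"]
    proc = msg["process"]
    target = ev.get("target")  # null when the call has no single target (e.g. LISTPIDS)
    return {
        "initiator": proc.get("signing_id") or proc["executable"]["path"],
        "pid": proc["audit_token"]["pid"],
        "platform": proc["is_platform_binary"],
        "type": PROC_CHECK_TYPES.get(ev["type"], "UNKNOWN(%d)" % ev["type"]),
        "flavor": ev["flavor"],  # PROC_PID* constant from <sys/proc_info.h>
        "target_pid": target["audit_token"]["pid"] if target else None,
    }


def find_sweeps(lines, min_targets=3):
    """Return {(signing_id, pid): {"listpids": n, "targets": [...]}} for non-platform
    initiators that list all PIDs or read info on >= min_targets other processes."""
    stats = defaultdict(lambda: {"listpids": 0, "targets": set()})
    for line in lines:
        r = decode(line)
        if r["platform"]:
            continue  # Apple binaries (Activity Monitor, runningboardd, ...) do this constantly
        key = (r["initiator"], r["pid"])
        if r["type"] == "LISTPIDS":
            stats[key]["listpids"] += 1
        elif r["type"] in READ_TYPES and r["target_pid"] not in (None, r["pid"]):
            stats[key]["targets"].add(r["target_pid"])  # self-inspection is not interesting
    return {
        k: {"listpids": v["listpids"], "targets": sorted(v["targets"])}
        for k, v in stats.items()
        if v["listpids"] or len(v["targets"]) >= min_targets
    }


def make_record(signing_id, platform, pid, type_, flavor, target_pid=None):
    """Constructed test input shaped like eslogger output, trimmed to the fields used above."""
    target = None if target_pid is None else {"audit_token": {"pid": target_pid}}
    msg = {
        "event": {"proc_check": {"type": type_, "flavor": flavor, "target": target}},
        "event_type": 86,
        "process": {
            "signing_id": signing_id,
            "is_platform_binary": platform,
            "audit_token": {"pid": pid},
            "executable": {"path": "/tmp/%s" % signing_id},
        },
    }
    return json.dumps({"message": msg})


SAMPLE = [  # constructed, not captured; flavor 3 is PROC_PIDTBSDINFO
    make_record("com.apple.ActivityMonitor", True, 700, 0x2, 3, 391),
    make_record("com.apple.ActivityMonitor", True, 700, 0x2, 3, 465),
    make_record("com.apple.ActivityMonitor", True, 700, 0x2, 3, 619),
    make_record("com.example.recon", False, 4242, 0x1, 0),        # LISTPIDS, no target
    make_record("com.example.recon", False, 4242, 0x2, 3, 391),
    make_record("com.example.recon", False, 4242, 0x2, 3, 465),
    make_record("com.example.recon", False, 4242, 0x3, 1, 1),     # PIDFDINFO on launchd
    make_record("com.example.recon", False, 4242, 0x2, 3, 4242),  # self, ignored
    make_record("com.example.single", False, 5000, 0x2, 3, 391),  # one target, below threshold
]

if __name__ == "__main__":
    for key, hit in find_sweeps(SAMPLE).items():
        print(key, hit)
```

To run it on live data, feed `eslogger proc_check` output into find_sweeps() line by line; the platform-binary filter is deliberately coarse, since on macOS most proc_info traffic comes from Apple's own daemons, and a real deployment would replace it with an allowlist of signing IDs.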
References #
- Apple Developer Documentation: es_event_proc_check_t https://developer.apple.com/documentation/endpointsecurity/es_event_proc_check_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_CHDIR: Change Directory (AUTH)
#Description
Fires before the kernel allows a process to change its working directory via chdir(2) or fchdir(2). An active ESF client must respond before the kernel proceeds.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the directory that the process intends to make its new working directory. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_CHDIR), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"chdir": {
"target": {
"path": "/System/Volumes/Data/.Spotlight-V100/Store-V2/AC773A71-1C76-4BD0-B095-18E94FEA572A",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T19:42:42.683554174Z",
"st_birthtimespec": "2026-05-12T02:23:32.825214800Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:13:39.475851120Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 308,
"st_ino": 50519419,
"st_mode": 16888,
"st_mtimespec": "2026-06-22T23:13:39.475851120Z",
"st_nlink": 572,
"st_rdev": 0,
"st_size": 18304,
"st_uid": 0
}
}
}
},
"event_type": 51,
"global_seq_num": 0,
"mach_time": 8838569374357,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 308,
"euid": 308,
"pid": 619,
"pidversion": 1496,
"rgid": 308,
"ruid": 308
},
"cdhash": "5C2FC71535C9CED26F9E312FA5AC0C119840E1DE",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 648,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312153710,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 837488,
"st_uid": 0
}
},
"group_id": 619,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 308,
"euid": 308,
"pid": 619,
"pidversion": 1496,
"rgid": 308,
"ruid": 308
},
"session_id": 619,
"signing_id": "com.apple.mds_stores",
"start_time": "2026-06-17T20:22:03.847334Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672437
},
"time": "2026-06-22T23:24:52.505967739Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_chdir_t https://developer.apple.com/documentation/endpointsecurity/es_event_chdir_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_CHDIR: Change Directory (NOTIFY)
#Description
Fires after a process successfully changes its working directory. The payload identifies the new working directory.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the directory that became the new working directory. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"chdir": {
"target": {
"path": "/System/Volumes/Data/.Spotlight-V100/Store-V2/AC773A71-1C76-4BD0-B095-18E94FEA572A",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T19:42:42.683554174Z",
"st_birthtimespec": "2026-05-12T02:23:32.825214800Z",
"st_blksize": 4096,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:13:39.475851120Z",
"st_dev": 16777232,
"st_flags": 0,
"st_gen": 0,
"st_gid": 308,
"st_ino": 50519419,
"st_mode": 16888,
"st_mtimespec": "2026-06-22T23:13:39.475851120Z",
"st_nlink": 572,
"st_rdev": 0,
"st_size": 18304,
"st_uid": 0
}
}
}
},
"event_type": 51,
"global_seq_num": 0,
"mach_time": 8838569374357,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 308,
"euid": 308,
"pid": 619,
"pidversion": 1496,
"rgid": 308,
"ruid": 308
},
"cdhash": "5C2FC71535C9CED26F9E312FA5AC0C119840E1DE",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 648,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312153710,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 837488,
"st_uid": 0
}
},
"group_id": 619,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 308,
"euid": 308,
"pid": 619,
"pidversion": 1496,
"rgid": 308,
"ruid": 308
},
"session_id": 619,
"signing_id": "com.apple.mds_stores",
"start_time": "2026-06-17T20:22:03.847334Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3672437
},
"time": "2026-06-22T23:24:52.505967739Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_chdir_t https://developer.apple.com/documentation/endpointsecurity/es_event_chdir_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_CHROOT: Change Root Directory (AUTH)
#Description
Fires before the kernel allows a process to change its root directory via chroot(2). An active ESF client must respond before the kernel proceeds. chroot(2) requires root and has few legitimate callers on a typical Mac, so a chroot from a non-platform binary is worth alerting on. The classic chroot escape (a root process inside the jail calling chroot(2) again on a subdirectory and then chdir("..") out past the new root) also passes through this event, which makes it the point to block rather than the later chdir calls.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the directory that will become the new root. |
References #
- Apple Developer Documentation: es_event_chroot_t https://developer.apple.com/documentation/endpointsecurity/es_event_chroot_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_CHROOT: Change Root Directory (NOTIFY)
#Description
Fires after a process changes its root directory via chroot(2). The payload identifies the directory that became the new root.
Fields #
| Name | Description |
|---|---|
target | Pointer to the es_file_t for the directory that became the new root. |
References #
- Apple Developer Documentation: es_event_chroot_t https://developer.apple.com/documentation/endpointsecurity/es_event_chroot_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME: Process Suspend / Resume (Auth)
#Description
Fires before the libproc calls pid_suspend(), pid_resume(), or pid_shutdown_sockets() are applied to a target process and requires an active ESF client to respond before the kernel proceeds. Suspending a process or tearing down its sockets is a quiet way to neutralise security tooling without killing it, so a client can use this event to protect its own and other agents' processes. In the sample below, runningboardd (Apple's process-lifecycle daemon) resumes a widget extension, which is the normal baseline for this event.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process being suspended, resumed, or having its sockets shut down. |
type | An es_proc_suspend_resume_type_t value indicating the operation: ES_PROC_SUSPEND_RESUME_TYPE_SUSPEND (0), ES_PROC_SUSPEND_RESUME_TYPE_RESUME (1), or ES_PROC_SUSPEND_RESUME_TYPE_SHUTDOWN_SOCKETS (3); the value 2 is unassigned. |
Example Event #
Captured live on macOS build 25F80. eslogger records only NOTIFY messages, so this AUTH event shows the payload of its NOTIFY sibling (ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME), which carries the same event struct.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"proc_suspend_resume": {
"target": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 863,
"pidversion": 2226,
"rgid": 20,
"ruid": 501
},
"cdhash": "E9D05C9400F1B8879E57B640B614CE918EF2627C",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/Batteries.app/Contents/PlugIns/BatteriesAvocadoWidgetExtension.appex/Contents/MacOS/BatteriesAvocadoWidgetExtension",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 80,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312080087,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 178496,
"st_uid": 0
}
},
"group_id": 863,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 863,
"pidversion": 2226,
"rgid": 20,
"ruid": 501
},
"session_id": 863,
"signing_id": "com.apple.Batteries.BatteriesAvocadoWidgetExtension",
"start_time": "2026-06-17T20:22:08.952396Z",
"team_id": null,
"tty": null
},
"type": 1
}
},
"event_type": 93,
"global_seq_num": 0,
"mach_time": 8855770055153,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 465,
"pidversion": 1077,
"rgid": 0,
"ruid": 0
},
"cdhash": "BB1B177A5814927F34A8239ABE35A03E395CE26C",
"codesigning_flags": 2785106705,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/runningboardd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 32,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575590,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 139952,
"st_uid": 0
}
},
"group_id": 465,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 465,
"pidversion": 1077,
"rgid": 0,
"ruid": 0
},
"session_id": 465,
"signing_id": "com.apple.runningboardd",
"start_time": "2026-06-17T20:22:02.418356Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3686804
},
"time": "2026-06-22T23:36:48.491162831Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_proc_suspend_resume_t https://developer.apple.com/documentation/endpointsecurity/es_event_proc_suspend_resume_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME: Process Suspend / Resume (Notify)
#Description
Fires after pid_suspend(), pid_resume(), or pid_shutdown_sockets() completes on a target process. The payload is identical to the AUTH variant and records which process was affected and which operation was called.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process that was suspended, resumed, or had its sockets shut down. |
type | An es_proc_suspend_resume_type_t value identifying the operation that was performed (SUSPEND = 0, RESUME = 1, SHUTDOWN_SOCKETS = 3); the 1 in the sample below is a RESUME. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"proc_suspend_resume": {
"target": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 863,
"pidversion": 2226,
"rgid": 20,
"ruid": 501
},
"cdhash": "E9D05C9400F1B8879E57B640B614CE918EF2627C",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/System/Library/CoreServices/Batteries.app/Contents/PlugIns/BatteriesAvocadoWidgetExtension.appex/Contents/MacOS/BatteriesAvocadoWidgetExtension",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 80,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312080087,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 178496,
"st_uid": 0
}
},
"group_id": 863,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 863,
"pidversion": 2226,
"rgid": 20,
"ruid": 501
},
"session_id": 863,
"signing_id": "com.apple.Batteries.BatteriesAvocadoWidgetExtension",
"start_time": "2026-06-17T20:22:08.952396Z",
"team_id": null,
"tty": null
},
"type": 1
}
},
"event_type": 93,
"global_seq_num": 0,
"mach_time": 8855770055153,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 465,
"pidversion": 1077,
"rgid": 0,
"ruid": 0
},
"cdhash": "BB1B177A5814927F34A8239ABE35A03E395CE26C",
"codesigning_flags": 2785106705,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/runningboardd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 32,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575590,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 139952,
"st_uid": 0
}
},
"group_id": 465,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 465,
"pidversion": 1077,
"rgid": 0,
"ruid": 0
},
"session_id": 465,
"signing_id": "com.apple.runningboardd",
"start_time": "2026-06-17T20:22:02.418356Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3686804
},
"time": "2026-06-22T23:36:48.491162831Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_proc_suspend_resume_t https://developer.apple.com/documentation/endpointsecurity/es_event_proc_suspend_resume_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_TRACE: Process Tracing Attach (Notify)
#Description
Fires when a process attempts to attach to another process via ptrace(2). The payload identifies the process that will be traced. This event may fire more than once for a single trace attempt and does not support caching. There is no AUTH variant, so tracing can be observed through ESF but not blocked by it.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process that will be attached to (traced) by the initiating process. |
References #
- Apple Developer Documentation: es_event_trace_t https://developer.apple.com/documentation/endpointsecurity/es_event_trace_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE: Remote Thread Creation (Notify)
#Description
Fires when a process creates a thread inside another process's task through the Mach calls thread_create() or thread_create_running(). The payload identifies the target process and, for thread_create_running(), the initial thread state. This event does not support caching, and there is no AUTH variant. A remote thread is the last step of the classic task-port injection chain (task_for_pid(), then mach_vm_allocate()/mach_vm_write(), then thread_create_running()), so correlate it with a preceding GET_TASK event from the same initiator against the same target.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process in which the new thread is being created. |
thread_state | The es_thread_state_t carrying the initial register state for the new thread, present when the thread is created via thread_create_running; NULL when created via thread_create. |
References #
- Apple Developer Documentation: es_event_remote_thread_create_t https://developer.apple.com/documentation/endpointsecurity/es_event_remote_thread_create_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- mac-monitor: Understanding Endpoint Security Framework Events on macOS https://sebastiangogola.me/mac-monitor-understanding-endpoint-security-framework-events-on-macos/
ES_EVENT_TYPE_NOTIFY_GET_TASK: Task Control Port Retrieval (Notify)
#Description
Fires after a process obtains another process's Mach task control port, whether via task_for_pid(), by converting a task identity token, or by having the task exposed to it (the type field records which). The task control port grants full read/write access to the target's address space and the ability to create threads in it, making this event a key indicator of process injection. An AUTH variant (ES_EVENT_TYPE_AUTH_GET_TASK, below) exists for blocking the acquisition.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task control port is being retrieved. |
type | An es_get_task_type_t value indicating how the port was obtained: ES_GET_TASK_TYPE_TASK_FOR_PID, ES_GET_TASK_TYPE_EXPOSE_TASK, or ES_GET_TASK_TYPE_IDENTITY_TOKEN; available at message version 5+. |
References #
- Apple Developer Documentation: es_event_get_task_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Writing a Process Monitor with Apple's Endpoint Security Framework https://objective-see.org/blog/blog_0x47.html
ES_EVENT_TYPE_AUTH_GET_TASK: Task Control Port Retrieval (Auth)
#Description
Fires before a process obtains another process's Mach task control port and requires an active ESF client to respond before the kernel grants access. A task control port gives the requesting process full read/write capability over the target's address space, making this the gate at which process injection can be blocked. Debuggers legitimately take their debuggee's port via task_for_pid(), so a deny policy should exempt a parent acquiring its own child's port, or be scoped to a set of protected targets, rather than denying outright.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task control port is being requested. |
type | An es_get_task_type_t value indicating the mechanism used to obtain the port: ES_GET_TASK_TYPE_TASK_FOR_PID, ES_GET_TASK_TYPE_EXPOSE_TASK, or ES_GET_TASK_TYPE_IDENTITY_TOKEN; available at message version 5+. |
References #
- Apple Developer Documentation: es_event_get_task_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_GET_TASK_NAME: Task Name Port Retrieval (Notify)
#Description
Fires after a process obtains another process's Mach task name port. The name port is the weakest task-port flavor: it allows only basic task_info() queries that identify the task and gives no access to the target's memory or threads. Its retrieval is therefore a weak reconnaissance signal on its own, and there is no AUTH variant.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task name port was retrieved. |
type | An es_get_task_type_t value indicating the mechanism used to obtain the task name port (available at message version 5+). |
References #
- Apple Developer Documentation: es_event_get_task_name_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_name_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_GET_TASK_READ: Task Read Port Retrieval (Auth)
#Description
Fires before a process obtains another process's Mach task read port and requires an active ESF client to respond before the kernel grants access. The read port allows reading, but not writing, the target's address space, so denying it blocks memory- and credential-scraping of protected processes.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task read port is being requested. |
type | An es_get_task_type_t value indicating how the port is being obtained (available at message version 5+). |
References #
- Apple Developer Documentation: es_event_get_task_read_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_read_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_GET_TASK_READ: Task Read Port Retrieval (Notify)
#Description
Fires after a process obtains another process's Mach task read port. The payload is identical to the AUTH variant and records the target process and acquisition method, providing a post-fact record of read-only process memory access.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task read port was retrieved. |
type | An es_get_task_type_t value indicating how the port was obtained (available at message version 5+). |
References #
- Apple Developer Documentation: es_event_get_task_read_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_read_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_GET_TASK_INSPECT: Task Inspect Port Retrieval (Notify)
#Description
Fires after a process obtains another process's Mach task inspect port. The inspect port allows introspection of the task (task_info() and thread enumeration) but can neither read nor write the target's memory, making it lower-risk than the control or read ports, though still a signal of process enumeration. There is no AUTH variant.
Fields #
| Name | Description |
|---|---|
target | The es_process_t for the process whose task inspect port was retrieved. |
type | An es_get_task_type_t value indicating how the port was obtained (available at message version 5+). |
References #
- Apple Developer Documentation: es_event_get_task_inspect_t https://developer.apple.com/documentation/endpointsecurity/es_event_get_task_inspect_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETUID: Process Set Real User ID (setuid)
#Description
Fires after a process calls setuid(2) to change its real user ID. The event carries the uid argument passed to the syscall. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
uid | The uid argument passed to the setuid() syscall. |
References #
- Apple Developer Documentation: es_event_setuid_t https://developer.apple.com/documentation/endpointsecurity/es_event_setuid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_setuid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_setuid_t.html
ES_EVENT_TYPE_NOTIFY_SETGID: Process Set Real Group ID (setgid)
#Description
Fires after a process calls setgid(2) to change its real group ID. The event carries the gid argument passed to the syscall. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
gid | The gid argument passed to the setgid() syscall. |
References #
- Apple Developer Documentation: es_event_setgid_t https://developer.apple.com/documentation/endpointsecurity/es_event_setgid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_setgid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_setgid_t.html
ES_EVENT_TYPE_NOTIFY_SETEUID: Process Set Effective User ID (seteuid)
#Description
Fires after a process calls seteuid(2) to change its effective user ID. The event carries the euid argument passed to the syscall. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
euid | The euid argument passed to the seteuid() syscall. |
References #
- Apple Developer Documentation: es_event_seteuid_t https://developer.apple.com/documentation/endpointsecurity/es_event_seteuid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_seteuid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_seteuid_t.html
ES_EVENT_TYPE_NOTIFY_SETEGID: Process Set Effective Group ID (setegid)
#Description
Fires after a process calls setegid(2) to change its effective group ID. The event carries the egid argument passed to the syscall. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
egid | The egid argument passed to the setegid() syscall. |
References #
- Apple Developer Documentation: es_event_setegid_t https://developer.apple.com/documentation/endpointsecurity/es_event_setegid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_setegid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_setegid_t.html
ES_EVENT_TYPE_NOTIFY_SETREUID: Process Set Real and Effective User IDs (setreuid)
#Description
Fires after a process calls setreuid(2), which atomically sets both the real and effective user IDs. The event carries both the ruid and euid arguments. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
ruid | The ruid argument (target real user ID) passed to the setreuid() syscall. |
euid | The euid argument (target effective user ID) passed to the setreuid() syscall. |
References #
- Apple Developer Documentation: es_event_setreuid_t https://developer.apple.com/documentation/endpointsecurity/es_event_setreuid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_setreuid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_setreuid_t.html
ES_EVENT_TYPE_NOTIFY_SETREGID: Process Set Real and Effective Group IDs (setregid)
#Description
Fires after a process calls setregid(2), which atomically sets both the real and effective group IDs. The event carries both the rgid and egid arguments. This is a notify-only event and does not support caching.
Fields #
| Name | Description |
|---|---|
rgid | The rgid argument (target real group ID) passed to the setregid() syscall. |
egid | The egid argument (target effective group ID) passed to the setregid() syscall. |
References #
- Apple Developer Documentation: es_event_setregid_t https://developer.apple.com/documentation/endpointsecurity/es_event_setregid_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_setregid_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_setregid_t.html
ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED: Code Signature Invalidated
#Description
Fires when the CS_VALID flag is cleared from a process, which happens when the first invalid page is paged in for a process with an otherwise valid code signature or when a process is explicitly invalidated via the csops(CS_OPS_MARKINVALID) syscall. This event does not fire if CS_HARD was set, because CS_HARD prevents the process from going invalid. The struct carries no payload fields beyond the standard message context.
References #
- Apple Developer Documentation: es_event_cs_invalidated_t https://developer.apple.com/documentation/endpointsecurity/es_event_cs_invalidated_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_UIPC_BIND: UNIX Domain Socket Bind
#Description
Fires after a process binds a UNIX-domain socket to a filesystem path, creating the socket file. The payload identifies the target directory, the socket filename, and the file-creation mode.
Fields #
| Name | Description |
|---|---|
dir | The directory in which the socket file is created (es_file_t). |
filename | The name of the socket file being created (es_string_token_t). |
mode | The mode bits applied to the new socket file (mode_t). |
References #
- Apple Developer Documentation: es_event_uipc_bind_t https://developer.apple.com/documentation/endpointsecurity/es_event_uipc_bind_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys: es_event_uipc_bind_t field listing https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_uipc_bind_t.html
ES_EVENT_TYPE_AUTH_UIPC_BIND: UNIX Domain Socket Bind (Authorization)
#Description
Fires before a process binds a UNIX-domain socket to a filesystem path, giving an active ESF client the opportunity to allow or deny the operation before the kernel creates the socket file. The payload carries the same directory, filename, and mode fields as the NOTIFY variant.
Fields #
| Name | Description |
|---|---|
dir | The directory in which the socket file would be created (es_file_t). |
filename | The name of the socket file to be created (es_string_token_t). |
mode | The mode bits that would be applied to the socket file (mode_t). |
References #
- Apple Developer Documentation: es_event_uipc_bind_t https://developer.apple.com/documentation/endpointsecurity/es_event_uipc_bind_t
- Apple Developer Documentation: ES_EVENT_TYPE_AUTH_UIPC_BIND https://developer.apple.com/documentation/endpointsecurity/es_event_type_auth_uipc_bind
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT: UNIX Domain Socket Connect
#Description
Fires after a process connects to a UNIX-domain socket. The payload identifies the socket file being connected to along with the socket's communications domain, type, and protocol.
Fields #
| Name | Description |
|---|---|
file | The socket file the process connected to, i.e. the path the listening side bound (es_file_t). |
type_ | The type of the socket, corresponding to the second argument of socket(2) (e.g. SOCK_STREAM or SOCK_DGRAM). Named type in Apple's C header; the Rust bindings spell it type_ because type is a reserved word. |
domain | The communications domain of the socket, corresponding to the first argument of socket(2) (e.g. AF_UNIX). |
protocol | The protocol of the socket, corresponding to the third argument of socket(2). |
References #
- Apple Developer Documentation: es_event_uipc_connect_t https://developer.apple.com/documentation/endpointsecurity/es_event_uipc_connect_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys: es_event_uipc_connect_t field listing https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_uipc_connect_t.html
ES_EVENT_TYPE_AUTH_UIPC_CONNECT: UNIX Domain Socket Connect (Authorization)
#Description
Fires before a process connects to a UNIX-domain socket, allowing an active ESF client to allow or deny the connection before the kernel proceeds. The payload carries the socket file, domain, type, and protocol fields identical to the NOTIFY variant.
Fields #
| Name | Description |
|---|---|
file | The socket file the process is attempting to connect to (es_file_t). |
domain | The communications domain of the socket, corresponding to the first argument of socket(2). |
type_ | The type of the socket, corresponding to the second argument of socket(2). Named type in Apple's C header; type_ is the Rust bindings' spelling. |
protocol | The protocol of the socket, corresponding to the third argument of socket(2). |
References #
- Apple Developer Documentation: es_event_uipc_connect_t https://developer.apple.com/documentation/endpointsecurity/es_event_uipc_connect_t
- Apple Developer Documentation: ES_EVENT_TYPE_AUTH_UIPC_CONNECT https://developer.apple.com/documentation/endpointsecurity/es_event_type_auth_uipc_connect
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_SETTIME: Set System Time (AUTH)
#Description
Fires before the kernel allows a process to modify the system clock. An active ESF client must respond before the kernel proceeds. This event is not emitted for processes holding the com.apple.private.settime entitlement.
References #
- Apple Developer Documentation: es_event_settime_t https://developer.apple.com/documentation/endpointsecurity/es_event_settime_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_SETTIME: Set System Time (NOTIFY)
#Description
Fires after a process modifies the system clock. This event is not emitted for processes holding the com.apple.private.settime entitlement. System time changes can be used to manipulate log timestamps; when correlating around such an event, rely on the mach_time field of each ES message, which is monotonic and unaffected by wall-clock changes, rather than on the time field.
References #
- Apple Developer Documentation: es_event_settime_t https://developer.apple.com/documentation/endpointsecurity/es_event_settime_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_KEXTLOAD: Kernel Extension Load (Auth)
#Description
Fires before the kernel loads a kernel extension (kext), giving an active ESF client the opportunity to allow or deny the load before the kernel proceeds. The event carries the bundle identifier of the kext being loaded. Modern macOS already gates third-party kexts behind code signing, user approval, and (on Apple silicon) reduced security mode, so this authorization point is the last checkpoint rather than the only one; it still lets a client deny kexts that pass those gates but are not on its own allow list.
Fields #
| Name | Description |
|---|---|
identifier | The signing identifier (bundle identifier) of the kernel extension being loaded. |
References #
- Apple Developer Documentation: es_event_kextload_t https://developer.apple.com/documentation/endpointsecurity/es_event_kextload_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_KEXTLOAD: Kernel Extension Load (Notify)
#Description
Fires after the kernel successfully loads a kernel extension. The event carries the signing identifier of the loaded kext. Subscribers receive this notification after the load has completed and cannot block the operation.
Fields #
| Name | Description |
|---|---|
identifier | The signing identifier (bundle identifier) of the kernel extension that was loaded. |
References #
- Apple Developer Documentation: es_event_kextload_t https://developer.apple.com/documentation/endpointsecurity/es_event_kextload_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD: Kernel Extension Unload (Notify)
#Description
Fires after a kernel extension is successfully unloaded from the kernel. The event carries the signing identifier of the kext that was removed. Monitoring this event alongside kextload provides a complete lifecycle view of kernel module presence.
Fields #
| Name | Description |
|---|---|
identifier | The signing identifier (bundle identifier) of the kernel extension that was unloaded. |
References #
- Apple Developer Documentation: es_event_kextunload_t https://developer.apple.com/documentation/endpointsecurity/es_event_kextunload_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN: IOKit User Client Opened
#Description
Fires after a process calls IOServiceOpen() to open a communications channel with an I/O Kit driver. The event carries the user-client class name and connection type but not the underlying device's product or vendor name; mapping the class back to hardware requires a separate walk of the I/O Registry.
Fields #
| Name | Description |
|---|---|
user_client_type | A uint32 constant specifying the type of connection to create, passed directly to IOServiceOpen() and interpreted only by the target IOService family. |
user_client_class | es_string_token_t holding the I/O Kit (C++) meta class name of the user-client instance being opened (e.g. IOHIDUserClient). |
parent_registry_id | uint64 IOKit registry entry ID of the parent service in the I/O Registry. Present only when message version is 10 or higher. |
parent_path | es_string_token_t path to the parent class in the IOKit device tree (e.g. IOService:/AppleACPIPlatformExpert/...). Present only when message version is 10 or higher. |
References #
- Apple Developer Documentation: es_event_iokit_open_t https://developer.apple.com/documentation/endpointsecurity/es_event_iokit_open_t
- Apple Developer Documentation: ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_notify_iokit_open
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_AUTH_IOKIT_OPEN: IOKit User Client Open (Auth)
#Description
Fires before a process opens a communications channel with an I/O Kit driver via IOServiceOpen(). An active ESF client must respond with ES_AUTH_RESULT_ALLOW or ES_AUTH_RESULT_DENY before the kernel proceeds; denying makes the IOServiceOpen() call fail, which lets a client block user-space access to a driver family (for example, refusing HID user clients to processes that have no business reading input events).
Fields #
| Name | Description |
|---|---|
user_client_type | A uint32 constant specifying the type of connection to create, passed directly to IOServiceOpen() and interpreted only by the target IOService family. |
user_client_class | es_string_token_t holding the I/O Kit (C++) meta class name of the user-client instance to be opened (e.g. IOHIDUserClient). |
parent_registry_id | uint64 IOKit registry entry ID of the parent service in the I/O Registry. Present only when message version is 10 or higher. |
parent_path | es_string_token_t path to the parent class in the IOKit device tree. Present only when message version is 10 or higher. |
References #
- Apple Developer Documentation: es_event_iokit_open_t https://developer.apple.com/documentation/endpointsecurity/es_event_iokit_open_t
- Apple Developer Documentation: ES_EVENT_TYPE_AUTH_IOKIT_OPEN https://developer.apple.com/documentation/endpointsecurity/es_event_type_auth_iokit_open
- Apple Developer Forums: AUTH_IOKIT_OPEN limitations and IOKit registry workarounds https://developer.apple.com/forums/thread/671193
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
ES_EVENT_TYPE_NOTIFY_PTY_GRANT: Pseudoterminal Device Granted
#Description
Fires when the kernel grants a pseudoterminal (PTY) to a process, which happens whenever something allocates an interactive terminal: a new Terminal tab, an interactive SSH session (an ssh invocation that runs a single command without -t allocates none), or a reverse shell that post-exploitation tooling upgrades to a full TTY (for example with python's pty.spawn or script(1)). The event carries the device number (dev_t) of the granted PTY.
Fields #
| Name | Description |
|---|---|
dev | dev_t encoding the major and minor device numbers that identify the pseudoterminal master device being granted. |
References #
- Apple Developer Documentation: es_event_pty_grant_t https://developer.apple.com/documentation/endpointsecurity/es_event_pty_grant_t
- Apple Developer Documentation: ES_EVENT_TYPE_NOTIFY_PTY_GRANT https://developer.apple.com/documentation/endpointsecurity/es_event_type_notify_pty_grant
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
ES_EVENT_TYPE_NOTIFY_PTY_CLOSE: Pseudoterminal Device Closed
#Description
Fires when a pseudoterminal control device is closed, marking the end of a terminal session or remote shell. Pairing this event with the corresponding PTY_GRANT event via the device number lets a client track the full lifetime of each PTY session.
Fields #
| Name | Description |
|---|---|
dev | dev_t encoding the major and minor device numbers of the pseudoterminal master device being closed. Matches the dev value from the corresponding PTY_GRANT event. |
References #
- Apple Developer Documentation: es_event_pty_close_t https://developer.apple.com/documentation/endpointsecurity/es_event_pty_close_t
- Apple Developer Documentation: ES_EVENT_TYPE_NOTIFY_PTY_CLOSE https://developer.apple.com/documentation/endpointsecurity/es_event_type_notify_pty_close
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: Endpoint Security Overview https://github.com/redcanaryco/mac-monitor/wiki/5.-Endpoint-Security-Overview
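Pairing PTY_GRANT with PTY_CLOSE means matching dev values and, for a readable report, decoding dev_t into major and minor numbers. The block below is an added example (not Apple's code or any project's): the event stream is constructed in the JSON layout of the captures on this page (message.event.<family>, message.process.*, message.time), and the only real value in it is 268435461, the st_rdev of /dev/ttys005 in the su capture further down; the ttysNNN naming from the minor number is this example's assumption, checked only against that one capture.

```python
"""Decode ES dev_t values and pair PTY_GRANT with PTY_CLOSE into sessions.

Added example, not Apple's code or any project's. The event stream is
constructed in the JSON layout of the captures on this page; the one real
value is 268435461, the st_rdev of /dev/ttys005 in the su capture.
"""
from datetime import datetime, timezone


def decode_dev(dev: int) -> tuple[int, int]:
    """(major, minor) of a dev_t from pty_grant.dev, pty_close.dev or tty.stat.st_rdev.

    macOS <sys/types.h>: major() is the top 8 bits, minor() the low 24. Masking to
    32 bits also copes with serialisers that emit dev_t as a signed int (the su
    capture on this page shows st_dev = -1278915369 for exactly that reason)."""
    dev &= 0xFFFFFFFF
    return (dev >> 24) & 0xFF, dev & 0xFFFFFF


def parse_es_time(ts: str) -> datetime:
    """ES JSON timestamps carry nanoseconds; datetime stores microseconds."""
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(head).replace(
        microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def track_pty_sessions(messages):
    """Pair each PTY_GRANT with the PTY_CLOSE carrying the same dev value.

    Returns (closed_sessions, open_by_dev). A close with no matching grant is
    reported with pid/path None: that PTY predates the client's subscription."""
    open_by_dev, closed = {}, []
    for msg in messages:
        ev, proc = msg["event"], msg["process"]
        if "pty_grant" in ev:
            dev = ev["pty_grant"]["dev"]
            open_by_dev[dev] = {"dev": decode_dev(dev), "pid": proc["audit_token"]["pid"],
                                "path": proc["executable"]["path"],
                                "opened": parse_es_time(msg["time"])}
        elif "pty_close" in ev:
            dev = ev["pty_close"]["dev"]
            session = open_by_dev.pop(dev, None) or {"dev": decode_dev(dev), "pid": None,
                                                      "path": None, "opened": None}
            session["closed"] = parse_es_time(msg["time"])
            session["seconds"] = (None if session["opened"] is None
                                  else (session["closed"] - session["opened"]).total_seconds())
            closed.append(session)
    return closed, open_by_dev


def _msg(time, pid, path, family, dev):
    # Only the fields read above; a real message carries the whole envelope.
    return {"time": time, "event": {family: {"dev": dev}},
            "process": {"audit_token": {"pid": pid}, "executable": {"path": path}}}


SAMPLE_STREAM = [  # constructed
    _msg("2026-06-22T23:21:30.000000000Z", 94036, "/bin/zsh", "pty_grant", 268435461),
    _msg("2026-06-22T23:22:00.500000000Z", 94100, "/usr/bin/python3", "pty_grant", 268435463),
    _msg("2026-06-22T23:28:43.168698000Z", 94036, "/bin/zsh", "pty_close", 268435461),
]

if __name__ == "__main__":
    done, still_open = track_pty_sessions(SAMPLE_STREAM)
    for s in done:  # /dev/ttysNNN from the minor number: assumption verified on one capture
        print(f"/dev/ttys{s['dev'][1]:03d} pid={s['pid']} {s['path']} {s['seconds']:.1f}s")
    for s in still_open.values():
        print(f"still open: /dev/ttys{s['dev'][1]:03d} pid={s['pid']} {s['path']}")
```

The session that is never closed (the python3 PTY here) is the interesting one in an investigation: a long-lived PTY held by something that is not a terminal emulator or sshd is the shape of an upgraded reverse shell.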
ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN: OpenSSH Login
#Description
Fires when an SSH connection is authenticated via OpenSSH, reporting whether the login succeeded and the reason if it did not. A single SSH connection that hosts multiple sessions emits only one event. This event does not support caching and cannot be used for authorization.
Fields #
| Name | Description |
|---|---|
success | True if the login attempt was successful, false otherwise. |
result_type | The specific result type for the login attempt (es_openssh_login_result_type_t), distinguishing reasons for success or failure. |
source_address_type | The address family of the source address (es_address_type_t), indicating whether the address is IPv4 or IPv6. |
source_address | The source IP address of the incoming SSH connection (es_string_token_t). |
username | The username supplied during the login attempt (es_string_token_t). |
has_uid | True when the uid field contains a valid value; false if the user does not exist locally or the uid could not be resolved. |
uid | The uid of the user that logged in, valid only when has_uid is true (anonymous union member, uid_t). |
References #
- Apple Developer Documentation: es_event_openssh_login_t https://developer.apple.com/documentation/endpointsecurity/es_event_openssh_login_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys: es_event_openssh_login_t field listing https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_openssh_login_t.html
ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT: OpenSSH Logout
#Description
Fires when an SSH session terminates via OpenSSH, reporting the user and source address of the connection that ended. This event does not support caching and cannot be used for authorization.
Fields #
| Name | Description |
|---|---|
source_address_type | The address family of the source address (es_address_type_t), indicating whether the address is IPv4 or IPv6. |
source_address | The source IP address of the SSH connection that terminated (es_string_token_t). |
username | The username of the user who logged out (es_string_token_t). |
uid | The uid of the user who was logged out (uid_t). |
References #
- Apple Developer Documentation: es_event_openssh_logout_t https://developer.apple.com/documentation/endpointsecurity/es_event_openssh_logout_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys: Endpoint Security raw Rust bindings https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/
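Two detections fall straight out of the OPENSSH_LOGIN fields: a success from a source address that already produced a run of failures, and a run of failures for usernames that have no local account (has_uid false). The block below is an added example, not Apple's code or any project's; its events are constructed in the JSON layout of the captures on this page (message.event.openssh_login.*), with addresses from the documentation ranges and made-up usernames, and the thresholds are arbitrary defaults.

```python
"""Brute-force and username-enumeration checks over NOTIFY_OPENSSH_LOGIN events.

Added example, not Apple's code or any project's. Events are constructed in
the JSON layout of the captures on this page; addresses and usernames are
made up.
"""
from collections import defaultdict


def _login(success, username, source_address, has_uid, uid=None):
    # Only the fields read below; a real message carries the whole envelope.
    ev = {"success": success, "username": username,
          "source_address": source_address, "has_uid": has_uid}
    if has_uid:  # uid is an anonymous union member, present only when has_uid is true
        ev["uid"] = uid
    return {"event": {"openssh_login": ev}}


SAMPLE_LOGINS = (  # constructed
    [_login(False, "admin", "198.51.100.23", True, 501) for _ in range(5)]
    + [_login(True, "admin", "198.51.100.23", True, 501)]
    + [_login(False, u, "203.0.113.9", False) for u in ("oracle", "git", "test")]
    + [_login(True, "admin", "192.0.2.7", True, 501)]
)


def login_uid(ev):
    """Read uid the way the struct demands: only when has_uid says it is valid."""
    return ev["uid"] if ev["has_uid"] else None


def analyze_ssh_logins(messages, fail_threshold=5, enum_threshold=3):
    """Return (per-source stats, findings).

    Findings, both derivable from the login event alone:
      * a success from an address that already produced >= fail_threshold
        failures (password guessing that eventually worked);
      * >= enum_threshold distinct usernames from one address that resolve to
        no local account (has_uid false): enumeration or a wordlist run."""
    stats = defaultdict(lambda: {"failed": 0, "unknown_users": set(), "successes": []})
    findings = []
    for msg in messages:
        ev = msg["event"].get("openssh_login")
        if ev is None:
            continue
        addr = ev["source_address"]
        s = stats[addr]
        if ev["success"]:
            s["successes"].append((ev["username"], login_uid(ev)))
            if s["failed"] >= fail_threshold:
                findings.append(f"{addr}: login as {ev['username']} (uid {login_uid(ev)}) "
                                f"after {s['failed']} failures: likely brute force")
            continue
        s["failed"] += 1
        if login_uid(ev) is None:
            s["unknown_users"].add(ev["username"])
    for addr, s in stats.items():
        if len(s["unknown_users"]) >= enum_threshold:
            findings.append(f"{addr}: {len(s['unknown_users'])} non-existent usernames tried: "
                            f"enumeration ({', '.join(sorted(s['unknown_users']))})")
    return stats, findings


if __name__ == "__main__":
    for line in analyze_ssh_logins(SAMPLE_LOGINS)[1]:
        print(line)
```

Because one SSH connection with several sessions emits a single login event, the failure counts here are per connection attempt, which is the unit a brute-force tool actually spends.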
ES_EVENT_TYPE_NOTIFY_XPC_CONNECT: XPC Service Connection
#Description
Fires when a process establishes a connection to a named XPC service, reporting the service name and the domain type in which that service resides. This event generates high volume and does not support caching.
Fields #
| Name | Description |
|---|---|
service_name | The name of the XPC service being connected to (es_string_token_t). |
service_domain_type | The type of XPC domain in which the service resides (es_xpc_domain_type_t). Values include ES_XPC_DOMAIN_TYPE_SYSTEM, ES_XPC_DOMAIN_TYPE_USER, ES_XPC_DOMAIN_TYPE_USER_LOGIN, ES_XPC_DOMAIN_TYPE_SESSION, ES_XPC_DOMAIN_TYPE_PID, ES_XPC_DOMAIN_TYPE_MANAGER, ES_XPC_DOMAIN_TYPE_PORT, and ES_XPC_DOMAIN_TYPE_GUI. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"xpc_connect": {
"service_domain_type": 1,
"service_name": "com.apple.system.opendirectoryd.libinfo"
}
},
"event_type": 145,
"global_seq_num": 0,
"mach_time": 8860281854848,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 95793,
"pidversion": 304080,
"rgid": 0,
"ruid": 0
},
"cdhash": "CCE5A9291F9EDF6CF64C40599E481EE7BB5E2A38",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/xpcproxy",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 128,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575884,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 233312,
"st_uid": 0
}
},
"group_id": 1,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 95793,
"pidversion": 304080,
"rgid": 0,
"ruid": 0
},
"session_id": 1,
"signing_id": "com.apple.xpc.proxy",
"start_time": "2026-06-22T23:39:54.308117Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3689432
},
"time": "2026-06-22T23:39:54.320888339Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_xpc_connect_t https://developer.apple.com/documentation/endpointsecurity/es_event_xpc_connect_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys: es_xpc_domain_type_t constants https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_xpc_domain_type_t.html
- mac-wheres-my-bootstrap: XPC exploit detection using ES_EVENT_TYPE_NOTIFY_XPC_CONNECT https://github.com/Brandon7CC/mac-wheres-my-bootstrap
ES_EVENT_TYPE_NOTIFY_AUTHENTICATION: Authentication Attempt
#Description
Fires when an authentication attempt is made via OpenDirectory, TouchID, token, or Auto Unlock (Apple Watch). The event records whether the attempt succeeded and carries type-specific data in a union describing the authenticating party and credentials used.
Fields #
| Name | Description |
|---|---|
success | True if authentication was successful. |
type | The authentication mechanism: one of od (OpenDirectory), touchid, token, or auto_unlock. |
data.od.instigator | For od type: pointer to the process that initiated the OD authentication (XPC caller). |
data.od.record_type | For od type: OD record type being authenticated against, typically 'Users'. |
data.od.record_name | For od type: OD record name, which is the username when record_type is 'Users'. |
data.od.node_name | For od type: OD node path, typically '/Local/Default', '/LDAPv3/<server>', or '/Active Directory/<domain>'. |
data.touchid.instigator | For touchid type: the XPC caller requesting TouchID authentication. |
data.touchid.touchid_mode | For touchid type: the TouchID authentication mode (verification or identification). |
data.touchid.has_uid / data.touchid.uid | For touchid type: the uid of the user that was identified; uid is valid only when has_uid is true. |
data.token.instigator | For token type: the XPC caller requesting token (smart card) authentication. |
data.token.pubkey_hash | For token type: hash of the public key that authenticated. |
data.token.token_id | For token type: identifier of the token used. |
data.token.kerberos_principal | For token type: Kerberos principal associated with the token, if any. |
data.auto_unlock.username | For auto_unlock type: username of the account being unlocked. |
data.auto_unlock.type | For auto_unlock type: whether the Apple Watch unlocked the machine or answered an authorization prompt (es_auto_unlock_type_t). |
References #
- Apple Developer Documentation: es_event_authentication_t https://developer.apple.com/documentation/endpointsecurity/es_event_authentication_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor wiki: Endpoint Security System DYLIB https://github.com/Brandon7CC/mac-monitor/wiki/7.-Endpoint-Security-System-DYLIB
ES_EVENT_TYPE_NOTIFY_SU: su Command Execution
#Description
Fires when the su(1) command makes a policy decision. The event records the outcome, the initiating user and their UID, the target username and optional UID on success, and the shell and arguments that su would invoke. Because su is a user-space binary, an attacker could substitute a different binary to evade this event.
Fields #
| Name | Description |
|---|---|
success | True if su succeeded in switching the user context. |
failure_message | Optional string describing the reason su was rejected; present when success is false. |
from_uid | UID of the user who invoked su. |
from_username | Username of the user who invoked su. |
has_to_uid | True if the to_uid field is populated (set on success). |
to_uid | UID of the target user context; valid only when has_to_uid is true. |
to_username | Username of the target account su is switching to. |
shell | Path to the shell that su will execute on success. |
argc | The number of argument tokens in the argv array. |
argv | Arguments passed to the shell; argc holds the element count. |
env_count | The number of environment-variable tokens in the env array. |
env | The environment variables su passes to the invoked shell on success; env_count holds the element count. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"su": {
"argc": 3,
"argv": [
"zsh",
"-c",
"true"
],
"env": [
"SHELL=/bin/zsh",
"COLORTERM=truecolor",
"SUDO_GID=0",
"HVPOST=0.6",
"SSH_AUTH_SOCK=/var/run/com.apple.launchd.9d7dSGoiJl/Listeners",
"SUDO_COMMAND=./run_capture.sh",
"SUDO_USER=admin",
"PRE=5",
"SUDO_TTY=/dev/ttys004",
"PWD=/Users/admin/Claude Code/macos_validation",
"LOGNAME=root",
"_=/usr/bin/su",
"SUDO_HOME=/var/root",
"HOME=/Users/admin",
"LANG=en_US.UTF-8",
"TERM=xterm-256color",
"USER=admin",
"POST=2",
"SHLVL=2",
"PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/pkg/env/global/bin:/Applications/VMware Fusion.app/Contents/Public:/Users/admin/.local/bin:/Users/admin/.cache/lm-studio/bin:/Applications/010 Editor.app/Contents/CmdLine:/Users/admin/.local/bin",
"SUDO_UID=0",
"MAIL=/var/mail/root",
"__CF_USER_TEXT_ENCODING=0x0:0:0"
],
"env_count": 23,
"failure_message": null,
"from_uid": 0,
"from_username": "root",
"shell": "/bin/zsh",
"success": true,
"to_uid": 501,
"to_username": "admin"
}
},
"event_type": 128,
"global_seq_num": 0,
"mach_time": 8844244256372,
"process": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 94798,
"pidversion": 302183,
"rgid": 20,
"ruid": 501
},
"cdhash": "3109741DA6031130F46B8481F48B2E877DE291CC",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/bin/su",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 48,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312572873,
"st_mode": 35309,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 121904,
"st_uid": 0
}
},
"group_id": 94798,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 94797,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 0,
"pid": 94797,
"pidversion": 302182,
"rgid": 0,
"ruid": 0
},
"ppid": 94797,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 94036,
"signing_id": "com.apple.su",
"start_time": "2026-06-22T23:28:48.250668Z",
"team_id": null,
"tty": {
"path": "/dev/ttys005",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:21:30.000000000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:28:43.168698000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 1053,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:28:43.168698000Z",
"st_nlink": 1,
"st_rdev": 268435461,
"st_size": 0,
"st_uid": 0
}
}
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3676186
},
"time": "2026-06-22T23:28:48.253842202Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_su_t https://developer.apple.com/documentation/endpointsecurity/es_event_su_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_su_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_su_t.html
- Red Canary mac-monitor wiki: ES User Space Eventing https://github.com/Brandon7CC/mac-monitor/wiki/9.-ES-User-Space-Eventing
ES_EVENT_TYPE_NOTIFY_SUDO: sudo Command Execution
#Description
Fires when sudo(8) has decided whether to allow or deny an elevation request. The event records the outcome, rejection detail on failure (which sudo plugin refused and its message), the invoking user, the target user, and the command sudo would run. The from_uid and to_uid values are only valid when the matching has_from_uid / has_to_uid flag is set, so consumers should fall back to the username fields otherwise. This event is emitted from user space by Apple's sudo binary itself rather than enforced by the kernel: an elevation path that does not go through that binary (another setuid program, or a process that already holds root) produces no NOTIFY_SUDO, so treat it as an audit signal and correlate it with exec and setuid telemetry rather than as a complete record of privilege elevation.
Fields #
| Name | Description |
|---|---|
success | True if sudo granted the elevation request. |
reject_info | Optional pointer to rejection detail (es_sudo_reject_info_t: plugin_name, plugin_type, failure_message); populated only when success is false. |
from_username | Username of the user who invoked sudo; may be empty. |
has_from_uid | True if from_uid is populated. |
from_uid | UID of the invoking user; valid only when has_from_uid is true. |
to_username | Username of the target account sudo will run the command as; may be empty. |
has_to_uid | True if to_uid is populated. |
to_uid | UID of the target account; valid only when has_to_uid is true. |
command | The command string sudo will execute on success; optional and may be empty. |
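Worked example (added here; not code from this catalog, from Apple's SDK or from the referenced projects). It consumes NOTIFY_SUDO messages serialised in the layout the example events on this page use (message.time plus message.event.<family>); the `sudo` event key, the reject_info object keys and the sample dumps are constructed assumptions, and the plugin_type value is made up. It honours the has_from_uid / has_to_uid guards, reports rejection bursts per invoking user (a password-guessing signal) and lists successful elevations to root, using the uid when it is valid and the username otherwise.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(ts):
    """Parse this page's RFC 3339 UTC timestamps (nanosecond fraction) to datetime."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def normalise_sudo(dump):
    """Flatten message.event.sudo, honouring the has_from_uid/has_to_uid guards."""
    msg = dump["message"]
    ev = msg["event"].get("sudo")          # event key assumed, see lead-in
    if ev is None:
        return None
    reject = ev.get("reject_info") or {}
    return {
        "time": parse_ts(msg["time"]),
        "success": bool(ev["success"]),
        "from_user": ev.get("from_username") or "<unknown>",
        "from_uid": ev.get("from_uid") if ev.get("has_from_uid") else None,
        "to_user": ev.get("to_username") or "<unknown>",
        "to_uid": ev.get("to_uid") if ev.get("has_to_uid") else None,
        "command": ev.get("command") or "",
        "reject_plugin": reject.get("plugin_name"),
        "reject_reason": reject.get("failure_message"),
    }


def failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Map from_user -> largest number of rejections seen inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_user[e["from_user"]].append(e["time"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):      # two-pointer sliding window
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def root_elevations(events):
    """Successful elevations to root: by uid when has_to_uid was set, else by name."""
    out = []
    for e in events:
        if not e["success"]:
            continue
        is_root = (e["to_uid"] == 0) if e["to_uid"] is not None else (e["to_user"] == "root")
        if is_root:
            out.append((e["from_user"], e["command"]))
    return out


def analyse(dumps):
    events = [n for n in (normalise_sudo(d) for d in dumps) if n]
    return {"bursts": failure_bursts(events), "root": root_elevations(events)}


def _dump(ts, **sudo):
    """Constructed dump in this page's layout: message.time and message.event.sudo."""
    return {"message": {"time": ts, "event": {"sudo": sudo}}}


# Constructed reject detail; keys follow es_sudo_reject_info_t, values are made up.
REJECT = {"plugin_name": "sudoers", "plugin_type": 2,
          "failure_message": "incorrect password attempt"}
ALICE = dict(from_username="alice", has_from_uid=True, from_uid=501,
             to_username="root", has_to_uid=True, to_uid=0, command="/bin/bash")
SAMPLE_DUMPS = [
    _dump("2026-06-22T23:40:01.000000000Z", success=False, reject_info=REJECT, **ALICE),
    _dump("2026-06-22T23:40:05.000000000Z", success=False, reject_info=REJECT, **ALICE),
    _dump("2026-06-22T23:40:09.000000000Z", success=False, reject_info=REJECT, **ALICE),
    _dump("2026-06-22T23:40:12.000000000Z", success=True, reject_info=None, **ALICE),
    # has_to_uid false: to_uid must be ignored and the username used instead
    _dump("2026-06-22T23:40:20.000000000Z", success=True, reject_info=None,
          from_username="bob", has_from_uid=True, from_uid=502,
          to_username="root", has_to_uid=False, to_uid=0, command="/usr/bin/id"),
    _dump("2026-06-22T23:40:30.000000000Z", success=False, reject_info=REJECT,
          from_username="carol", has_from_uid=False, from_uid=0,
          to_username="root", has_to_uid=True, to_uid=0, command="/usr/bin/true"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_DUMPS))
```

On the constructed input, analyse() reports a burst of three rejections for alice and two root elevations (alice's /bin/bash and bob's /usr/bin/id, the latter matched by username because has_to_uid was false). Because the event is raised by sudo itself, a quiet period is not evidence that no elevation happened; join on the invoking pid with exec telemetry before drawing that conclusion.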
References #
- Apple Developer Documentation: es_event_sudo_t https://developer.apple.com/documentation/endpointsecurity/es_event_sudo_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_sudo_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_sudo_t.html
- Red Canary mac-monitor wiki: ES User Space Eventing https://github.com/Brandon7CC/mac-monitor/wiki/9.-ES-User-Space-Eventing
ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN: LoginWindow Session Login
#Description
Fires when the LoginWindow daemon logs a user into a graphical session. The event carries the short username and a graphical session identifier that correlates subsequent session events.
Fields #
| Name | Description |
|---|---|
username | Short username of the user who logged in. |
graphical_session_id | Opaque integer identifying the graphical session; use it to correlate login, logout, lock, and unlock events for the same session. |
References #
- Apple Developer Documentation: es_event_lw_session_login_t https://developer.apple.com/documentation/endpointsecurity/es_event_lw_session_login_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor wiki: Endpoint Security System DYLIB https://github.com/Brandon7CC/mac-monitor/wiki/7.-Endpoint-Security-System-DYLIB
ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT: LoginWindow Session Logout
#Description
Fires when the LoginWindow daemon logs a user out of a graphical session. The event carries the short username and the graphical session identifier matching the corresponding login event.
Fields #
| Name | Description |
|---|---|
username | Short username of the user who logged out. |
graphical_session_id | Opaque integer identifying the graphical session being terminated. |
References #
- Apple Developer Documentation: es_event_lw_session_logout_t https://developer.apple.com/documentation/endpointsecurity/es_event_lw_session_logout_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor wiki: Endpoint Security System DYLIB https://github.com/Brandon7CC/mac-monitor/wiki/7.-Endpoint-Security-System-DYLIB
ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK: LoginWindow Session Lock
#Description
Fires when the LoginWindow daemon locks a graphical session (screen lock). The event carries the short username and graphical session identifier for the session being locked.
Fields #
| Name | Description |
|---|---|
username | Short username of the user whose session is being locked. |
graphical_session_id | Opaque integer identifying the graphical session being locked. |
References #
- Apple Developer Documentation: es_event_lw_session_lock_t https://developer.apple.com/documentation/endpointsecurity/es_event_lw_session_lock_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor wiki: Endpoint Security System DYLIB https://github.com/Brandon7CC/mac-monitor/wiki/7.-Endpoint-Security-System-DYLIB
ES_EVENT_TYPE_NOTIFY_LW_SESSION_UNLOCK: LoginWindow Session Unlock
#Description
Fires when the LoginWindow daemon unlocks a graphical session. The event carries the short username and graphical session identifier for the session being unlocked.
Fields #
| Name | Description |
|---|---|
username | Short username of the user whose session is being unlocked. |
graphical_session_id | Opaque integer identifying the graphical session being unlocked. |
References #
- Apple Developer Documentation: es_event_lw_session_unlock_t https://developer.apple.com/documentation/endpointsecurity/es_event_lw_session_unlock_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor wiki: Endpoint Security System DYLIB https://github.com/Brandon7CC/mac-monitor/wiki/7.-Endpoint-Security-System-DYLIB
ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH: Screen Sharing Session Attached
#Description
Fires when the screensharingd daemon attaches a remote viewer to a graphical session. The event records whether the attach succeeded, the source address and type, the authentication method and username, and whether a user session was already active on the target.
Fields #
| Name | Description |
|---|---|
success | True if Screen Sharing successfully attached to the session. |
source_address_type | Address family of the incoming connection (es_address_type_t: none, IPv4, IPv6, or named socket). |
source_address | Source address of the connection; empty when the transport does not expose one. |
viewer_appleid | Apple ID of the viewer when the session was initiated via Messages or FaceTime; empty otherwise. |
authentication_type | Authentication method used to connect (e.g., 'Password', 'Apple ID'). |
authentication_username | Username supplied during authentication; empty when the method does not use a username. |
session_username | Username of the LoginWindow session being shared; empty when unavailable. |
existing_session | True if a user session already existed on the target machine when the viewer attached. |
graphical_session_id | Opaque identifier for the graphical session being shared. |
References #
- Apple Developer Documentation: es_event_screensharing_attach_t https://developer.apple.com/documentation/endpointsecurity/es_event_screensharing_attach_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_screensharing_attach_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_screensharing_attach_t.html
ES_EVENT_TYPE_NOTIFY_SCREENSHARING_DETACH: Screen Sharing Session Detached
#Description
Fires when the screensharingd daemon terminates a remote viewer connection. The event records the source address, optional Apple ID of the viewer, and the graphical session identifier matching the earlier attach event.
Fields #
| Name | Description |
|---|---|
source_address_type | Address family of the disconnected connection (es_address_type_t: none, IPv4, IPv6, or named socket). |
source_address | Source address of the disconnected connection; empty when the transport does not expose one. |
viewer_appleid | Apple ID of the viewer if the session was Apple-ID-initiated; empty otherwise. |
graphical_session_id | Opaque identifier for the graphical session that was shared. |
References #
- Apple Developer Documentation: es_event_screensharing_detach_t https://developer.apple.com/documentation/endpointsecurity/es_event_screensharing_detach_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_screensharing_detach_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_screensharing_detach_t.html
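Worked example covering the four LW_SESSION events above together with SCREENSHARING_ATTACH and SCREENSHARING_DETACH (added here; not code from this catalog, from Apple or from the referenced projects). It keys every event on graphical_session_id, which is the correlation handle the fields tables describe, rebuilds a per-session timeline, derives the last LoginWindow state, and flags three screen-sharing situations: an attach to a session for which no login was observed, a successful attach from outside local address ranges onto a session that was already active (existing_session true), and an attach that never detached. The `lw_session_*` and `screensharing_*` event keys, the IPv4 address-type value and the sample dumps are constructed assumptions; 203.0.113.7 stands in for a public source address.

```python
import ipaddress
from collections import defaultdict

# message.event keys for the session family (assumed naming) mapped to short kinds.
KINDS = {"lw_session_login": "login", "lw_session_logout": "logout",
         "lw_session_lock": "lock", "lw_session_unlock": "unlock",
         "screensharing_attach": "ss_attach", "screensharing_detach": "ss_detach"}
# Address ranges treated as on-box or on-LAN; anything else counts as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def normalise_session_event(dump):
    msg = dump["message"]
    for key, kind in KINDS.items():
        body = msg["event"].get(key)
        if body is not None:
            return {"kind": kind, "time": msg["time"],
                    "gsid": body["graphical_session_id"],
                    "user": body.get("username") or body.get("session_username"),
                    "body": body}
    return None

def build_timelines(dumps):
    """Group events by graphical_session_id in time order. The dumps carry
    fixed-width RFC 3339 UTC strings, so lexical order is chronological."""
    timelines = defaultdict(list)
    for d in dumps:
        ev = normalise_session_event(d)
        if ev:
            timelines[ev["gsid"]].append(ev)
    for events in timelines.values():
        events.sort(key=lambda e: e["time"])
    return dict(timelines)

def session_states(timelines):
    """Last known LoginWindow state per session: active, locked or ended."""
    transitions = {"login": "active", "lock": "locked",
                   "unlock": "active", "logout": "ended"}
    states = {}
    for gsid, events in timelines.items():
        for e in events:
            if e["kind"] in transitions:
                states[gsid] = transitions[e["kind"]]
    return states

def is_remote(addr):
    if not addr:
        return False                    # address type none / named socket
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)

def review_screen_sharing(timelines):
    """Flag attaches with no observed login, remote attaches onto an already
    active session, and attaches that never detached."""
    findings = []
    for gsid, events in timelines.items():
        logged_in, attached = False, {}
        for e in events:
            b = e["body"]
            if e["kind"] == "login":
                logged_in = True
            elif e["kind"] == "ss_attach" and b.get("success"):
                addr = b.get("source_address")
                if not logged_in:
                    findings.append((gsid, "attach_without_login", addr))
                if b.get("existing_session") and is_remote(addr):
                    findings.append((gsid, "remote_attach_to_active_session", addr))
                attached[addr] = e["time"]
            elif e["kind"] == "ss_detach":
                attached.pop(b.get("source_address"), None)
        for addr in attached:
            findings.append((gsid, "attach_without_detach", addr))
    return findings

def _lw(key, ts, user, gsid):
    return {"message": {"time": ts, "event": {key: {"username": user, "graphical_session_id": gsid}}}}

def _ss(key, ts, gsid, addr, **extra):
    body = {"source_address_type": 1, "source_address": addr,   # 1 = IPv4 here (constructed)
            "viewer_appleid": "", "graphical_session_id": gsid, **extra}
    return {"message": {"time": ts, "event": {key: body}}}

# Constructed sample: alice's session 257 is viewed from a public address while
# active; session 258 is attached from the LAN with no login seen and no detach.
SAMPLE_DUMPS = [
    _lw("lw_session_login", "2026-06-22T23:00:00.000000000Z", "alice", 257),
    _lw("lw_session_lock", "2026-06-22T23:10:00.000000000Z", "alice", 257),
    _lw("lw_session_unlock", "2026-06-22T23:12:00.000000000Z", "alice", 257),
    _ss("screensharing_attach", "2026-06-22T23:15:00.000000000Z", 257, "203.0.113.7",
        success=True, authentication_type="Password", authentication_username="alice",
        session_username="alice", existing_session=True),
    _ss("screensharing_detach", "2026-06-22T23:20:00.000000000Z", 257, "203.0.113.7"),
    _lw("lw_session_logout", "2026-06-22T23:30:00.000000000Z", "alice", 257),
    _ss("screensharing_attach", "2026-06-22T23:31:00.000000000Z", 258, "10.0.0.5",
        success=True, authentication_type="Password", authentication_username="bob",
        session_username="", existing_session=False),
]
```

Running build_timelines(SAMPLE_DUMPS) and then review_screen_sharing() yields one finding for session 257 (remote attach onto the active session) and two for 258 (attach without a login, never detached); session_states() reports 257 as ended. The LOCAL_NETS list deliberately avoids ipaddress's is_private, which also classifies the documentation ranges as private and would hide the constructed public address.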
ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN: Login Utility Authentication Attempt
#Description
Fires when /usr/bin/login completes an authentication attempt. The event records whether the login succeeded, a failure message on failure, the username, and the UID of the user on success.
Fields #
| Name | Description |
|---|---|
success | True if the login attempt succeeded. |
failure_message | String describing why the attempt failed; empty when success is true. |
username | The username supplied during the login attempt. |
has_uid | True if the uid field is populated (set on successful logins). |
uid | UID of the user who logged in; valid only when has_uid is true. |
References #
- Apple Developer Documentation: es_event_login_login_t https://developer.apple.com/documentation/endpointsecurity/es_event_login_login_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_login_login_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_login_login_t.html
ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT: Login Utility Session Logout
#Description
Fires when /usr/bin/login logs a user out. The event carries the username and UID of the user whose session ended.
Fields #
| Name | Description |
|---|---|
username | Username of the user who logged out. |
uid | UID of the user who logged out. |
References #
- Apple Developer Documentation: es_event_login_logout_t https://developer.apple.com/documentation/endpointsecurity/es_event_login_logout_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_login_logout_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_login_logout_t.html
ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD: OpenDirectory Group Member Added
#Description
Fires after a member is added to an OpenDirectory group. The event identifies the instigating process, the group receiving the new member, the member identity, the OD node, and the result code of the operation.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure (see odconstants.h). |
group_name | Name of the group receiving the new member. |
member | Identity of the member being added (es_od_member_id_t, which may be a UUID or name). |
node_name | OD node being modified, typically '/Local/Default', '/LDAPv3/<server>', or '/Active Directory/<domain>'. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_group_add_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_group_add_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_group_add_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_group_add_t.html
ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE: OpenDirectory Group Member Removed
#Description
Fires after a member is removed from an OpenDirectory group. The event identifies the instigating process, the affected group, the removed member's identity, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
group_name | Name of the group from which the member was removed. |
member | Identity of the member being removed (es_od_member_id_t). |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_group_remove_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_group_remove_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_group_remove_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_group_remove_t.html
ES_EVENT_TYPE_NOTIFY_OD_GROUP_SET: OpenDirectory Group Membership Replaced
#Description
Fires after the full membership list of an OpenDirectory group is initialised or replaced atomically. The event carries the group name, an array of all new member identities, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
group_name | Name of the group whose membership was replaced. |
members | Array of all member identities after the replacement (es_od_member_id_array_t). |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_group_set_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_group_set_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_group_set_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_group_set_t.html
ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD: OpenDirectory Password Modified
#Description
Fires after a password is changed for a user or computer account in OpenDirectory. The event identifies the instigating process, the account type and name, the OD node, and the result code of the change.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the password change via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
account_type | Type of the account whose password was modified (es_od_account_type_t, e.g., user or computer). |
account_name | Name of the account whose password was changed. |
node_name | OD node being modified, typically '/Local/Default', '/LDAPv3/<server>', or '/Active Directory/<domain>'. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_modify_password_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_modify_password_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_modify_password_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_modify_password_t.html
ES_EVENT_TYPE_NOTIFY_OD_DISABLE_USER: OpenDirectory User Account Disabled
#Description
Fires after a user account is disabled in OpenDirectory. The event identifies the instigating process, the account name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
user_name | Name of the user account that was disabled. |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_disable_user_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_disable_user_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_disable_user_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_disable_user_t.html
ES_EVENT_TYPE_NOTIFY_OD_ENABLE_USER: OpenDirectory User Account Enabled
#Description
Fires after a previously disabled user account is re-enabled in OpenDirectory. The event identifies the instigating process, the account name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
user_name | Name of the user account that was enabled. |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_enable_user_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_enable_user_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_enable_user_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_enable_user_t.html
ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD: OpenDirectory Attribute Value Added
#Description
Fires after a single value is appended to an attribute on an OpenDirectory record. The event identifies the instigating process, the record type and name, the attribute name, the new value, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
record_type | OD record type being modified (es_od_record_type_t, e.g., 'Users' or 'Groups'). |
record_name | Name of the OD record receiving the attribute value. |
attribute_name | Name of the attribute receiving the new value. |
attribute_value | The value being added to the attribute. |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_attribute_value_add_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_attribute_value_add_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_attribute_value_add_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_attribute_value_add_t.html
ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_REMOVE: OpenDirectory Attribute Value Removed
#Description
Fires after a single value is removed from an attribute on an OpenDirectory record. The event identifies the instigating process, the record type and name, the attribute name, the removed value, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
record_type | OD record type being modified. |
record_name | Name of the OD record from which the value was removed. |
attribute_name | Name of the attribute from which the value was removed. |
attribute_value | The value that was removed. |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_attribute_value_remove_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_attribute_value_remove_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_attribute_value_remove_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_attribute_value_remove_t.html
ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_SET: OpenDirectory Attribute Set (Replaced)
#Description
Fires after all values of an attribute on an OpenDirectory record are replaced atomically. The event carries the record type and name, the attribute name, the full new value array, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the operation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
record_type | OD record type being modified. |
record_name | Name of the OD record whose attribute was replaced. |
attribute_name | Name of the attribute whose values were replaced. |
attribute_value_count | Number of entries in attribute_value_array. |
attribute_value_array | Array of all new attribute values after the replacement. |
node_name | OD node being modified. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
References #
- Apple Developer Documentation: es_event_od_attribute_set_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_attribute_set_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_attribute_set_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_attribute_set_t.html
ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER: OpenDirectory User Account Created
#Description
Fires after a new user account is created in OpenDirectory. The event identifies the instigating process, the new account name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the account creation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
user_name | Name of the user account that was created. |
node_name | OD node where the account was created, typically '/Local/Default', '/LDAPv3/<server>', or '/Active Directory/<domain>'. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"od_create_user": {
"db_path": "/var/db/dslocal/nodes/Default",
"error_code": 0,
"instigator": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94961,
"pidversion": 302493,
"rgid": 0,
"ruid": 0
},
"cdhash": "2AC2392B8C46355FFAB5C14D2103DA3EFF5C2ACC",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/sysadminctl",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 104,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312576273,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 207808,
"st_uid": 0
}
},
"group_id": 94037,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 94960,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94960,
"pidversion": 302491,
"rgid": 0,
"ruid": 0
},
"ppid": 94960,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 94036,
"signing_id": "com.apple.sysadminctl",
"start_time": "2026-06-22T23:30:48.157971Z",
"team_id": null,
"tty": {
"path": "/dev/ttys005",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:21:30.000000000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:30:43.115608000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 1053,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:30:43.115608000Z",
"st_nlink": 1,
"st_rdev": 268435461,
"st_size": 0,
"st_uid": 0
}
}
},
"instigator_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94961,
"pidversion": 302493,
"rgid": 0,
"ruid": 0
},
"node_name": "/Local/Default",
"user_name": "dwtmp"
}
},
"event_type": 141,
"global_seq_num": 0,
"mach_time": 8847126652509,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"cdhash": "85D20BDB864F0C3913ED5363D1796EE9562ADBE8",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/opendirectoryd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1520,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575412,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2185152,
"st_uid": 0
}
},
"group_id": 419,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"session_id": 419,
"signing_id": "com.apple.opendirectoryd",
"start_time": "2026-06-17T20:22:01.686647Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3677737
},
"time": "2026-06-22T23:30:48.352607090Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_od_create_user_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_user_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_create_user_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_create_user_t.html
ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP: OpenDirectory Group Created
#Description
Fires after a new group is created in OpenDirectory. The event identifies the instigating process, the new group name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
instigator | Process that instigated the group creation via XPC. |
instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
error_code | Result code for the operation; non-zero values indicate failure. |
group_name | Name of the group account that was created. |
node_name | OD node where the group was created. |
db_path | Optional path to the local database when node_name is '/Local/Default'. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"od_create_group": {
"db_path": "/var/db/dslocal/nodes/Default",
"error_code": 0,
"group_name": "dwtmpgrp",
"instigator": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95032,
"pidversion": 302635,
"rgid": 0,
"ruid": 0
},
"cdhash": "B3555330E75F3D1D825CDBBB64FF6B02F5F12C4B",
"codesigning_flags": 637606673,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/dseditgroup",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312576013,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 156320,
"st_uid": 0
}
},
"group_id": 94037,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 95031,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95031,
"pidversion": 302633,
"rgid": 0,
"ruid": 0
},
"ppid": 95031,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 94036,
"signing_id": "com.apple.dseditgroup",
"start_time": "2026-06-22T23:31:25.769190Z",
"team_id": null,
"tty": {
"path": "/dev/ttys005",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:21:30.000000000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:31:20.736689000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 1053,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:31:20.736689000Z",
"st_nlink": 1,
"st_rdev": 268435461,
"st_size": 0,
"st_uid": 0
}
}
},
"instigator_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95032,
"pidversion": 302635,
"rgid": 0,
"ruid": 0
},
"node_name": "/Local/Default"
}
},
"event_type": 142,
"global_seq_num": 0,
"mach_time": 8848024882907,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"cdhash": "85D20BDB864F0C3913ED5363D1796EE9562ADBE8",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/opendirectoryd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1520,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575412,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2185152,
"st_uid": 0
}
},
"group_id": 419,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"session_id": 419,
"signing_id": "com.apple.opendirectoryd",
"start_time": "2026-06-17T20:22:01.686647Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3678406
},
"time": "2026-06-22T23:31:25.778538980Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_od_create_group_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_create_group_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_create_group_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_create_group_t.html
ES_EVENT_TYPE_NOTIFY_OD_DELETE_USER: OpenDirectory User Account Deleted
Description #
Fires after a user account is deleted from OpenDirectory. The event identifies the instigating process, the deleted account name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
| instigator | Process that instigated the account deletion via XPC. |
| instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
| error_code | Result code for the operation; non-zero values indicate failure. |
| user_name | Name of the user account that was deleted. |
| node_name | OD node from which the account was deleted. |
| db_path | Optional path to the local database when node_name is '/Local/Default'. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"od_delete_user": {
"db_path": "/var/db/dslocal/nodes/Default",
"error_code": 0,
"instigator": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94984,
"pidversion": 302544,
"rgid": 0,
"ruid": 0
},
"cdhash": "2AC2392B8C46355FFAB5C14D2103DA3EFF5C2ACC",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/sysadminctl",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 104,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312576273,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 207808,
"st_uid": 0
}
},
"group_id": 94037,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 94983,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94983,
"pidversion": 302542,
"rgid": 0,
"ruid": 0
},
"ppid": 94983,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 94036,
"signing_id": "com.apple.sysadminctl",
"start_time": "2026-06-22T23:30:57.249972Z",
"team_id": null,
"tty": {
"path": "/dev/ttys005",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:21:30.000000000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:30:52.212693000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 1053,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:30:52.212693000Z",
"st_nlink": 1,
"st_rdev": 268435461,
"st_size": 0,
"st_uid": 0
}
}
},
"instigator_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 94984,
"pidversion": 302544,
"rgid": 0,
"ruid": 0
},
"node_name": "/Local/Default",
"user_name": "dwtmp"
}
},
"event_type": 143,
"global_seq_num": 0,
"mach_time": 8847344864339,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"cdhash": "85D20BDB864F0C3913ED5363D1796EE9562ADBE8",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/opendirectoryd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1520,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575412,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2185152,
"st_uid": 0
}
},
"group_id": 419,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"session_id": 419,
"signing_id": "com.apple.opendirectoryd",
"start_time": "2026-06-17T20:22:01.686647Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3677886
},
"time": "2026-06-22T23:30:57.444685396Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_od_delete_user_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_delete_user_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_delete_user_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_delete_user_t.html
ES_EVENT_TYPE_NOTIFY_OD_DELETE_GROUP: OpenDirectory Group Deleted
Description #
Fires after a group account is deleted from OpenDirectory. The event identifies the instigating process, the deleted group name, the OD node, and the result code.
Fields #
| Name | Description |
|---|---|
| instigator | Process that instigated the group deletion via XPC. |
| instigator_token | Audit token of the process that instigated the operation (the XPC caller); the audit-token companion to instigator (message version 8+, macOS 15+). |
| error_code | Result code for the operation; non-zero values indicate failure. |
| group_name | Name of the group account that was deleted. |
| node_name | OD node from which the group was deleted. |
| db_path | Optional path to the local database when node_name is '/Local/Default'. |
Example Event #
Captured live on macOS build 25F80.
{
"message": {
"action": {
"result": {
"result": {
"auth": 0
},
"result_type": 0
}
},
"action_type": 1,
"event": {
"od_delete_group": {
"db_path": "/var/db/dslocal/nodes/Default",
"error_code": 0,
"group_name": "dwtmpgrp",
"instigator": {
"audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95043,
"pidversion": 302657,
"rgid": 0,
"ruid": 0
},
"cdhash": "B3555330E75F3D1D825CDBBB64FF6B02F5F12C4B",
"codesigning_flags": 637606673,
"cs_validation_category": 1,
"executable": {
"path": "/usr/sbin/dseditgroup",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 64,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312576013,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 156320,
"st_uid": 0
}
},
"group_id": 94037,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 95042,
"parent_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95042,
"pidversion": 302655,
"rgid": 0,
"ruid": 0
},
"ppid": 95042,
"responsible_audit_token": {
"asid": 100026,
"auid": 501,
"egid": 20,
"euid": 501,
"pid": 92091,
"pidversion": 296896,
"rgid": 20,
"ruid": 501
},
"session_id": 94036,
"signing_id": "com.apple.dseditgroup",
"start_time": "2026-06-22T23:31:32.820605Z",
"team_id": null,
"tty": {
"path": "/dev/ttys005",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-06-22T23:21:30.000000000Z",
"st_birthtimespec": "1970-01-01T00:00:00.000000000Z",
"st_blksize": 65536,
"st_blocks": 0,
"st_ctimespec": "2026-06-22T23:31:27.800605000Z",
"st_dev": -1278915369,
"st_flags": 0,
"st_gen": 0,
"st_gid": 4,
"st_ino": 1053,
"st_mode": 8592,
"st_mtimespec": "2026-06-22T23:31:27.800605000Z",
"st_nlink": 1,
"st_rdev": 268435461,
"st_size": 0,
"st_uid": 0
}
}
},
"instigator_token": {
"asid": 100026,
"auid": 501,
"egid": 0,
"euid": 0,
"pid": 95043,
"pidversion": 302657,
"rgid": 0,
"ruid": 0
},
"node_name": "/Local/Default"
}
},
"event_type": 144,
"global_seq_num": 0,
"mach_time": 8848194214163,
"process": {
"audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"cdhash": "85D20BDB864F0C3913ED5363D1796EE9562ADBE8",
"codesigning_flags": 637623057,
"cs_validation_category": 1,
"executable": {
"path": "/usr/libexec/opendirectoryd",
"path_truncated": false,
"stat": {
"st_atimespec": "2026-05-21T08:57:02.000000000Z",
"st_birthtimespec": "2026-05-21T08:57:02.000000000Z",
"st_blksize": 4096,
"st_blocks": 1520,
"st_ctimespec": "2026-05-21T08:57:02.000000000Z",
"st_dev": 16777232,
"st_flags": 524320,
"st_gen": 0,
"st_gid": 0,
"st_ino": 1152921500312575412,
"st_mode": 33261,
"st_mtimespec": "2026-05-21T08:57:02.000000000Z",
"st_nlink": 1,
"st_rdev": 0,
"st_size": 2185152,
"st_uid": 0
}
},
"group_id": 419,
"is_es_client": false,
"is_platform_binary": true,
"original_ppid": 1,
"parent_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 1,
"pidversion": 721,
"rgid": 0,
"ruid": 0
},
"ppid": 1,
"responsible_audit_token": {
"asid": 100025,
"auid": 4294967295,
"egid": 0,
"euid": 0,
"pid": 419,
"pidversion": 985,
"rgid": 0,
"ruid": 0
},
"session_id": 419,
"signing_id": "com.apple.opendirectoryd",
"start_time": "2026-06-17T20:22:01.686647Z",
"team_id": null,
"tty": null
},
"schema_version": 1,
"seq_num": 0,
"thread": {
"thread_id": 3678586
},
"time": "2026-06-22T23:31:32.833944878Z",
"version": 10
}
}
References #
- Apple Developer Documentation: es_event_od_delete_group_t https://developer.apple.com/documentation/endpointsecurity/es_event_od_delete_group_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- endpoint-sec-sys Rust bindings: es_event_od_delete_group_t https://docs.rs/endpoint-sec-sys/latest/endpoint_sec_sys/struct.es_event_od_delete_group_t.html
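Added worked example (not part of this catalog, Apple's SDK, or any ESF client project): a triage routine for the od_delete_user and od_delete_group messages documented above. It flattens both families into one record, falls back to instigator.audit_token when instigator_token is absent (message versions before 8), cross-checks the two tokens by (pid, pidversion) when both exist, and annotates failed deletions, local-node deletions and root-effective callers that come from an interactive audit session. The two sample messages are constructed and abbreviated to the keys the routine reads; the group sample's error_code and node name are invented.

```python
import json

# Constructed, abbreviated message in the shape of the page's samples (not a capture).
SAMPLE_OD_DELETE_USER = {
    "message": {
        "event": {
            "od_delete_user": {
                "db_path": "/var/db/dslocal/nodes/Default",
                "error_code": 0,
                "instigator": {
                    "audit_token": {"auid": 501, "euid": 0, "pid": 94984, "pidversion": 302544},
                    "executable": {"path": "/usr/sbin/sysadminctl"},
                    "is_platform_binary": True,
                    "signing_id": "com.apple.sysadminctl",
                },
                "instigator_token": {"auid": 501, "euid": 0, "pid": 94984, "pidversion": 302544},
                "node_name": "/Local/Default",
                "user_name": "dwtmp",
            }
        },
        "event_type": 143,
        "version": 10,
    }
}

# Constructed failed group deletion on a pre-version-8 message (no instigator_token).
SAMPLE_OD_DELETE_GROUP_FAILED = {
    "message": {
        "event": {
            "od_delete_group": {
                "error_code": 5,  # invented non-zero result code
                "instigator": {
                    "audit_token": {"auid": 501, "euid": 0, "pid": 4242, "pidversion": 7},
                    "executable": {"path": "/usr/sbin/dseditgroup"},
                    "is_platform_binary": True,
                    "signing_id": "com.apple.dseditgroup",
                },
                "node_name": "/LDAPv3/example.invalid",  # invented directory node
                "group_name": "dwtmpgrp",
            }
        },
        "event_type": 144,
        "version": 7,
    }
}

# Event family -> field carrying the deleted account's name.
OD_DELETE_FAMILIES = {"od_delete_user": "user_name", "od_delete_group": "group_name"}

# auid of a process with no audit session (root daemons), as seen in the samples above.
AU_DEFAUDITID = 4294967295


def summarize_od_delete(msg: dict) -> dict:
    """Flatten an od_delete_user / od_delete_group message into one triage record."""
    inner = msg["message"]
    event = inner["event"]
    family = next((k for k in OD_DELETE_FAMILIES if k in event), None)
    if family is None:
        raise ValueError("not an OpenDirectory delete event")
    body = event[family]
    instigator = body.get("instigator") or {}
    proc_token = instigator.get("audit_token") or {}
    # instigator_token exists only in message version 8+ (macOS 15+); older messages
    # fall back to the instigator process's own audit token.
    token = body.get("instigator_token") or proc_token
    # When both tokens are present they should describe the same process instance.
    token_matches = (
        "instigator_token" not in body
        or (token.get("pid"), token.get("pidversion"))
        == (proc_token.get("pid"), proc_token.get("pidversion"))
    )
    auid = token.get("auid")
    notes = []
    if body.get("error_code", 0) != 0:
        notes.append("operation failed (error_code=%d)" % body["error_code"])
    if body.get("node_name") == "/Local/Default":
        notes.append("local node; db_path=%s" % body.get("db_path"))
    if token.get("euid") == 0 and auid not in (0, None, AU_DEFAUDITID):
        notes.append("root-effective caller from interactive audit session auid=%d" % auid)
    if not instigator.get("is_platform_binary", False):
        notes.append("instigator is not a platform binary")
    if not token_matches:
        notes.append("instigator_token does not match instigator.audit_token")
    return {
        "kind": family,
        "deleted_name": body.get(OD_DELETE_FAMILIES[family]),
        "node": body.get("node_name"),
        "succeeded": body.get("error_code", 0) == 0,
        "instigator_path": (instigator.get("executable") or {}).get("path"),
        "instigator_signing_id": instigator.get("signing_id"),
        "audit_uid": auid,
        "effective_uid": token.get("euid"),
        "message_version": inner.get("version"),
        "notes": notes,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OD_DELETE_USER, SAMPLE_OD_DELETE_GROUP_FAILED):
        print(json.dumps(summarize_od_delete(sample), indent=2))
```

Failed deletions are kept rather than dropped: an error_code that is non-zero still tells you which account someone tried to remove and from which session.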
ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED: XProtect Malware Detected
Description #
Fires when XProtect Remediator or XprotectService detects a known malware signature on the system. The event reports the malware identifier and the path where the threat was found. Only processes holding the com.apple.private.endpoint-security.submit.xp entitlement (namely XProtect daemons) can emit this event.
Fields #
| Name | Description |
|---|---|
| signature_version | The version string of the XProtect signature set that made the detection. |
| malware_identifier | A string identifying the specific malware variant detected (for example, the XProtect rule or threat name). |
| incident_identifier | A unique identifier for this detection incident, used to correlate detection and remediation events for the same threat. |
| detected_path | The file system path of the malicious file or artifact that triggered the detection. |
References #
- Apple Developer Documentation: es_event_xp_malware_detected_t https://developer.apple.com/documentation/endpointsecurity/es_event_xp_malware_detected_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: ES User Space Eventing https://github.com/redcanaryco/mac-monitor/wiki/9.-ES-User-Space-Eventing
ES_EVENT_TYPE_NOTIFY_XP_MALWARE_REMEDIATED: XProtect Malware Remediated
Description #
Fires when XProtect Remediator or XprotectService completes a remediation action against previously detected malware. The event records the action taken, whether it succeeded, and optionally the path or process that was remediated. Correlate with xp_malware_detected via incident_identifier.
Fields #
| Name | Description |
|---|---|
| signature_version | The version string of the XProtect signature set that identified the threat being remediated. |
| malware_identifier | A string identifying the specific malware variant that was remediated. |
| incident_identifier | The unique incident identifier shared with the corresponding xp_malware_detected event. |
| action_type | A string describing the type of remediation action taken (for example, quarantine or deletion). |
| success | Boolean indicating whether the remediation action completed successfully. |
| result_description | A human-readable description of the remediation outcome or any error encountered. |
| remediated_path | Optional file system path of the artifact that was remediated. Present when the remediated entity was a file. |
| remediated_process_audit_token | Optional audit token of the process that was remediated. Present when the remediated entity was a running process. |
References #
- Apple Developer Documentation: es_event_xp_malware_remediated_t https://developer.apple.com/documentation/endpointsecurity/es_event_xp_malware_remediated_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: ES User Space Eventing https://github.com/redcanaryco/mac-monitor/wiki/9.-ES-User-Space-Eventing
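Added worked example (not part of this catalog or of XProtect itself) covering both the xp_malware_detected and xp_malware_remediated entries above: it joins the two event families on incident_identifier, reports incidents that were detected but never successfully remediated, reports remediations whose detection was never seen (a client that subscribed mid-incident), and resolves the remediated target from whichever of remediated_path or remediated_process_audit_token is present. The events, signature versions, malware identifiers, incident ids and action_type strings are all constructed placeholders.

```python
from collections import defaultdict

# Constructed events (not captures); every identifier below is a placeholder.
SAMPLE_XP_EVENTS = [
    {"event": {"xp_malware_detected": {
        "signature_version": "SIGVER_PLACEHOLDER",
        "malware_identifier": "MALWARE_ID_PLACEHOLDER_A",
        "incident_identifier": "incident-0001",
        "detected_path": "/Users/example/Downloads/sample_a"}}},
    {"event": {"xp_malware_remediated": {
        "signature_version": "SIGVER_PLACEHOLDER",
        "malware_identifier": "MALWARE_ID_PLACEHOLDER_A",
        "incident_identifier": "incident-0001",
        "action_type": "delete",          # constructed action string
        "success": True,
        "result_description": "file removed",
        "remediated_path": "/Users/example/Downloads/sample_a"}}},
    {"event": {"xp_malware_detected": {   # detection with no remediation event
        "signature_version": "SIGVER_PLACEHOLDER",
        "malware_identifier": "MALWARE_ID_PLACEHOLDER_B",
        "incident_identifier": "incident-0002",
        "detected_path": "/Users/example/Library/example_b"}}},
    {"event": {"xp_malware_remediated": {  # remediation whose detection was never seen
        "signature_version": "SIGVER_PLACEHOLDER",
        "malware_identifier": "MALWARE_ID_PLACEHOLDER_C",
        "incident_identifier": "incident-0003",
        "action_type": "kill",            # constructed action string
        "success": False,
        "result_description": "process already exited",
        "remediated_process_audit_token": {"pid": 777, "pidversion": 12, "auid": 501}}}},
]


def correlate_xprotect(events):
    """Group detections and remediations by incident_identifier."""
    incidents = defaultdict(lambda: {"detections": [], "remediations": []})
    for ev in events:
        body = ev["event"]
        if "xp_malware_detected" in body:
            d = body["xp_malware_detected"]
            incidents[d["incident_identifier"]]["detections"].append(d)
        elif "xp_malware_remediated" in body:
            r = body["xp_malware_remediated"]
            incidents[r["incident_identifier"]]["remediations"].append(r)
    return dict(incidents)


def remediated_target(remediation):
    """Return ('file', path), ('process', pid) or ('unknown', None) for one remediation."""
    if remediation.get("remediated_path"):
        return ("file", remediation["remediated_path"])
    token = remediation.get("remediated_process_audit_token")
    if token:
        return ("process", token.get("pid"))
    return ("unknown", None)


def open_incidents(events):
    """Incident ids with a detection but no successful remediation."""
    return sorted(
        iid for iid, rec in correlate_xprotect(events).items()
        if rec["detections"] and not any(r.get("success") for r in rec["remediations"])
    )


def orphan_remediations(events):
    """Incident ids with remediation events but no detection event in this stream."""
    return sorted(
        iid for iid, rec in correlate_xprotect(events).items()
        if rec["remediations"] and not rec["detections"]
    )


def incident_report(events):
    """One summary row per incident, suitable for a SIEM or a ticket."""
    rows = []
    for iid, rec in sorted(correlate_xprotect(events).items()):
        ids = {d["malware_identifier"] for d in rec["detections"]}
        ids |= {r["malware_identifier"] for r in rec["remediations"]}
        rows.append({
            "incident": iid,
            "malware_identifiers": sorted(ids),
            "detected_paths": [d["detected_path"] for d in rec["detections"]],
            "targets": [remediated_target(r) for r in rec["remediations"]],
            "closed": any(r.get("success") for r in rec["remediations"]),
        })
    return rows


if __name__ == "__main__":
    for row in incident_report(SAMPLE_XP_EVENTS):
        print(row)
    print("open:", open_incidents(SAMPLE_XP_EVENTS), "orphans:", orphan_remediations(SAMPLE_XP_EVENTS))
```

The distinction matters operationally: an open incident needs a follow-up (XProtect found something it did not remove), while an orphan remediation usually means the event stream started late, not that a detection was lost.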
ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD: Background Task Management Launch Item Added
Description #
Fires when backgroundtaskmanagementd registers a new launch item, including launch agents, launch daemons, and login items added by the user, by MDM, or by an app. The event identifies the instigating process, the app that owns the item, and the item itself including its type and URL.
Fields #
| Name | Description |
|---|---|
| instigator | Optional process that initiated the BTM operation (the XPC caller that requested the item be added). |
| app | Optional process representing the app that registered the launch item. |
| item.item_type | The type of launch item (for example: launch agent, launch daemon, or login item). |
| item.legacy | Boolean indicating whether this is a legacy plist-based launch item. |
| item.managed | Boolean indicating whether the item is managed (for example, installed via MDM). |
| item.uid | The UID of the user account the launch item is associated with. |
| item.item_url | URL for the launch item. If this is a relative file URL, it is relative to item.app_url. |
| item.app_url | Optional URL for the app the item is attributed to. Present when the item URL is relative to an app bundle. |
| executable_path | Optional POSIX path of the executable from the launchd plist. If relative, it is relative to item.app_url. |
References #
- Apple Developer Documentation: es_event_btm_launch_item_add_t https://developer.apple.com/documentation/endpointsecurity/es_event_btm_launch_item_add_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Patrick Wardle: Demystifying and Bypassing macOS Background Task Management https://speakerdeck.com/patrickwardle/demystifying-and-bypassing-macoss-background-task-management
ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE: Background Task Management Launch Item Removed
Description #
Fires when backgroundtaskmanagementd removes a launch item from its registry. The event identifies the instigating process, the owning app, and the item being removed. Correlate with btm_launch_item_add to track the full lifecycle of persistent launch items.
Fields #
| Name | Description |
|---|---|
| instigator | Optional process that initiated the BTM operation (the XPC caller that requested the item be removed). |
| app | Optional process representing the app that owned the launch item. |
| item.item_type | The type of launch item being removed (for example: launch agent, launch daemon, or login item). |
| item.legacy | Boolean indicating whether the removed item was a legacy plist-based launch item. |
| item.uid | The UID of the user account the launch item was associated with. |
| item.item_url | URL identifying the launch item that was removed. |
References #
- Apple Developer Documentation: es_event_btm_launch_item_remove_t https://developer.apple.com/documentation/endpointsecurity/es_event_btm_launch_item_remove_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Patrick Wardle: Demystifying and Bypassing macOS Background Task Management https://speakerdeck.com/patrickwardle/demystifying-and-bypassing-macoss-background-task-management
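Added worked example (not part of this catalog or of backgroundtaskmanagementd) serving both BTM entries above: it resolves item.item_url and executable_path against item.app_url when they are relative, as the field tables specify, and keeps a small registry keyed by (uid, resolved path) so that a btm_launch_item_remove can be matched to the add that preceded it. Removals with no observed add are reported separately. The item_type strings, paths and URLs are constructed stand-ins (the page does not list the enum encoding), and the removal sample assumes an absolute file URL because the remove event carries no app_url.

```python
import posixpath
from urllib.parse import urlparse, unquote

# Constructed messages (not captures); item_type strings and paths are invented.
ADD_AGENT = {"event": {"btm_launch_item_add": {
    "instigator": {"executable": {"path": "/usr/local/bin/example-installer"}},
    "item": {"item_type": "agent", "legacy": True, "managed": False, "uid": 501,
             "item_url": "Contents/Library/LaunchAgents/com.example.agent.plist",
             "app_url": "file:///Applications/Example.app/"},
    "executable_path": "Contents/MacOS/example-helper",
}}}
REMOVE_AGENT = {"event": {"btm_launch_item_remove": {
    "item": {"item_type": "agent", "legacy": True, "uid": 501,
             "item_url": "file:///Applications/Example.app/Contents/Library/LaunchAgents/com.example.agent.plist"},
}}}
REMOVE_UNSEEN = {"event": {"btm_launch_item_remove": {
    "item": {"item_type": "daemon", "legacy": True, "uid": 0,
             "item_url": "file:///Library/LaunchDaemons/com.example.daemon.plist"},
}}}


def url_to_path(value: str) -> str:
    """Turn a file: URL into a POSIX path; a bare (relative) path is returned unquoted."""
    parts = urlparse(value)
    if parts.scheme == "file":
        return unquote(parts.path)
    if parts.scheme == "":
        return unquote(value)
    raise ValueError("expected a file: URL or a relative path, got %r" % value)


def resolve_against_app(value: str, item: dict) -> str:
    """Absolute paths pass through; relative ones are joined to item.app_url."""
    path = url_to_path(value)
    if posixpath.isabs(path) or not item.get("app_url"):
        return posixpath.normpath(path)
    return posixpath.normpath(posixpath.join(url_to_path(item["app_url"]), path))


class LaunchItemRegistry:
    """Tracks launch items across add/remove events and returns findings per event."""

    def __init__(self):
        self.items = {}  # (uid, resolved item path) -> record

    def apply(self, msg: dict):
        ev = msg["event"]
        findings = []
        if "btm_launch_item_add" in ev:
            body = ev["btm_launch_item_add"]
            item = body["item"]
            key = (item["uid"], resolve_against_app(item["item_url"], item))
            exe = body.get("executable_path")
            self.items[key] = {
                "item_type": item.get("item_type"),
                "legacy": bool(item.get("legacy")),
                "managed": bool(item.get("managed")),
                "executable": resolve_against_app(exe, item) if exe else None,
                "instigator": (body.get("instigator") or {}).get("executable", {}).get("path"),
            }
            # Legacy plist items that MDM did not install are the ones worth a closer look.
            if item.get("legacy") and not item.get("managed"):
                findings.append(("legacy_unmanaged_item", key[1]))
        elif "btm_launch_item_remove" in ev:
            item = ev["btm_launch_item_remove"]["item"]
            key = (item["uid"], resolve_against_app(item["item_url"], item))
            if self.items.pop(key, None) is None:
                findings.append(("remove_without_observed_add", key[1]))
        return findings


if __name__ == "__main__":
    reg = LaunchItemRegistry()
    for msg in (ADD_AGENT, REMOVE_AGENT, REMOVE_UNSEEN):
        print(reg.apply(msg), dict(reg.items))
```

Keying on the resolved absolute path rather than the raw URL is what makes the add and the remove line up: the add reports a relative URL plus app_url, the remove reports the item on its own.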
ES_EVENT_TYPE_NOTIFY_PROFILE_ADD: Configuration Profile Installed
Description #
Fires when mdmclient installs a configuration profile on the system. The event reports the instigating process, whether this is an update to an existing profile, and profile metadata including its identifier, UUID, display name, organization, scope, and install source.
Fields #
| Name | Description |
|---|---|
| instigator | The process that triggered the profile installation (typically mdmclient or System Preferences/Settings). |
| is_update | Boolean indicating whether this installation is an update to an already-installed profile. |
| profile.identifier | The PayloadIdentifier string from the profile, typically a reverse-DNS name. |
| profile.uuid | The PayloadUUID string uniquely identifying this profile. |
| profile.install_source | The source of the installation (for example: MDM, manual, or app). |
| profile.organization | The PayloadOrganization string identifying the entity that created the profile. |
| profile.display_name | The PayloadDisplayName string shown to the user in System Settings. |
| profile.scope | The scope of the profile (for example: system or user). |
References #
- Apple Developer Documentation: es_event_profile_add_t https://developer.apple.com/documentation/endpointsecurity/es_event_profile_add_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: ES User Space Eventing https://github.com/redcanaryco/mac-monitor/wiki/9.-ES-User-Space-Eventing
ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE: Configuration Profile Removed
Description #
Fires when mdmclient removes a configuration profile from the system. The event reports the instigating process and the metadata of the profile that was removed, allowing defenders to detect unauthorized removal of MDM enrollment or security policy profiles.
Fields #
| Name | Description |
|---|---|
| instigator | The process that triggered the profile removal (typically mdmclient or System Preferences/Settings). |
| profile.identifier | The PayloadIdentifier string of the removed profile. |
| profile.uuid | The PayloadUUID string of the removed profile. |
| profile.install_source | The source from which the removed profile was originally installed. |
| profile.organization | The PayloadOrganization string of the removed profile. |
| profile.display_name | The PayloadDisplayName of the removed profile. |
| profile.scope | The scope of the removed profile (for example: system or user). |
References #
- Apple Developer Documentation: es_event_profile_remove_t https://developer.apple.com/documentation/endpointsecurity/es_event_profile_remove_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Red Canary mac-monitor: ES User Space Eventing https://github.com/redcanaryco/mac-monitor/wiki/9.-ES-User-Space-Eventing
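Added worked example (not part of this catalog or of mdmclient) for the profile_add and profile_remove entries above: a severity assessment that raises the removal of an MDM-installed or system-scope profile, and raises it further when the instigator is not the expected platform binary. The install_source and scope strings ("mdm", "manual", "system", "user") are stand-ins for values the page only describes in prose, the mdmclient signing id is assumed, and the profile identifiers, UUIDs and organization are placeholders.

```python
# Assumed signing id for mdmclient; extend with other instigators your fleet expects.
TRUSTED_PROFILE_INSTIGATORS = {"com.apple.mdmclient"}

LEVELS = ["info", "low", "medium", "high"]

# Constructed messages (not captures); enum strings and identifiers are placeholders.
MDM_PROFILE = {"identifier": "com.example.mdm.enrollment", "uuid": "UUID-PLACEHOLDER-1",
               "install_source": "mdm", "organization": "Example Org",
               "display_name": "Example MDM Enrollment", "scope": "system"}
REMOVE_BY_MDMCLIENT = {"event": {"profile_remove": {
    "instigator": {"executable": {"path": "/usr/libexec/mdmclient"},
                   "signing_id": "com.apple.mdmclient", "is_platform_binary": True},
    "profile": dict(MDM_PROFILE),
}}}
REMOVE_BY_OTHER = {"event": {"profile_remove": {
    "instigator": {"executable": {"path": "/usr/local/bin/example-tool"},
                   "signing_id": "com.example.tool", "is_platform_binary": False},
    "profile": dict(MDM_PROFILE),
}}}
ADD_UPDATE = {"event": {"profile_add": {
    "instigator": {"executable": {"path": "/usr/libexec/mdmclient"},
                   "signing_id": "com.apple.mdmclient", "is_platform_binary": True},
    "is_update": True,
    "profile": dict(MDM_PROFILE),
}}}
ADD_MANUAL_SYSTEM = {"event": {"profile_add": {
    "instigator": {"executable": {"path": "/usr/local/bin/example-tool"},
                   "signing_id": "com.example.tool", "is_platform_binary": False},
    "is_update": False,
    "profile": {"identifier": "com.example.local.settings", "uuid": "UUID-PLACEHOLDER-2",
                "install_source": "manual", "organization": "", "display_name": "Local",
                "scope": "system"},
}}}


def bump(current: str, new: str) -> str:
    """Return the higher of two severity levels."""
    return new if LEVELS.index(new) > LEVELS.index(current) else current


def assess_profile_event(msg: dict) -> dict:
    ev = msg["event"]
    if "profile_add" in ev:
        kind, body = "add", ev["profile_add"]
    elif "profile_remove" in ev:
        kind, body = "remove", ev["profile_remove"]
    else:
        raise ValueError("not a profile event")
    profile = body["profile"]
    inst = body.get("instigator") or {}
    managed = profile.get("install_source") == "mdm"
    system_scope = profile.get("scope") == "system"
    trusted = bool(inst.get("is_platform_binary")) and inst.get("signing_id") in TRUSTED_PROFILE_INSTIGATORS
    severity, reasons = "info", []
    if kind == "remove":
        if managed:
            reasons.append("MDM-installed profile removed")
            severity = bump(severity, "medium" if trusted else "high")
        if system_scope and not trusted:
            reasons.append("system-scope profile removed by an unexpected instigator")
            severity = bump(severity, "high")
    else:
        if body.get("is_update"):
            reasons.append("update of an already-installed profile")
        if system_scope and not managed:
            reasons.append("system-scope profile installed outside MDM")
            severity = bump(severity, "medium")
    return {
        "kind": kind,
        "identifier": profile.get("identifier"),
        "uuid": profile.get("uuid"),
        "install_source": profile.get("install_source"),
        "scope": profile.get("scope"),
        "instigator": (inst.get("executable") or {}).get("path"),
        "trusted_instigator": trusted,
        "severity": severity,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for m in (REMOVE_BY_MDMCLIENT, REMOVE_BY_OTHER, ADD_UPDATE, ADD_MANUAL_SYSTEM):
        print(assess_profile_event(m))
```

Even the medium case (mdmclient itself removing an enrollment profile) is worth routing to a queue, since it is what an unenrollment looks like from the endpoint's side.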
ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE: Gatekeeper User Override
Description #
Fires when a user explicitly overrides a Gatekeeper block to run an app or file that macOS would otherwise refuse to open. The event identifies the target file or path and, where available, its SHA-256 hash and code signing information.
Fields #
| Name | Description |
|---|---|
| file_type | Discriminator indicating whether the file field contains a resolved es_file_t (ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE) or only a path string (ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH). |
| file_path | Path string describing the target file when Endpoint Security could not resolve a full es_file_t at event submission time. |
| file | Resolved file descriptor for the target when the system was able to look up the file at event submission time. |
| sha256 | SHA-256 hash of the target file. Populated when the file size is below 100 MB. |
| signing_info | Code signing information for the target file, if the file has been signed. |
References #
- Apple Developer Documentation: es_event_gatekeeper_user_override_t https://developer.apple.com/documentation/endpointsecurity/es_event_gatekeeper_user_override_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- gomac endpointsecurity Go package (struct field reference) https://pkg.go.dev/github.com/gatkinso/gomac/endpointsecurity
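Added worked example (not part of this catalog or of Apple's SDK) for the Gatekeeper override entry above: a normalizer that switches on the file_type discriminator, reads the target from either file or file_path, and explains a missing sha256 instead of treating it as an error (the hash is only populated for files under 100 MB, and never for path-only events). It assumes the discriminator is serialized as the enum name the page quotes, that signing_info carries cdhash, team_id and signing_id keys, and uses a 100 * 1024 * 1024 byte threshold since the page does not say which megabyte it means; all sample paths, hashes and ids are placeholders.

```python
FILE_TYPE_FILE = "ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE"
FILE_TYPE_PATH = "ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH"
SHA256_SIZE_LIMIT = 100 * 1024 * 1024  # assumed unit; the page only says "100 MB"

# Constructed event bodies (not captures); hashes and identifiers are placeholders.
OVERRIDE_RESOLVED = {
    "file_type": FILE_TYPE_FILE,
    "file": {"path": "/Users/example/Downloads/Example.app/Contents/MacOS/Example",
             "path_truncated": False, "stat": {"st_size": 1234567}},
    "sha256": "SHA256_PLACEHOLDER",
    "signing_info": {"cdhash": "CDHASH_PLACEHOLDER", "team_id": "TEAMID_PLACEHOLDER",
                     "signing_id": "com.example.app"},
}
OVERRIDE_PATH_ONLY = {  # ESF could not resolve the file: no hash, no signing info
    "file_type": FILE_TYPE_PATH,
    "file_path": "/Volumes/ExampleImage/installer.pkg",
}
OVERRIDE_LARGE = {  # resolved but unsigned and above the hash size limit
    "file_type": FILE_TYPE_FILE,
    "file": {"path": "/Users/example/Downloads/big.dmg", "path_truncated": False,
             "stat": {"st_size": 5 * 1024 * 1024 * 1024}},
}


def normalize_gatekeeper_override(body: dict) -> dict:
    """Flatten the file/file_path union and explain absent hash or signature."""
    file_type = body["file_type"]
    if file_type == FILE_TYPE_FILE:
        f = body["file"]
        path = f["path"]
        truncated = bool(f.get("path_truncated", False))
        size = (f.get("stat") or {}).get("st_size")
    elif file_type == FILE_TYPE_PATH:
        path, truncated, size = body["file_path"], None, None
    else:
        raise ValueError("unknown file_type %r" % file_type)

    sha256 = body.get("sha256")
    if sha256:
        hash_note = "ok"
    elif file_type == FILE_TYPE_PATH:
        hash_note = "sha256 unavailable (path-only event)"
    elif size is not None and size >= SHA256_SIZE_LIMIT:
        hash_note = "sha256 omitted: file at or above the 100 MB limit"
    else:
        hash_note = "sha256 unavailable"

    sig = body.get("signing_info")
    return {
        "path": path,
        "path_truncated": truncated,
        "resolved": file_type == FILE_TYPE_FILE,
        "size": size,
        "sha256": sha256,
        "hash_note": hash_note,
        "signed": sig is not None,
        "team_id": sig.get("team_id") if sig else None,
        "signing_id": sig.get("signing_id") if sig else None,
        "cdhash": sig.get("cdhash") if sig else None,
        # What a reviewer most wants to know about an override: is there anything
        # (hash or signature) that lets the artifact be looked up later?
        "attributable": bool(sha256) or sig is not None,
    }


if __name__ == "__main__":
    for body in (OVERRIDE_RESOLVED, OVERRIDE_PATH_ONLY, OVERRIDE_LARGE):
        print(normalize_gatekeeper_override(body))
```

An override of a large, unsigned image leaves no hash and no signer in the event, so the path (and the process that later executes from it) is the only thread to pull on.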
ES_EVENT_TYPE_NOTIFY_TCC_MODIFY: TCC Privacy Permission Modified
Description #
Fires when a Transparency, Consent, and Control (TCC) privacy permission is granted or revoked for an application. The event identifies the protected service, the application whose access changed, the type of change, the resulting permission right, and the reason for the update. Added in macOS 15.4 as the first native ESF hook for TCC database modifications.
Fields #
| Name | Description |
|---|---|
| service | The TCC service whose permission was modified (for example: kTCCServiceCamera, kTCCServiceMicrophone). |
| identity | The identity string of the application subject to the permission change (bundle ID, executable path, or policy identifier, depending on identity_type). |
| identity_type | The format of the identity field: bundle ID, executable path, policy ID, or file provider domain ID. |
| update_type | The kind of TCC modification: create, modify, or delete. |
| instigator | Optional process information for the entity that initiated the TCC permission change. |
| right | The resulting TCC authorization right after the modification (for example: allowed, denied, limited). |
| reason | The reason the permission was updated (for example: user consent, MDM policy, service policy, or app entitlement). |
References #
- Apple Developer Documentation: es_event_tcc_modify_t https://developer.apple.com/documentation/endpointsecurity/es_event_tcc_modify_t
- Apple Developer Documentation: es_event_type_t https://developer.apple.com/documentation/endpointsecurity/es_event_type_t
- Objective-See: Apple finally adds TCC events to Endpoint Security https://objective-see.org/blog/blog_0x7F.html
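Added worked example (not part of this catalog or of the TCC subsystem) for the tcc_modify entry above: a starting rule that rates a grant by which service it unlocks, whether the reason was a user's own consent or MDM policy, and whether the subject is a bundle identifier or a bare executable path. kTCCServiceScreenCapture, kTCCServiceAccessibility and kTCCServiceSystemPolicyAllFiles are well-known TCC service names added beyond the two the page lists; the update_type, right, reason and identity_type strings ("create", "allowed", "user_consent", "bundle_id", and so on) are stand-ins for values the page describes only in prose, and the identities and paths are placeholders.

```python
# Services whose grant gives an app access to what the user sees, hears, or types.
HIGH_IMPACT_SERVICES = {
    "kTCCServiceCamera",
    "kTCCServiceMicrophone",
    "kTCCServiceScreenCapture",
    "kTCCServiceAccessibility",
    "kTCCServiceSystemPolicyAllFiles",
}
# Reasons that reflect an explicit decision by the user or the organization.
EXPECTED_GRANT_REASONS = {"user_consent", "mdm_policy"}  # stand-in strings
LEVELS = ["info", "low", "medium", "high"]

# Constructed event bodies (not captures); enum strings and identities are placeholders.
CAMERA_BY_USER = {
    "service": "kTCCServiceCamera", "identity": "com.example.meetings",
    "identity_type": "bundle_id", "update_type": "create", "right": "allowed",
    "reason": "user_consent",
    "instigator": {"executable": {"path": "/System/Library/CoreServices/placeholder"}},
}
ACCESSIBILITY_BY_PATH = {
    "service": "kTCCServiceAccessibility", "identity": "/usr/local/bin/example-helper",
    "identity_type": "executable_path", "update_type": "modify", "right": "allowed",
    "reason": "service_policy",
    "instigator": {"executable": {"path": "/usr/local/bin/example-tool"}},
}
MICROPHONE_REVOKED = {
    "service": "kTCCServiceMicrophone", "identity": "com.example.meetings",
    "identity_type": "bundle_id", "update_type": "delete", "right": None,
    "reason": "user_consent", "instigator": None,
}
CALENDAR_LIMITED = {
    "service": "kTCCServiceCalendar", "identity": "com.example.notes",
    "identity_type": "bundle_id", "update_type": "create", "right": "limited",
    "reason": "user_consent", "instigator": None,
}


def bump(current: str, new: str) -> str:
    return new if LEVELS.index(new) > LEVELS.index(current) else current


def assess_tcc_modify(body: dict) -> dict:
    """Rate one tcc_modify event and explain the rating."""
    service = body["service"]
    update, right, reason = body["update_type"], body.get("right"), body.get("reason")
    inst = body.get("instigator") or {}
    severity, notes = "info", []
    granted = update in ("create", "modify") and right in ("allowed", "limited")
    if granted:
        if service in HIGH_IMPACT_SERVICES:
            severity = bump(severity, "medium")
            notes.append("%s granted (%s)" % (service, right))
            if reason not in EXPECTED_GRANT_REASONS:
                severity = bump(severity, "high")
                notes.append("grant reason is neither user consent nor MDM policy: %s" % reason)
            if body.get("identity_type") == "executable_path":
                severity = bump(severity, "high")
                notes.append("subject is a bare executable path, not an app bundle")
        else:
            severity = bump(severity, "low")
            notes.append("%s granted (%s)" % (service, right))
    elif update == "delete":
        notes.append("permission entry removed for %s" % service)
    return {
        "service": service,
        "identity": body.get("identity"),
        "identity_type": body.get("identity_type"),
        "update_type": update,
        "right": right,
        "reason": reason,
        "instigator": (inst.get("executable") or {}).get("path"),
        "severity": severity,
        "notes": notes,
    }


if __name__ == "__main__":
    for body in (CAMERA_BY_USER, ACCESSIBILITY_BY_PATH, MICROPHONE_REVOKED, CALENDAR_LIMITED):
        print(assess_tcc_modify(body))
```

Revocations are kept at informational level on purpose: a deleted entry is the normal result of the user clearing a permission, and the interesting signal is the grant that preceded it, which this event now lets you see natively instead of polling the TCC database.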