But which events?

Okay, great: Apple added a cool new tool, eslogger, to macOS Ventura. nubco created ESEV so that we can easily view and analyze those events… but which of the 82 events should we be capturing? Like most answers, it depends on what you’re doing.

Below are a few different sets of suggested events to capture for different purposes. This post isn’t meant to be comprehensive. There isn’t one right way, and there is no one-size-fits-all set either.

For example, there might be different file-related events you’d like to include in a File Monitor, like setextattr or utimes, which are not currently listed in the suggested File Monitor events. Hopefully this is useful as a starting point; please send suggestions for additions or subtractions.

Events lists
  • Explore ESMessage.h, found in the SDK at /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/

  • Connor Morley, from WithSecure, also released a post with details on message types

  • Apple provides extremely brief descriptions in the official documentation


  • Process Monitor
  • File Monitor
  • Malware Monitor
  • Kernel Monitor



Process Monitor

Monitoring and exploring the life-cycle of processes on your machine is a great way to learn not only what’s happening on your computer but also how your operating system works.

  • fork - Process created a copy of itself as a new process. This is frequently the start of launching another process.

  • exec - Process is executing a new program. This is frequently preceded by a fork.

  • exit - This is the end of the line for the process; it has completed its life-cycle. It’s good to capture these for at least two reasons. First, you learn how long a process ran and that it has finished generating events. Second, you see exits for processes whose creation you may have missed.

fork exec exit

Objective-See’s thoughts on ProcessMonitor using ESAPI. For details on the fork-exec life cycle please see The Mitten Mac’s post on the subject.

Others to consider: sudo, su, chroot, and get_task.
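As an added example (not part of the original post, and not nubco’s or Apple’s code), here is a small Python script that reconstructs the fork/exec/exit life-cycle described above from eslogger’s JSON-lines output: it links a child pid to its parent from the fork event, picks up the program path and arguments from exec, computes the lifetime from exit, and separately reports exits for processes whose creation was never seen. It assumes eslogger’s layout of a top-level "process" (the acting process), a "time" ISO timestamp, and an "event" object keyed by the event name; the nested field names follow the ES headers as I read them, and the sample lines are constructed, not captured.

```python
"""Reconstruct process life-cycles from eslogger fork/exec/exit events.

Added example, not from the original post. Assumed layout (eslogger JSON lines):
  {"time": "...Z", "process": {"audit_token": {"pid": N}, "executable": {"path": ...}},
   "event": {"fork": {"child": {...}}} | {"exec": {"target": {...}, "args": [...]}}
            | {"exit": {"stat": <wait status>}}}
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: zsh (pid 500) forks pid 501, which execs /bin/ls and exits
# after 250 ms; pid 777 exits without us ever having seen its fork or exec.
SAMPLE_LINES = [
    '{"time":"2023-01-01T10:00:00.000Z","process":{"audit_token":{"pid":500},"executable":{"path":"/bin/zsh"}},'
    '"event":{"fork":{"child":{"audit_token":{"pid":501},"executable":{"path":"/bin/zsh"}}}}}',
    '{"time":"2023-01-01T10:00:00.010Z","process":{"audit_token":{"pid":501},"executable":{"path":"/bin/zsh"}},'
    '"event":{"exec":{"target":{"audit_token":{"pid":501},"executable":{"path":"/bin/ls"}},"args":["ls","-la"]}}}',
    '{"time":"2023-01-01T10:00:00.250Z","process":{"audit_token":{"pid":501},"executable":{"path":"/bin/ls"}},'
    '"event":{"exit":{"stat":0}}}',
    '{"time":"2023-01-01T10:00:01.000Z","process":{"audit_token":{"pid":777},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"exit":{"stat":256}}}',
]


@dataclass
class ProcessRecord:
    pid: int
    parent_pid: Optional[int] = None
    path: Optional[str] = None
    args: List[str] = field(default_factory=list)
    started: Optional[datetime] = None
    exited: Optional[datetime] = None
    exit_status: Optional[int] = None  # raw wait(2) status from the exit event

    @property
    def lifetime_ms(self) -> Optional[float]:
        """Wall-clock lifetime, only known once both fork/exec and exit were seen."""
        if self.started is None or self.exited is None:
            return None
        return (self.exited - self.started).total_seconds() * 1000

    @property
    def exit_code(self) -> Optional[int]:
        """Decode the exit code from the wait status (WEXITSTATUS), portably."""
        if self.exit_status is None:
            return None
        return (self.exit_status >> 8) & 0xFF


def parse_time(value: str) -> datetime:
    # fromisoformat() on older Pythons does not accept a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconstruct(lines) -> Tuple[Dict[int, ProcessRecord], List[int]]:
    """Return (records by pid, pids that exited without a seen fork/exec)."""
    procs: Dict[int, ProcessRecord] = {}
    orphan_exits: List[int] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_time(ev["time"])
        actor_pid = ev["process"]["audit_token"]["pid"]
        body = ev["event"]
        if "fork" in body:
            child = body["fork"]["child"]
            cpid = child["audit_token"]["pid"]
            procs[cpid] = ProcessRecord(pid=cpid, parent_pid=actor_pid,
                                        path=child["executable"]["path"], started=ts)
        elif "exec" in body:
            target = body["exec"]["target"]
            tpid = target["audit_token"]["pid"]
            # exec without a prior fork still gives us a start time
            rec = procs.setdefault(tpid, ProcessRecord(pid=tpid, started=ts))
            rec.path = target["executable"]["path"]
            rec.args = list(body["exec"].get("args", []))
        elif "exit" in body:
            rec = procs.get(actor_pid)
            if rec is None:
                # exit for a process whose creation we never saw
                rec = ProcessRecord(pid=actor_pid, path=ev["process"]["executable"]["path"])
                procs[actor_pid] = rec
                orphan_exits.append(actor_pid)
            rec.exited = ts
            rec.exit_status = body["exit"]["stat"]
    return procs, orphan_exits


if __name__ == "__main__":
    # Pipe real output in with: sudo eslogger fork exec exit | python3 this_script.py
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    records, orphans = reconstruct(source)
    for rec in records.values():
        print(f"pid {rec.pid} (parent {rec.parent_pid}) {rec.path} {rec.args} "
              f"lifetime_ms={rec.lifetime_ms} exit_code={rec.exit_code}")
    print("exits with unseen creation:", orphans)
```

The unseen-creation list is exactly the second reason given above for capturing exit: in a long-running capture it tells you which processes predate the session or slipped past the fork/exec filter.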

File Monitor

Monitoring files on disk helps you understand their state: who created them, who modified them and who has read them. This is great for exploration, discovery and understanding alike, and it can also be used for troubleshooting.

File data:

  • write - [high number of events] writing data to a file
  • read - [high number of events] reading data from a file

File life-cycle:

  • create - creating a new file
  • open - [moderate number of events] open an existing file
  • close - closing a file.
    • These events include a flag noting whether or not the file was modified. Monitoring close can make it less important to monitor the noisier write event.

File name and existence:

  • rename - changing the name/location of a file
  • link - this shows hard and soft links to a file; think of multiple names for the same file on disk.
  • unlink - this is deleting a file

open create rename link unlink close

Objective-See’s thoughts on FileMonitor using ESAPI.
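As an added example (not from the original post or from Objective-See), the following Python builds a per-file timeline of who created, modified, renamed and deleted each path from eslogger’s file events, and shows the noise-reduction point made above: it drops every write and instead records a single "modified" entry when a close event carries modified=true. The field names inside create/close/rename/unlink/write are my reading of the ES headers and are assumptions, and the sample lines are constructed rather than captured.

```python
"""Per-file activity timeline from eslogger file events.

Added example, not from the original post. Assumed layout (eslogger JSON lines):
  {"process": {"audit_token": {"pid": N}, "executable": {"path": ...}},
   "event": {"create": {"destination": {...}}} | {"write": {"target": {"path": ...}}}
            | {"close": {"modified": bool, "target": {"path": ...}}}
            | {"rename": {"source": {"path": ...}, "destination": {...}}}
            | {"unlink": {"target": {"path": ...}}}}
A destination is either {"existing_file": {"path": ...}} or
{"new_path": {"dir": {"path": ...}, "filename": ...}} (assumed from the ES union).
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: curl (pid 600) creates /tmp/a.sh, writes three times and
# closes it; zsh (pid 601) reads it (close, not modified), renames it to
# /tmp/b.sh and finally deletes it.
SAMPLE_LINES = [
    '{"process":{"audit_token":{"pid":600},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"create":{"destination":{"existing_file":{"path":"/tmp/a.sh"}}}}}',
    '{"process":{"audit_token":{"pid":600},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"write":{"target":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":600},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"write":{"target":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":600},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"write":{"target":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":600},"executable":{"path":"/usr/bin/curl"}},'
    '"event":{"close":{"modified":true,"target":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":601},"executable":{"path":"/bin/zsh"}},'
    '"event":{"open":{"file":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":601},"executable":{"path":"/bin/zsh"}},'
    '"event":{"close":{"modified":false,"target":{"path":"/tmp/a.sh"}}}}',
    '{"process":{"audit_token":{"pid":601},"executable":{"path":"/bin/zsh"}},'
    '"event":{"rename":{"source":{"path":"/tmp/a.sh"},'
    '"destination":{"new_path":{"dir":{"path":"/tmp"},"filename":"b.sh"}}}}}',
    '{"process":{"audit_token":{"pid":601},"executable":{"path":"/bin/zsh"}},'
    '"event":{"unlink":{"target":{"path":"/tmp/b.sh"}}}}',
]

Entry = Tuple[str, int, str]  # (action, pid, executable path)


def destination_path(dest: dict) -> str:
    """Resolve a create/rename destination (assumed existing_file/new_path layout)."""
    if "existing_file" in dest:
        return dest["existing_file"]["path"]
    new = dest["new_path"]
    return new["dir"]["path"].rstrip("/") + "/" + new["filename"]


def timeline(lines, keep_writes: bool = False) -> Dict[str, List[Entry]]:
    """Map each path to the ordered list of (action, pid, exe) that touched it."""
    out: Dict[str, List[Entry]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        proc = ev["process"]
        who = (proc["audit_token"]["pid"], proc["executable"]["path"])
        body = ev["event"]
        if "create" in body:
            out[destination_path(body["create"]["destination"])].append(("create",) + who)
        elif "write" in body:
            # writes are high-volume; by default rely on close.modified instead
            if keep_writes:
                out[body["write"]["target"]["path"]].append(("write",) + who)
        elif "close" in body:
            # one close with modified=true summarises any number of writes
            if body["close"]["modified"]:
                out[body["close"]["target"]["path"]].append(("modified",) + who)
        elif "rename" in body:
            src = body["rename"]["source"]["path"]
            dst = destination_path(body["rename"]["destination"])
            out[src].append(("renamed to " + dst,) + who)
            out[dst].append(("renamed from " + src,) + who)
        elif "unlink" in body:
            out[body["unlink"]["target"]["path"]].append(("unlink",) + who)
        # open and other events are ignored for this timeline
    return dict(out)


if __name__ == "__main__":
    for path, entries in timeline(SAMPLE_LINES).items():
        print(path)
        for action, pid, exe in entries:
            print(f"  {action:<24} pid={pid} {exe}")
```

Run with keep_writes=True to see the difference in volume: the same sample yields three write entries for /tmp/a.sh versus the single "modified" entry that the close event already gives you.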

Malware Monitor

Connor Morley from WithSecure recommends a set of events for monitoring malware activity in a 2021 post about macOS ESF. A follow-on post contains details on many of the different events and is much more useful than Apple’s own documentation.

exec fork open create fcntl write readlink mmap mprotect iokit_open uipc_connect pty_grant dup stat rename setmode setextattr

Sonoma+

exec fork open create fcntl write readlink mmap mprotect iokit_open uipc_connect pty_grant dup stat rename setmode setextattr btm_launch_item_add su sudo od_create_user od_group_add profile_add profile_remove

Cedric Owens’ post analyzing different malware techniques uses a modified set of events to show the techniques. Here are a few:

lookup close getattrlist

Kernel Monitor

There is less third-party kernel activity these days, but here are some events to keep an eye on as you explore software behavior.

  • iokit_open - someone talking to an IOKit driver using IOService
  • kextload - loading kernel extension
  • kextunload - unloading kernel extension

iokit_open kextload kextunload

Other events

  • btm_launch_item_add

This might be a great addition to the malware set, as it notifies you of a potential persistence mechanism.

  • kextload
  • kextunload

These are becoming less useful as Apple discourages more and more third parties from writing kernel extensions by moving features into userland.

  • screensharing_attach
  • screensharing_detach

These track the screen-sharing application native to macOS. They will not show activities like FaceTime screen share or web-based Google Meet screen share.

  • setextattr

setextattr will show command-line usage of xattr -w, but it will not show macOS Launch Services (LSFileQuarantineEnabled) attaching com.apple.quarantine to downloads. We originally had a quarantine-and-execute annotation that we had to scrap, since eslogger doesn’t see that activity.

  • xp_malware_detected
  • xp_malware_remediated

Added recently, these are notifications of XProtect detections and remediations.

Notes

Again, there are lots of other event types emitted by eslogger, covering authentication, SSH and XProtect, to name a few. There are scores of other extremely useful events that we didn’t discuss. Please treat this post as a starting point for exploration, not the end.

% eslogger --list-events | wc -l
	82