feat: Add macOS Endpoint Security Framework (ESF) logsource and fields#204
Open
eric-nebulock wants to merge 1 commit into
Conversation
Add documentation for macOS ESF events:
- New service: endpointsecurity under macOS Folder
- Supported categories: process_creation, file_event, file_create, file_delete, file_rename, authentication, process_injection, process_access, driver_load
- New fields section documenting Unix user/group, code signature, and process injection fields specific to ESF
- ESF event type reference table

This complements pySigma-backend-elasticsearch PR SigmaHQ#171 which adds the ecs_macos_esf pipeline.

References:
- Apple ESF: https://developer.apple.com/documentation/endpointsecurity
- eslogger: https://keith.github.io/xcode-man-pages/eslogger.1.html
eric-nebulock added a commit to eric-nebulock/pySigma-backend-elasticsearch that referenced this pull request on Jan 21, 2026
Add processing pipeline for macOS Endpoint Security Framework (ESF) events that maps Sigma taxonomy fields to ECS (Elastic Common Schema) fields.

Features:
- Maps Sigma taxonomy fields to ECS fields (process.executable, process.pid, etc.)
- Supports 16 logsource categories (process_creation, file_event, authentication, etc.)
- Includes macOS-specific field mappings (SigningID, TeamID, SignalNumber, etc.)
- Includes Unix user/group field mappings (UserId, RealUserId, GroupId, etc.)
- 8 unit tests with 100% coverage on macos.py

Logsource: product: macos, service: endpointsecurity

Related: SigmaHQ/sigma-specification#204
PR: Add macOS Endpoint Security Framework (ESF) Logsource and Fields
Summary
This PR adds documentation for macOS Endpoint Security Framework (ESF) events to the Sigma Taxonomy, as requested in pySigma-backend-elasticsearch PR #171.
Changes
1. New Logsource (macOS Folder Section)
Added service: endpointsecurity under the macOS Folder with supported categories:

product: macos
service: endpointsecurity

Supported Categories:
- process_creation - ESF exec events (type 9)
- file_event - General file events
- file_create - File creation (type 13)
- file_delete - File deletion (type 19)
- file_rename - File rename (type 21)
- authentication - Authentication events (type 111)
- process_injection / process_access - Ptrace events (type 64)
- driver_load - Kernel extension events (types 17, 18)

2. Added to Specific Section
Added macOS to the Specific section alongside Windows and Linux:
3. New Fields Section
Added comprehensive field documentation for macOS ESF events:
Why These Changes?
The macOS Endpoint Security Framework is Apple's modern security telemetry API. The service: endpointsecurity attribute is necessary because:

Related
- ecs_macos_esf pipeline

Checklist
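The two pieces this PR and the linked pipeline commit describe, picking a Sigma logsource category from an ESF event_type and renaming Sigma taxonomy fields to ECS, are shown end to end below as an added example. It is not code from this PR, from sigma-specification or from pySigma-backend-elasticsearch. The event_type numbers come from the category list above; the sample event is constructed and only loosely shaped after eslogger's JSON, and the Sigma-to-ECS names (process.code_signature.signing_id and so on) are this example's own assumptions, not the ecs_macos_esf pipeline's table. The rule matcher understands only named selections AND-ed together with an optional "not", enough to run one rule against one event.

```python
"""Added example (not the PR's, sigma-specification's or pySigma's code).
Classify an ESF event into a Sigma category, flatten it to Sigma taxonomy
fields, map those to ECS names, and evaluate a minimal Sigma-style rule.
Event JSON is constructed; the Sigma->ECS field names are assumptions."""

# ESF event_type -> Sigma category, as listed in the PR description.
# Type 64 (ptrace) serves both process_injection and process_access there.
ESF_EVENT_CATEGORY = {
    9: "process_creation", 13: "file_create", 19: "file_delete",
    21: "file_rename", 111: "authentication", 64: "process_injection",
    17: "driver_load", 18: "driver_load",
}

# Sigma taxonomy field -> ECS field (assumed mapping for this example only).
SIGMA_TO_ECS = {
    "Image": "process.executable", "CommandLine": "process.command_line",
    "ProcessId": "process.pid", "ParentProcessId": "process.parent.pid",
    "SigningID": "process.code_signature.signing_id",
    "TeamID": "process.code_signature.team_id",
    "UserId": "user.id", "GroupId": "group.id",
}

# Constructed sample (not captured from a real host): zsh exec'ing curl.
# exec replaces the image in place, so "process" (pre-exec) and the exec
# "target" share a pid; the parent pid lives on the target.
SAMPLE_EXEC_EVENT = {
    "event_type": 9,
    "process": {"executable": {"path": "/bin/zsh"},
                "audit_token": {"pid": 4311, "euid": 501, "egid": 20},
                "signing_id": "com.apple.zsh", "team_id": None},
    "event": {"exec": {
        "target": {"executable": {"path": "/usr/bin/curl"},
                   "audit_token": {"pid": 4311, "euid": 501, "egid": 20},
                   "signing_id": "com.apple.curl", "team_id": None,
                   "ppid": 4242},
        "args": ["curl", "-fsSL", "http://example.invalid/x.sh"],
    }},
}


def classify(event):
    """Sigma category for an ESF event, or None when the type is unmapped."""
    return ESF_EVENT_CATEGORY.get(event.get("event_type"))


def to_sigma_fields(event):
    """Flatten an exec event into Sigma taxonomy fields."""
    if classify(event) != "process_creation":
        raise ValueError("only exec events are handled in this example")
    ex = event["event"]["exec"]
    tgt, tok = ex["target"], ex["target"]["audit_token"]
    return {"Image": tgt["executable"]["path"],
            "CommandLine": " ".join(ex["args"]),
            "ProcessId": tok["pid"], "ParentProcessId": tgt["ppid"],
            "SigningID": tgt["signing_id"], "TeamID": tgt["team_id"],
            "UserId": tok["euid"], "GroupId": tok["egid"]}


def to_ecs(sigma_fields):
    """Rename Sigma fields to ECS and nest each on its dotted path,
    dropping fields that are unmapped or empty (e.g. TeamID of None)."""
    doc = {}
    for name, value in sigma_fields.items():
        ecs = SIGMA_TO_ECS.get(name)
        if ecs is None or value is None:
            continue
        node = doc
        *parents, leaf = ecs.split(".")
        for p in parents:
            node = node.setdefault(p, {})
        node[leaf] = value
    return doc


def _field_matches(fields, key, expected):
    """One 'Field|modifier': value pair; supports contains/endswith/startswith."""
    field, _, mod = key.partition("|")
    if fields.get(field) is None:
        return False
    actual = str(fields[field])
    if mod == "contains":
        return expected in actual
    if mod == "endswith":
        return actual.endswith(expected)
    if mod == "startswith":
        return actual.startswith(expected)
    return actual == str(expected)


def match_rule(rule, event):
    """Check logsource, then AND the condition's terms ('name' or 'not name')."""
    ls = rule["logsource"]
    if (ls.get("product"), ls.get("service")) != ("macos", "endpointsecurity"):
        return False
    if ls.get("category") != classify(event):
        return False
    fields, det = to_sigma_fields(event), rule["detection"]
    result = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = all(_field_matches(fields, k, v) for k, v in det[name].items())
        result = result and (hit != negate)
    return result


# Rule written against the new logsource; the TeamID filter value is hypothetical.
CURL_HTTP_RULE = {
    "logsource": {"product": "macos", "service": "endpointsecurity",
                  "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "/curl", "CommandLine|contains": "http://"},
        "filter": {"TeamID": "EXAMPLETEAM"},
        "condition": "selection and not filter",
    },
}
```

Running `to_ecs(to_sigma_fields(SAMPLE_EXEC_EVENT))` yields a nested ECS document with process.executable, process.pid, process.parent.pid and process.code_signature.signing_id set and no team_id key, because the constructed binary carries none; `match_rule(CURL_HTTP_RULE, SAMPLE_EXEC_EVENT)` is True, and the same rule with category file_create is False because the logsource check runs before any field is compared.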