Structure

es_message_t

A message from the Endpoint Security subsystem that describes a security event.

Declaration

typedef struct {
    ...
} es_message_t;

Overview

A message contains an event monitored by Endpoint Security and an action to perform. The event is a union of types specific to each kind of event. For example, a file-renaming event provides the source and destination paths as the union member rename. Similarly, a process fork event provides the process identifier of the new child process as the union member fork. Inspect the event_type to determine which member of the union to access.

A message can be an authorization request, or a notification of an event that has already taken place, as indicated by the action_type field. For authorization messages, your client handler calls es_respond_auth_result or es_respond_flags_result to authorize, deny, or pass behavior flags back to Endpoint Security.
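An added example, not Apple's code, of a minimal observe-only client handler built on the two rules above: it reads the event union member selected by event_type (rename and fork, the cases the overview names) and answers authorization messages with es_respond_auth_result. It assumes macOS with the EndpointSecurity framework, the com.apple.developer.endpoint-security.client entitlement, and linking against libbsm for audit_token_to_pid; the allow-everything policy is constructed for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>          // audit_token_to_pid(); link with -lbsm

// es_string_token_t is a length-delimited buffer, not a NUL-terminated C string.
static NSString *ESString(es_string_token_t tok) {
    return [[NSString alloc] initWithBytes:tok.data length:tok.length
                                  encoding:NSUTF8StringEncoding];
}

static void handle_message(es_client_t *client, const es_message_t *msg) {
    pid_t pid = audit_token_to_pid(msg->process->audit_token);
    NSString *exe = ESString(msg->process->executable->path);
    // event_type says which member of the event union is valid.
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_RENAME:
    case ES_EVENT_TYPE_NOTIFY_RENAME: {
        const es_event_rename_t *r = &msg->event.rename;
        NSString *dst = (r->destination_type == ES_DESTINATION_TYPE_EXISTING_FILE)
            ? ESString(r->destination.existing_file->path)
            : [NSString stringWithFormat:@"%@/%@", ESString(r->destination.new_path.dir->path),
                                                   ESString(r->destination.new_path.filename)];
        NSLog(@"rename by %@[%d]: %@ -> %@", exe, pid, ESString(r->source->path), dst);
        break;
    }
    case ES_EVENT_TYPE_NOTIFY_FORK:   // fork is notify-only; nothing to respond to
        NSLog(@"fork by %@[%d]: child pid %d", exe, pid,
              audit_token_to_pid(msg->event.fork.child->audit_token));
        break;
    default: break;
    }

    // Only AUTH messages take a verdict, and it must be delivered before msg->deadline
    // (a Mach time value); a late or missing response gets the client terminated.
    if (msg->action_type == ES_ACTION_TYPE_AUTH) {
        // Constructed policy for this example: observe only, allow, do not cache the verdict.
        es_respond_result_t rc = es_respond_auth_result(client, msg, ES_AUTH_RESULT_ALLOW, false);
        if (rc != ES_RESPOND_RESULT_SUCCESS) NSLog(@"es_respond_auth_result failed: %d", rc);
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) { handle_message(c, msg); });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) { fprintf(stderr, "es_new_client: %d\n", res); return 1; }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_NOTIFY_FORK };
    if (es_subscribe(client, events, 2) != ES_RETURN_SUCCESS) { fprintf(stderr, "es_subscribe\n"); return 1; }
    dispatch_main();   // handler runs on a framework-owned dispatch queue
}
```

The handler does its work synchronously; a client that defers processing must es_retain_message the message and still respond before deadline.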

Topics

Inspecting Message Properties

action

The action monitored by Endpoint Security.

action_type

The type of action: authorization or notification.

es_action_type_t

The type of the message’s action.

es_event_id_t

An opaque identifier for events.

es_result_t

The result of the Endpoint Security subsystem authorization process.

version

The version of the Endpoint Security message.

Identifying the Matched Event

event

The event that triggered this message.

es_events_t

A C union of event-specific types.

event_type

The type of the message’s event.

es_event_type_t

A type used to identify a message’s event type, and to subscribe to events of that type.

Inspecting Timing Properties

time

The time the event occurred, expressed as a Darwin time value.

mach_time

The time the event occurred, as a Mach time value.

deadline

The deadline by which your app must respond to the event.

Identifying the Source Process

process

The process that performed the action defined in a message.

es_process_t

A type that describes a process, as delivered by an Endpoint Security message.

Reserved Properties

opaque

An opaque storage field.

reserved

An unused field reserved for future use.