ESF for Detection Engineering
Getting Started with macOS Endpoint Security Framework (ESF) for Threat Detection Engineering
Apple’s Endpoint Security Framework (ESF) is a macOS API introduced in macOS Catalina (10.15) to monitor system events for signs of malicious activity. In essence, ESF provides security tools with a “one stop shop” for real-time telemetry on macOS. This framework was Apple’s answer to limitations in Mac security logging. It replaces Kernel Extensions (KEXTs) and the OpenBSM audit system with a user-space solution. Today’s endpoint security products (e.g., antivirus and EDR solutions) on macOS are built on ESF to gain visibility into system activities without needing to hook into the kernel.
Some advantages of ESF include: real-time notification of events (e.g., process executions, file access, memory mapping, etc.), the ability for security software to authorize or block certain operations, and a simpler user-space API model that avoids kernel instability. ESF supports dozens of event types (close to 90 as of recent macOS versions) covering process lifecycles, file system changes, network/IPC events, user logins, and more. This breadth of coverage means we can observe a wide range of malicious behaviors, from process launches to file modifications, by subscribing to the relevant ESF events. For example, there are event types to notify on process execution (EXEC events), file creation or deletion, loading of libraries, mounting of disks, and even certain security subsystems, such as XProtect scanning results.
(Figure: ESF events shown in Mac Monitor)
So, why does ESF matter?
It delivers visibility into system actions in real time, analogous to how ETW (Event Tracing for Windows) provides telemetry on Windows. Prior to ESF, Mac defenders had to rely on OpenBSM logs or proprietary kernel extensions. OpenBSM was purely reactive (logging events after the fact) and cumbersome to use, while kernel extensions were powerful but are now being phased out by Apple for security reasons. ESF fills this gap by allowing security tools to both observe and optionally prevent suspicious activities as they happen. It is the pipeline through which endpoint telemetry flows on Macs.
How ESF works (in a nutshell)
At a high level, the Endpoint Security framework runs as a system service (in user-space) that taps into macOS internals and publishes security-relevant events. To use ESF, a security client (like a monitoring or EDR tool) registers with the framework; this requires the app to be properly code-signed and given a special Apple entitlement.
Once registered, the client can subscribe to the specific event types it cares about, for example process exec notifications or file write notifications. ESF then delivers a continuous stream of messages (structured data) to the client, one for each occurrence of a subscribed event. Each message contains details about the event, such as the process that initiated it, the file paths involved, user credentials, timestamps, and so on.
Notably, ESF events come in two flavors:
- Notification events: These inform the client that something happened (e.g., a file was opened or a process was executed). They are asynchronous and read-only; your client can log or react to them, but cannot stop the action. Notification events are used purely for observation and detection logic.
- Authorization events: These are synchronous hooks that occur before an action completes (e.g., before a process executes or before a file is deleted). Your security client can decide to allow or block the action. By responding with an “allow” or “deny” verdict, an authorized ESF client can prevent malicious actions in real time. For instance, an EDR could block an unknown binary from executing by denying an AUTH_EXEC event. (If the client doesn’t respond, the action is allowed by default after a short timeout.)