# general
b
Hello everyone, I would like to monitor macOS for established network connections to remote hosts. Is there an "evented" table for this use case?
b
The `socket_events` table should work for this - you can read about setting it up in the docs here. You might want some additional flags to only turn on this audit subsystem for network events (not process, file, and user events):

```json
{
    "disable_audit": false,
    "audit_allow_config": true,
    "audit_allow_sockets": true,
    "audit_allow_process_events": false,
    "audit_allow_user_events": false,
    "audit_allow_fim_events": false
}
```
That's because this "audit" system is deprecated on macOS in favor of the endpoint security framework (see the `es_` tables). But for network events, osquery doesn't support them using the endpoint security framework yet.
b
Just to be clear, ES does not do network events (yet?). You would have to use an NSYSEXT IP or content filter to emulate audit socket events.
b
Oh good point, appreciate the correction! Hopefully the audit subsystem doesn't actually go away soon; making a network extension sounds like it'll be a bigger lift to add to osquery than just a new endpoint security event type.
b
It would be much bigger.
b
Thank you, this is great.