# general
d
Hi guys! Have some problems with macOS Sonoma and Endpoint Security. We have a table "process_events" which receives events from OpenBSM. As you know, on macOS Sonoma (14.x) OpenBSM is deprecated and isn't running, but we have "es_process_events" which receives events from EndpointSecurity and everything is fine. But we also have a table "socket_events", and on macOS Sonoma we obviously don't get any events. What other table can we use that receives network events from EndpointSecurity?
s
Hello @Denis, although OpenBSM has been deprecated (for a while) it still works on Sonoma, and for socket_events there's no substitute currently. Apple has only exposed unix domain socket events (so IPC only).
d
Okay, we'll try to run openbsm... Thanks Stefano!
b
@Denis is correct. openbsm on Sonoma is disabled; you have to manually re-enable it on every machine — see `man 8 audit`. And ES currently does not provide socket events; a Network Extension would be required.
d
Guys, if I understand correctly, OpenBSM only turns on after a full reboot of the macOS machine? I didn't receive events from openbsm right after
sudo cp /etc/security/audit_control.example /etc/security/audit_control
and
sudo /bin/launchctl enable system/com.apple.auditd
and
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
ONLY after a full macOS reboot...
b
Yes, the man page says a reboot is required.
d
Ohh...ok.