howdy, anyone tackled monitoring ssh-based activity with osquery on macos? in particular i'm looking to identify sftp/scp/smb activity. es_process_creation has some process based stuff which highlights good src/dst info, curious if anyone else has taken a different approach?

Can you expand a bit on what you are looking for? More socket like things?

at a high level, i think the goal is to audit user activity for instances where file sharing services such as nfs, smb, (s)ftp, scp are used on macOS endpoints to accomplish data movement