New:
- Moved cmdReporter to an App bundle in /Applications folder
- Implemented Apple's endpoint security framework for some monitoring operations
- Improved process_name resolution logic
- Originating process information added to relevant events
- Originating LaunchDaemon and LaunchAgent information added to relevant events
- Execution argument summaries for high-volume RATE_LIMIT_END_EVENT(s)
Improvements:
- XProtect logs are now separate events instead of one summary event
- QoS Optimizations across all cmdReporter threads
- Improved parent process attribution
- Improved battery and system impact
- Fixed: Rare error when macOS maximum open files is exceeded
- Fixed: Logic to avoid rare CPU spikes on system login
- Fixed: Rare crash on cmdReporter shutdown
- Fixed: Offline log unspool rate slowed to avoid server rate-limiting
- Fixed: Misc small bug fixes
New Fields:
Field | Description
subject.process_information.program | Path to the originating process at the root of the execution chain
subject.process_information.submitted_by_name | Name of the originating process at the root of the execution chain
subject.process_information.submitted_by_pid | PID of the originating process at the root of the execution chain
subject.process_information.submitted_by_plist | Preference file for the background task that originated this event
subject.responsible_process_id | PID of the process that directly spawned this event
subject.responsible_process_name | Name of the process that directly spawned this event
event_attributes.rate_limit_summary{} | Array of the 10 most common exec_args.args_compiled strings from a RATE_LIMIT_END event