es_message_t

A message from the Endpoint Security subsystem that describes a security event.

Declaration

struct es_message_t

Overview

A message contains an event monitored by Endpoint Security and an action to perform. The event is a union of types specific to each kind of event. For example, a file-renaming event provides the source and destination paths as the union member rename. Similarly, a process fork event provides the process identifier of the new child process as the union member fork. Inspect the event_type to determine which member of the union to access.

A message can be an authorization request, or a notification of an event that has already taken place, as indicated by the action_type field. For authorization messages, your client handler calls es_respond_auth_result(_:_:_:_:) or es_respond_flags_result(_:_:_:_:) to authorize, deny, or pass behavior flags back to Endpoint Security.
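The dispatch this overview describes, as an added example in C that is not Apple's code: it switches on event_type to pick the union member, and responds only when action_type says the message is an authorization request. The typedefs are a constructed, trimmed stand-in for the framework's declarations, and the protected-directory rule and the response-counting stub are assumptions made for the example.

```c
/* Added example, not Apple's code: dispatching on an es_message_t. The typedefs are a constructed,
 * trimmed stand-in for the real declarations so this compiles without <EndpointSecurity/EndpointSecurity.h>. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef enum { ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_NOTIFY_FORK } es_event_type_t;
typedef enum { ES_ACTION_TYPE_AUTH, ES_ACTION_TYPE_NOTIFY } es_action_type_t;
typedef enum { ES_AUTH_RESULT_ALLOW, ES_AUTH_RESULT_DENY } es_auth_result_t;
typedef enum { ES_DESTINATION_TYPE_EXISTING_FILE, ES_DESTINATION_TYPE_NEW_PATH } es_destination_type_t;
typedef struct { size_t length; const char *data; } es_string_token_t;
typedef struct { es_string_token_t path; } es_file_t;
typedef struct { int pid; } es_process_t;  /* stand-in: the real struct carries an audit_token */
typedef struct {
    es_file_t *source; es_destination_type_t destination_type;
    union { es_file_t *existing_file; struct { es_file_t *dir; es_string_token_t filename; } new_path; } destination;
} es_event_rename_t;
typedef struct { es_process_t *child; } es_event_fork_t;
typedef struct es_client_t es_client_t;
typedef struct {
    es_action_type_t action_type;  /* AUTH: a verdict is owed before the deadline; NOTIFY: informational */
    es_event_type_t event_type;    /* says which member of `event` is valid */
    union { es_event_rename_t rename; es_event_fork_t fork; } event;
} es_message_t;
/* Stand-in for the framework call; it only counts responses so the handler can be checked. */
static int g_responses, g_last_child_pid;
static void es_respond_auth_result(es_client_t *c, const es_message_t *m, es_auth_result_t r, bool cache) {
    (void)c; (void)m; (void)r; (void)cache; g_responses++;
}
#define PROTECTED_DIR "/Library/LaunchDaemons/"  /* example policy: block renames into launchd's daemon dir */

/* Returns the verdict sent for an AUTH message, or -1 if none was sent (correct for every NOTIFY message). */
int handle_message(es_client_t *client, const es_message_t *msg) {
    es_auth_result_t verdict = ES_AUTH_RESULT_ALLOW;
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_RENAME: {
        const es_event_rename_t *r = &msg->event.rename;
        const es_file_t *target = r->destination_type == ES_DESTINATION_TYPE_EXISTING_FILE
                                  ? r->destination.existing_file : r->destination.new_path.dir;
        if (strncmp(target->path.data, PROTECTED_DIR, strlen(PROTECTED_DIR)) == 0) verdict = ES_AUTH_RESULT_DENY;
        break;
    }
    case ES_EVENT_TYPE_NOTIFY_FORK:
        g_last_child_pid = msg->event.fork.child->pid;  /* observe only; nothing to authorize */
        break;
    }
    if (msg->action_type != ES_ACTION_TYPE_AUTH) return -1;
    es_respond_auth_result(client, msg, verdict, false);  /* cache=false: decide each message afresh */
    return (int)verdict;
}
```

In the real framework, calling es_respond_auth_result on a notification message is rejected (the call reports that the message is not an auth message), and an authorization message that is not answered before its deadline causes the client to be disconnected, so the action_type check is not optional.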

Topics

Inspecting Message Properties

Identifying the Matched Event

Inspecting Timing Properties

Identifying the Source Process

Inspecting Thread Properties