Comment on What does Endpoint Security cache?
In the video Mathew said that creating a new ES client triggers cache invalidation. Nothing about that is in the documentation. Maybe there are other cases when the cache gets invalidated? I've noticed that I receive only one AUTH_OPEN request if I open the same file a couple of times per second. And I start receiving more requests when I increase the time interval between opening the file, like 1 second between openings.
Topic: App & System Services SubTopic: Drivers Tags:
Mar ’23
Comment on Suspending USB Device
Yeah, I already saw a similar thread about es_event_iokit_open_t and that there is no way to get to the actual device from it.
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’23
Comment on Network extension and chrome, Edge, Firefox, opera
I'm playing with the sample code and noticed that there is no URL or hostname in the flow when I make any request in Google Chrome. It requests the IP address directly. Probably it has cached DNS? Is it possible to get the hostname somehow?
Topic: App & System Services SubTopic: Drivers Tags:
Feb ’23