Capturing file read events in Endpoint Security client
Hi everyone! I'd like to create an application for system monitoring using the Endpoint Security framework. I already have a working prototype and now I am trying to expand its capabilities to capture more event types. I started looking at filesystem-related events as one of the most important ones for my use case. These seem to be supported fairly well by the framework (ES_EVENT_TYPE_NOTIFY_OPEN/CLOSE/CREATE/WRITE etc.). However, the "READ FILE" event seems to be absent… Am I missing something here, or does the Endpoint Security framework not provide this kind of information? If it doesn't, what is the reason behind this? Capturing this type of event seems quite relevant for security-related software. Thanks & Best regards, Roman
3 replies, 0 boosts, 74 views, 1w
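The framework reports file access at open/close granularity rather than per read(2) call: an open event carries the flags the descriptor was opened with (FREAD/FWRITE in `es_event_open_t.fflag`), and the matching close event says whether the file was modified. The following is an added example, not code from the post above, of a minimal notify-only client that subscribes to the four event types Roman lists and prints the access mode derived from `fflag`. It assumes the binary is signed with the `com.apple.developer.endpoint-security.client` entitlement and runs as root; the `kFREAD`/`kFWRITE` constants are copied here from <sys/fcntl.h> so the example does not depend on how that header is imported.

```swift
import EndpointSecurity
import Foundation

// Values of FREAD and FWRITE from <sys/fcntl.h>; es_event_open_t.fflag carries these bits.
let kFREAD: Int32 = 0x0001
let kFWRITE: Int32 = 0x0002

/// Convert an es_string_token_t (length + pointer) to a String without relying on a NUL terminator.
func string(from token: es_string_token_t) -> String {
    let bytes = UnsafeRawBufferPointer(start: token.data, count: Int(token.length))
    return String(decoding: bytes, as: UTF8.self)
}

/// Describe an open event's access mode: "r", "w", "rw" or "" (e.g. O_EXEC-style opens).
func accessMode(fflag: Int32) -> String {
    var mode = ""
    if fflag & kFREAD != 0 { mode += "r" }
    if fflag & kFWRITE != 0 { mode += "w" }
    return mode
}

var client: OpaquePointer?
let result = es_new_client(&client) { _, message in
    let msg = message.pointee
    let proc = msg.process.pointee
    let pid = audit_token_to_pid(proc.audit_token)
    let exe = string(from: proc.executable.pointee.path)

    switch msg.event_type {
    case ES_EVENT_TYPE_NOTIFY_OPEN:
        // The closest thing to a "read" event: an open with FREAD set.
        let open = msg.event.open
        print("OPEN   pid=\(pid) \(exe) mode=\(accessMode(fflag: open.fflag)) \(string(from: open.file.pointee.path))")
    case ES_EVENT_TYPE_NOTIFY_CLOSE:
        // `modified` tells you whether anything was written through this descriptor.
        let close = msg.event.close
        print("CLOSE  pid=\(pid) \(exe) modified=\(close.modified) \(string(from: close.file.pointee.path))")
    case ES_EVENT_TYPE_NOTIFY_WRITE:
        let write = msg.event.write
        print("WRITE  pid=\(pid) \(exe) \(string(from: write.target.pointee.path))")
    case ES_EVENT_TYPE_NOTIFY_CREATE:
        // CREATE reports either a not-yet-existing path (dir + filename) or an existing file.
        let create = msg.event.create
        let path: String
        if create.destination_type == ES_DESTINATION_TYPE_NEW_PATH {
            path = string(from: create.destination.new_path.dir.pointee.path)
                 + "/" + string(from: create.destination.new_path.filename)
        } else {
            path = string(from: create.destination.existing_file.pointee.path)
        }
        print("CREATE pid=\(pid) \(exe) \(path)")
    default:
        break
    }
}

guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    // Common causes: missing endpoint-security entitlement, not running as root,
    // or the user has not granted Full Disk Access to the client.
    fatalError("es_new_client failed with result \(result.rawValue)")
}

let events: [es_event_type_t] = [
    ES_EVENT_TYPE_NOTIFY_OPEN,
    ES_EVENT_TYPE_NOTIFY_CLOSE,
    ES_EVENT_TYPE_NOTIFY_WRITE,
    ES_EVENT_TYPE_NOTIFY_CREATE,
]
guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}

dispatchMain()
```

Because these are NOTIFY events there is no auth deadline to respond to, so the handler can simply log. Treat an open with `r` in the mode as "this process gained read access to this file"; the framework does not tell you how many bytes, if any, were subsequently read.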
Virtualization.framework: getting the guest's CID from the host side
Hi everyone! I'm developing a system where an application running in a VM communicates with the host operating system's components using vsock sockets (VZVirtioSocketDevice in Virtualization.framework). Both systems are running macOS. There may be multiple guests, and the existing implementation for other OSes relies on the VM's CID to differentiate them. In macOS, getting the CID from inside the guest VM is straightforward—it is returned by IOCTL_VM_SOCKETS_GET_LOCAL_CID. However, in macOS the regular vsock API is not available on the host side; it is replaced by Virtualization.framework. I could not find anything in the Virtualization.framework's documentation that could be used to query (or set?) the CID for the specific virtual machine instance (which is certainly possible on other platforms utilizing Virtio drivers, e.g. Linux/QEMU). Am I overlooking something?
2 replies, 0 boosts, 514 views, Jan ’25
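Whatever the answer on CIDs, the host side does get one piece of per-VM identity for free: every VZVirtualMachine owns its own VZVirtioSocketDevice, and `VZVirtioSocketListenerDelegate` receives that device object with each incoming connection. The following is an added example, not code from the post above, that keys guests on the device instead of a CID. The host port 1234, the guest names and the VM configurations are assumptions; each configuration is assumed to include a VZVirtioSocketDeviceConfiguration.

```swift
import Foundation
import Virtualization

/// Accepts guest-initiated vsock connections from several VMs and tells them apart
/// by the VZVirtioSocketDevice the connection arrived on, not by a CID.
final class GuestVsockRouter: NSObject, VZVirtioSocketListenerDelegate {
    private struct Entry { let name: String; let vm: VZVirtualMachine }
    // Keyed by device identity; Entry retains the VM (and thus the device) so the key stays valid.
    private var guests: [ObjectIdentifier: Entry] = [:]
    private let listener = VZVirtioSocketListener()
    private let port: UInt32

    init(port: UInt32) {
        self.port = port
        super.init()
        listener.delegate = self
    }

    /// Register one VM under a name. Call on the dispatch queue the VM was created with.
    func register(_ vm: VZVirtualMachine, as name: String) {
        guard let device = vm.socketDevices.first as? VZVirtioSocketDevice else {
            print("\(name): configuration has no VZVirtioSocketDevice")
            return
        }
        guests[ObjectIdentifier(device)] = Entry(name: name, vm: vm)
        // Guests that connect to vsock port `port` on the host (CID 2) land in the delegate below.
        device.setSocketListener(listener, forPort: port)
    }

    // MARK: VZVirtioSocketListenerDelegate

    func listener(_ listener: VZVirtioSocketListener,
                  shouldAcceptNewConnection connection: VZVirtioSocketConnection,
                  from socketDevice: VZVirtioSocketDevice) -> Bool {
        guard let entry = guests[ObjectIdentifier(socketDevice)] else {
            return false // a device we never registered: refuse the connection
        }
        print("\(entry.name): guest port \(connection.sourcePort) -> host port \(connection.destinationPort)")
        serve(connection, from: entry.name)
        return true
    }

    /// Read whatever the guest sends on the accepted connection's file descriptor.
    private func serve(_ connection: VZVirtioSocketConnection, from name: String) {
        let fd = connection.fileDescriptor
        let source = DispatchSource.makeReadSource(fileDescriptor: fd, queue: .global())
        source.setEventHandler {
            var buffer = [UInt8](repeating: 0, count: 4096)
            let n = read(fd, &buffer, buffer.count)
            if n > 0 {
                print("\(name) says: \(String(decoding: buffer[0..<n], as: UTF8.self))")
            } else {
                source.cancel() // EOF or error: tear the connection down
            }
        }
        source.setCancelHandler { connection.close() }
        source.resume()
    }
}

// Usage sketch. `configs` are VZVirtualMachineConfiguration objects (assumed here) that each
// contain a VZVirtioSocketDeviceConfiguration and have been validated with validate().
func startGuests(_ configs: [VZVirtualMachineConfiguration]) -> GuestVsockRouter {
    let router = GuestVsockRouter(port: 1234)
    let queue = DispatchQueue(label: "vm.queue")
    for (index, config) in configs.enumerated() {
        let vm = VZVirtualMachine(configuration: config, queue: queue)
        queue.async {
            router.register(vm, as: "guest-\(index)")
            vm.start { result in
                if case .failure(let error) = result { print("guest-\(index) failed to start: \(error)") }
            }
        }
    }
    return router
}
```

The mapping works in the other direction too: to reach a service inside a particular guest, call `connect(toPort:completionHandler:)` on that guest's VZVirtioSocketDevice, so the host never needs a CID to address a VM. Inside the guest, the local CID from IOCTL_VM_SOCKETS_GET_LOCAL_CID can still be sent as the first bytes of the connection if the protocol shared with the other platforms expects it.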