From ba75d2bcce8c04f8e1e6cba579124dca005ba578 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit
Date: Mon, 30 Mar 2026 12:52:56 -0500
Subject: [PATCH] Add Library/Module Loaded subcategory to macOS telemetry

New subcategory under Process Activity tracking dylib/shared library load events. Elastic Defend collects these via ESF events since 8.11.0, normalized as event.category: library and event.action: load.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 EDR_telem_macOS.json | 13 +++++++++++++
 Tools/compare.py | 1 +
 partially_value_explanations_macOS.json | 10 ++++++++++
 3 files changed, 24 insertions(+)

diff --git a/EDR_telem_macOS.json b/EDR_telem_macOS.json
index 75439e5..25a049e 100644
--- a/EDR_telem_macOS.json
+++ b/EDR_telem_macOS.json
@@ -25,6 +25,19 @@
 "Qualys": "Yes",
 "Unnamed: 10": null
 },
+ {
+ "Telemetry Feature Category": null,
+ "Sub-Category": "Library/Module Loaded",
+ "Phorion": "No",
+ "BitDefender": "No",
+ "CrowdStrike": "No",
+ "ESET Inspect": "No",
+ "Elastic": "Yes",
+ "LimaCharlie": "No",
+ "MDE": "No",
+ "Qualys": "No",
+ "Unnamed: 10": null
+ },
 {
 "Telemetry Feature Category": "File Activity",
 "Sub-Category": "File Creation",
diff --git a/Tools/compare.py b/Tools/compare.py
index b9cc40c..5ba040a 100644
--- a/Tools/compare.py
+++ b/Tools/compare.py
@@ -109,6 +109,7 @@
 # Process Activity
 "Process Creation": 1.0,
 "Process Termination": 0.5,
+ "Library/Module Loaded": 1.0,
 # File Activity
 "File Creation": 1.0,
 "File Modification": 1.0,
diff --git a/partially_value_explanations_macOS.json b/partially_value_explanations_macOS.json
index 868e60b..d3b5677 100644
--- a/partially_value_explanations_macOS.json
+++ b/partially_value_explanations_macOS.json
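Review bot: The new row's `"Elastic": "Yes"` holds, per the commit message, only for Elastic Defend 8.11.0 and later, but the data file carries no version floor, so a reader of EDR_telem_macOS.json cannot tell that older deployments do not emit these library load events; the third hunk's explanations row leaves every field empty, which is where such a qualifier could live if the file accepts notes on non-"Partially" cells, e.g. `"Elastic": "ESF library load events, Elastic Defend 8.11.0 and later (event.category: library, event.action: load)"`. The seven `"No"` values are supported by nothing in the commit; if they were not individually checked against vendor documentation, say so in the commit message or use whatever marker the dataset reserves for unverified coverage, since a flat "No" will be read as a verified gap. The `null` category and the placement after the preceding row's `"Unnamed: 10": null` follow the neighbouring rows' convention as far as the hunk shows.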
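Review bot: The weight `1.0` for `"Library/Module Loaded"` puts it on par with `"Process Creation"` while `"Process Termination"` sits at `0.5`, and the hunk gives no reason for the choice even though this table drives the comparison score; a trailing comment carrying the rationale from the commit message would help, e.g. `"Library/Module Loaded": 1.0,  # dylib/shared-library load events; scored like Process Creation`. If this weight table is shared by comparisons for other platforms' data files, confirm that a key with no matching row in those files is skipped rather than counted as missing coverage; that cannot be told from the hunk. The enclosing dict starts and ends outside the hunk.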
@@ -19,6 +19,16 @@
 "CrowdStrike": "",
 "MDE": ""
 },
+ {
+ "Telemetry Feature Category": null,
+ "Sub-Category": "Library/Module Loaded",
+ "LimaCharlie": "",
+ "Elastic": "",
+ "BitDefender": "",
+ "Qualys": "",
+ "CrowdStrike": "",
+ "MDE": ""
+ },
 {
 "Telemetry Feature Category": "File Activity",
 "Sub-Category": "File Creation",