C-Prot macOS telemetry updates #195

Merged
tsale merged 2 commits into main from c-prot-macos-telemetry-consolidated
May 14, 2026

Owner

tsale commented May 13, 2026

EDR Telemetry Pull Request

Contribution Details

Consolidates the C-Prot macOS telemetry updates that were originally submitted as separate PRs for individual subcategories:

Changed file:

  • EDR_telem_macOS.json

Telemetry Validation

Documentation or Evidence:

  • Official documentation
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation

This PR preserves the submitted C-Prot macOS changes as a single OS-scoped review unit. Evidence details remain as provided by the contributor in the original PRs and should be reviewed before publication/merge.

Type of Contribution

  • Adding telemetry information for an existing EDR product

Validation Details

EDR Product Information

  • EDR Product Name: C-Prot EDR
  • EDR Version: Not specified in the original PRs
  • Operating System(s) Tested: macOS

Testing Methodology

Not specified in the original PRs. This consolidation was validated mechanically by:

Additional Notes

This PR is intended to replace the individual C-Prot macOS PRs listed above so the project can review multiple same-OS telemetry changes in one pull request.

Consolidates C-Prot macOS telemetry updates from PRs #182-#190 into one OS-scoped change set.
Owner Author

tsale commented May 13, 2026

@husnuoner thank you for the C-Prot EDR telemetry contributions.

For future submissions, please group related telemetry updates into a single pull request per operating system rather than opening one pull request per individual category or row. For example:

  • one PR for multiple Windows changes
  • one PR for multiple Linux changes
  • one PR for multiple macOS changes

This makes review, validation, and merging much easier for the project.

I’ve consolidated the current submissions into OS-scoped PRs here:

  • macOS: #195
  • Windows: #196

Thanks again for contributing.

Keep Raw Device Access accepted based on direct raw device access evidence, but leave Process Access and Process Injection Or Tampering as No because the submitted evidence is detection/prevention-oriented rather than direct telemetry.
Owner Author

tsale commented May 14, 2026

Thanks for the evidence @husnuoner. Everything looks good except Process Access and Process Injection/Tampering.

Raw Device Access is accepted because the test successfully read from /dev/rdisk0, and the exported event directly records the raw device access attempt.

Process Access and Process Injection/Tampering are staying as No for now. Those events look more like detection/prevention records and do not expose enough direct telemetry detail for scoring under the project methodology.

@tsale tsale merged commit 4e92f79 into main May 14, 2026