Mac Monitor is a macOS-native security monitoring tool that takes a sophisticated approach to capturing low-level system events with minimal resource overhead. By separating the GUI app from a security extension via XPC and dynamically subscribing to Endpoint Security events only during active traces, it balances performance and event fidelity in a way most macOS monitoring tools don’t.
What mac-monitor does and how it’s built
At its core, mac-monitor uses Apple’s Endpoint Security (ES) framework combined with System Extension APIs to monitor system events on macOS. The project is written entirely in Swift, targeting macOS Ventura (13.1+) and later, supporting both Apple Silicon and Intel architectures.
The architecture is split between a GUI application and a background Security Extension that handles event monitoring. Communication between these two components uses XPC (interprocess communication), which allows the GUI to control the security extension’s lifecycle and event subscriptions dynamically.
This design means the security extension only collects events when needed — during active “traces” — reducing the performance impact typical of constant monitoring tools. The GUI app provides an interface to start/stop traces, visualize process subtrees, and export telemetry data.
Under the hood, mac-monitor employs Core Data configured for in-memory storage to handle potentially unlimited event volumes efficiently. This enables maintaining a rich history of correlated events at the process level without disk I/O bottlenecks.
Technical strengths: dynamic event subscription and event correlation
The standout feature of mac-monitor is its dynamic runtime subscription to Endpoint Security events. Unlike many static monitoring tools that subscribe to a fixed set of events, mac-monitor’s security extension subscribes and unsubscribes to ES events at runtime based on the user’s active trace configuration.
This approach reduces noise and resource consumption by focusing only on the events relevant to the current investigation. Additionally, it implements API-level path muting to filter out uninteresting file paths, further refining event capture.
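The subscribe-while-tracing idea and API-level path muting look like this in a minimal Endpoint Security client. The code below is an added example, not mac-monitor's own code: the type names (`TraceClient`, `TraceEvent`) and the sample mute prefix are assumptions, and the calls are the public `EndpointSecurity` C API as imported into Swift. A real client only works inside a process that carries the `com.apple.developer.endpoint-security.client` entitlement and has Full Disk Access; otherwise `es_new_client` refuses to create the client. In mac-monitor the start/stop calls would arrive over XPC from the GUI; here they are plain method calls.

```swift
import EndpointSecurity
import Foundation

/// What the handler hands to the rest of the app. Only the fields needed for
/// process-level correlation are copied out, because es_message_t is released
/// as soon as the handler returns.
struct TraceEvent {
    let type: es_event_type_t
    let pid: pid_t
    let ppid: pid_t
    let path: String?   // executable path for exec events, nil otherwise
}

/// Added example: an ES client whose subscriptions change at runtime.
final class TraceClient {
    private var client: OpaquePointer?
    private var subscribed: [es_event_type_t] = []
    private let sink: (TraceEvent) -> Void

    init?(sink: @escaping (TraceEvent) -> Void) {
        self.sink = sink
        // The handler runs on an ES-managed queue; keep it short and never block in it.
        let result = es_new_client(&client) { [weak self] _, message in
            self?.handle(message)
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, client != nil else { return nil }
    }

    private func handle(_ message: UnsafePointer<es_message_t>) {
        let proc = message.pointee.process.pointee
        var path: String? = nil
        if message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_EXEC {
            // es_string_token_t carries an explicit length; copy by length, not by NUL.
            let token = message.pointee.event.exec.target.pointee.executable.pointee.path
            let bytes = UnsafeRawBufferPointer(start: token.data, count: token.length)
            path = String(decoding: bytes, as: UTF8.self)
        }
        sink(TraceEvent(type: message.pointee.event_type,
                        pid: pid_t(proc.audit_token.val.5),   // slot 5 of the audit token is the pid
                        ppid: proc.ppid,
                        path: path))
    }

    /// Start a trace: subscribe only to the events this investigation needs.
    @discardableResult
    func startTrace(events: [es_event_type_t]) -> Bool {
        guard let client,
              es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS
        else { return false }
        subscribed = events
        return true
    }

    /// Stop the trace but keep the client, so the next trace does not pay for es_new_client again.
    func stopTrace() {
        guard let client, !subscribed.isEmpty else { return }
        _ = es_unsubscribe(client, subscribed, UInt32(subscribed.count))
        subscribed.removeAll()
    }

    /// API-level muting: events whose path starts with `prefix` are dropped before
    /// they reach this client, which is far cheaper than filtering in user space.
    @discardableResult
    func mute(prefix: String) -> Bool {
        guard let client else { return false }
        return es_mute_path(client, prefix, ES_MUTE_PATH_TYPE_PREFIX) == ES_RETURN_SUCCESS
    }

    deinit {
        if let client {
            es_unsubscribe_all(client)
            es_delete_client(client)
        }
    }
}

// Usage in an entitled process. The muted prefix is an assumed example of "noise for
// this investigation", not a recommendation; pick prefixes that fit the case at hand.
let tracer = TraceClient { event in print(event) }
tracer?.mute(prefix: "/private/var/folders/")
tracer?.startTrace(events: [ES_EVENT_TYPE_NOTIFY_EXEC,
                            ES_EVENT_TYPE_NOTIFY_FORK,
                            ES_EVENT_TYPE_NOTIFY_EXIT])
// ... later, when the user stops the trace:
tracer?.stopTrace()
```

The design point is the split between `startTrace`/`stopTrace` and the client's lifetime: `es_subscribe` and `es_unsubscribe` are cheap and can be called as often as the user changes the trace configuration, while `es_new_client` is done once. Muting is applied before subscribing so that the first events of the trace are already filtered.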
Event correlation is performed at the process level, allowing the tool to visualize entire process subtrees. This is crucial for threat hunting and forensic workflows where understanding the causal chain of events matters.
The use of Core Data in-memory storage is a practical tradeoff that prioritizes speed and responsiveness over long-term persistent storage. Users can export telemetry data in JSON or JSONL formats for archival or further analysis.
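Process-level correlation and the JSONL export can be shown without Core Data. The block below is an added example and not mac-monitor's code: it keeps a process table in memory, links children to parents on fork, updates the image on exec (the pid and therefore the tree edge survive an exec), marks exits without deleting the node so ancestry stays visible, and writes a subtree as one JSON object per line. The event enum, type names and the sample event sequence are all constructed for the example.

```swift
import Foundation

/// One process in the tree. Exited processes are kept so their children still
/// have a parent to hang from in the visualization.
struct ProcessNode: Codable {
    let pid: pid_t
    let ppid: pid_t
    var path: String
    var exited: Bool = false
    var children: [pid_t] = []
}

/// Shape of what an Endpoint Security handler would hand over (constructed for this example).
enum SampleEvent {
    case fork(pid: pid_t, ppid: pid_t)
    case exec(pid: pid_t, path: String)
    case exit(pid: pid_t)
}

final class ProcessTree {
    private(set) var nodes: [pid_t: ProcessNode] = [:]

    func apply(_ event: SampleEvent) {
        switch event {
        case let .fork(pid, ppid):
            // A forked child starts life as a copy of its parent's image.
            let image = nodes[ppid]?.path ?? "<unknown>"
            nodes[pid] = ProcessNode(pid: pid, ppid: ppid, path: image)
            nodes[ppid]?.children.append(pid)
        case let .exec(pid, path):
            // exec replaces the image but keeps the pid, so the parent edge is preserved.
            if nodes[pid] == nil { nodes[pid] = ProcessNode(pid: pid, ppid: 0, path: path) }
            nodes[pid]?.path = path
        case let .exit(pid):
            nodes[pid]?.exited = true
        }
    }

    /// Depth-first subtree rooted at `pid`: "everything this process spawned".
    func subtree(of pid: pid_t) -> [ProcessNode] {
        guard let root = nodes[pid] else { return [] }
        return [root] + root.children.flatMap { subtree(of: $0) }
    }

    /// JSONL export: one JSON object per line, one line per process in the subtree.
    func jsonl(rootedAt pid: pid_t) throws -> String {
        let encoder = JSONEncoder()
        encoder.outputFormatting = [.sortedKeys]
        return try subtree(of: pid)
            .map { String(decoding: try encoder.encode($0), as: UTF8.self) }
            .joined(separator: "\n")
    }
}

// Constructed sample: a terminal spawns a shell, which runs a child that exits.
let tree = ProcessTree()
tree.apply(.exec(pid: 100, path: "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"))
tree.apply(.fork(pid: 101, ppid: 100))
tree.apply(.exec(pid: 101, path: "/bin/zsh"))
tree.apply(.fork(pid: 102, ppid: 101))
tree.apply(.exec(pid: 102, path: "/usr/bin/curl"))
tree.apply(.exit(pid: 102))
print(try tree.jsonl(rootedAt: 100))
```

Because everything lives in a dictionary, the data disappears with the process, which is the same persistence tradeoff the page describes for mac-monitor's in-memory Core Data store: anything worth keeping has to go through the export path before the app quits.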
This architecture and approach come with tradeoffs:
- The reliance on Endpoint Security APIs requires Full Disk Access permissions, which users must explicitly grant, reflecting macOS security model constraints.
- In-memory event storage means data is lost on app quit unless exported.
- Dynamic event subscriptions add complexity but result in improved performance.
Overall, the codebase is surprisingly clean for a system-level Swift app, with clear separation of concerns and use of macOS-native APIs.
Quick start with mac-monitor
Requirements
- Processor: We recommend an Apple Silicon machine, but Intel works too!
- System memory: 4GB+ is recommended
- macOS version: 13.1+ (Ventura)
How can I install this thing?
☕️ (Recommended) Homebrew
brew install --cask mac-monitor
📦 Installer package
- Go to the releases section and download the latest installer: https://github.com/Brandon7CC/mac-monitor/releases
Install
- Open the app: Mac Monitor.app. You’ll be prompted to “Open System Settings” to “Allow” the System Extension.
- Next, System Settings will automatically open to Full Disk Access. You’ll need to flip the switch to enable this for the Mac Monitor Security Extension. Full Disk Access is a requirement of Endpoint Security.
- 🏎️ Click the “Start” button in the app and you’ll be prompted to reopen the app. Done!
Install footprint
- Event monitor app which establishes an XPC connection to the Security Extension: /Applications/Mac Monitor.app with signing identifier com.swiftlydetecting.agent.
- Security Extension: /Library/SystemExtensions/../com.swiftlydetecting.agent.securityextension.systemextension with signing identifier com.swiftlydetecting.agent.securityextension.systemextension.
Uninstall
- From the Finder delete the app and authenticate to remove the System Extension. You can’t do this from the Dock. It’s that easy!
- You can also just remove the Security Extension if you want in the app’s menu bar or by going into the app settings.
- (1.0.3+) Supports removal using the ../Contents/SharedSupport/uninstall.sh script.
Verdict: who is mac-monitor for?
mac-monitor is a solid choice for security researchers, macOS system administrators, and threat hunters who want a native macOS tool that captures rich endpoint security events with more control and less overhead than always-on monitors.
Its dynamic subscription model and process-level correlation make it suitable for forensic investigations and real-time threat analysis workflows. However, it requires macOS Ventura or higher and explicit Full Disk Access permissions, which may limit casual use.
The in-memory event storage means users need to export data proactively if they want to keep logs beyond the current session. This is a tradeoff between performance and persistence.
If you need a native Swift app that respects macOS system security paradigms and want to explore Apple’s Endpoint Security framework in action, mac-monitor is worth trying. It’s not a turnkey enterprise product but an open-source project that balances usability, performance, and system integration thoughtfully.
→ GitHub Repo: Brandon7CC/mac-monitor ⭐ 1,313 · Swift