With the EndpointSecurity framework we are able to receive a process's audit token for every event that it generates.
However, we sometimes find ourselves needing to enumerate running processes, or to validate that an existing process matches the one in our memory. This can also happen after our daemon is installed, and we want to query current system information.
In this case we need to be able to get a process audit token on demand, and not through an event that it generated. Is it possible to perform such a query? Is there a plan to add something like that?
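The "validate an existing process matches the one in our memory" part of the question is where the audit token matters most: a bare PID can be reused once the original process exits, so a cache keyed on PID alone can match the wrong process. The example below is added here and is not code from the poster or from Apple; it redefines the token as eight 32-bit words so it compiles off macOS (an assumption: the real `audit_token_t` in `<mach/message.h>` has the same layout, with `val[5]` the PID and `val[7]` the pidversion, as read by libbsm's `audit_token_to_pid` and `audit_token_to_pidversion`). It shows a small cache of tokens collected from ES events and a check that distinguishes "same process instance", "same PID but a different instance" and "never seen". The cache contents are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same 8 x 32-bit layout as audit_token_t in <mach/message.h>; redefined
 * here (assumption, for portability) so the example builds anywhere.
 * Field order follows libbsm's audit_token_to_*() accessors. */
typedef struct { uint32_t val[8]; } example_audit_token_t;

enum { AT_AUID = 0, AT_EUID = 1, AT_EGID = 2, AT_RUID = 3, AT_RGID = 4,
       AT_PID = 5, AT_ASID = 6, AT_PIDVERSION = 7 };

/* Build a token from its components (constructed values in this example) */
example_audit_token_t make_token(uint32_t auid, uint32_t euid, uint32_t egid,
                                 uint32_t ruid, uint32_t rgid, uint32_t pid,
                                 uint32_t asid, uint32_t pidversion) {
    example_audit_token_t t = {{auid, euid, egid, ruid, rgid, pid, asid, pidversion}};
    return t;
}

uint32_t token_pid(const example_audit_token_t *t) { return t->val[AT_PID]; }
uint32_t token_pidversion(const example_audit_token_t *t) { return t->val[AT_PIDVERSION]; }

/* Two tokens name the same process instance only if PID and pidversion agree;
 * the PID alone is not enough because PIDs are recycled. */
bool same_process_instance(const example_audit_token_t *a,
                           const example_audit_token_t *b) {
    return a->val[AT_PID] == b->val[AT_PID] &&
           a->val[AT_PIDVERSION] == b->val[AT_PIDVERSION];
}

/* Tokens remembered from earlier ES events (e.g. exec notifications) */
#define CACHE_MAX 16
typedef struct {
    example_audit_token_t entries[CACHE_MAX];
    size_t count;
} process_cache_t;

bool cache_add(process_cache_t *c, const example_audit_token_t *t) {
    if (c->count >= CACHE_MAX) return false;
    c->entries[c->count++] = *t;
    return true;
}

/* Returns  1: the cached entry for this PID is the same process instance
 *          0: this PID was never seen
 *         -1: the PID is known but the pidversion differs (PID reuse) */
int cache_check(const process_cache_t *c, const example_audit_token_t *fresh) {
    for (size_t i = 0; i < c->count; i++) {
        if (c->entries[i].val[AT_PID] != fresh->val[AT_PID]) continue;
        return same_process_instance(&c->entries[i], fresh) ? 1 : -1;
    }
    return 0;
}

int main(void) {
    process_cache_t cache = { .count = 0 };
    /* Constructed: a token our daemon saw in an earlier exec event */
    example_audit_token_t seen = make_token(501, 501, 20, 501, 20, 1234, 100001, 7);
    cache_add(&cache, &seen);

    /* Constructed: tokens obtained later for the same PIDs */
    example_audit_token_t same   = make_token(501, 501, 20, 501, 20, 1234, 100001, 7);
    example_audit_token_t reused = make_token(0, 0, 0, 0, 0, 1234, 100002, 9);
    example_audit_token_t unseen = make_token(501, 501, 20, 501, 20, 999, 100001, 3);

    printf("same instance: %d (expect 1)\n", cache_check(&cache, &same));
    printf("pid reused:    %d (expect -1)\n", cache_check(&cache, &reused));
    printf("never seen:    %d (expect 0)\n", cache_check(&cache, &unseen));
    return 0;
}
```

The check only answers the validation half of the question; it still needs a fresh token for the process under test, which is exactly what the poster is asking how to obtain on demand. Whatever source that token comes from, comparing pidversion alongside the PID is what prevents a recycled PID from being mistaken for the cached process.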