Looking for Endpoint Security events for some System Calls

Please help me find Endpoint Security events for the system calls below.
  1. SYS_kdebug_trace
  2. SYS_open_nocancel
  3. SYS_posix_spawn
  4. SYS_proc_info
  5. SYS_rmdir
  6. SYS_vfork
  7. SYS_copyfile
  8. SYS_mkdir
  9. SYS_chmod
  10. SYS_chown

There isn’t a one-to-one mapping between system calls and EndpointSecurity messages. You should look through the es_event_type_t list in <EndpointSecurity/ESTypes.h> to find the event types that obviously correlate to the system calls of interest. If you find that there’s no event matching a system call you care about, post the details here and I’ll take a detailed look.

Make sure to include both the system call itself and what you’re hoping to do by detecting that system call.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
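To make the "look through es_event_type_t" advice concrete, here is an added example (not code from the original post, and not Apple's): a notify-only EndpointSecurity client that subscribes to the event types I read as correlating with the system calls in the question, and prints the fields a detection would key on. The syscall-to-event table is my own reading of <EndpointSecurity/ESTypes.h>, not something the reply above states, so check each row against the header before relying on it; SYS_kdebug_trace is left out because I could not find an event that correlates with it, which is exactly the case the reply says to post about. Note that ES messages do not name the syscall: an open from open_nocancel produces the same ES_EVENT_TYPE_NOTIFY_OPEN as a plain open, and rmdir and unlink both surface as UNLINK. The client needs the com.apple.developer.endpoint-security.client entitlement, Full Disk Access approval, and root; the hint strings in the failure path reflect the es_new_client_result_t values the header defines for those cases.

```swift
// Added example: notify-only EndpointSecurity client for the syscalls in the question.
// Assumptions: the syscall->event mapping below is the author's reading of ESTypes.h;
// the binary carries com.apple.developer.endpoint-security.client and runs as root.
import Foundation
import EndpointSecurity

// es_string_token_t is a (pointer, length) pair, not a NUL-terminated C string.
func string(from token: es_string_token_t) -> String {
    guard token.length > 0, let base = token.data else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: UnsafeRawPointer(base), count: token.length),
                  as: UTF8.self)
}

func path(of file: UnsafeMutablePointer<es_file_t>?) -> String {
    guard let file = file else { return "<none>" }
    return string(from: file.pointee.path)
}

// Author's reading of the header; verify each row against <EndpointSecurity/ESTypes.h>.
let syscallToEvents: [(syscall: String, events: [es_event_type_t])] = [
    ("SYS_posix_spawn",   [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_FORK]),
    ("SYS_vfork",         [ES_EVENT_TYPE_NOTIFY_FORK]),
    ("SYS_open_nocancel", [ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_CREATE]),
    ("SYS_mkdir",         [ES_EVENT_TYPE_NOTIFY_CREATE]),
    ("SYS_rmdir",         [ES_EVENT_TYPE_NOTIFY_UNLINK]),
    ("SYS_chmod",         [ES_EVENT_TYPE_NOTIFY_SETMODE]),
    ("SYS_chown",         [ES_EVENT_TYPE_NOTIFY_SETOWNER]),
    ("SYS_proc_info",     [ES_EVENT_TYPE_NOTIFY_PROC_CHECK]),
    ("SYS_copyfile",      [ES_EVENT_TYPE_NOTIFY_COPYFILE]),   // macOS 12 and later
]

// Render one message with the fields a detection rule would key on.
func describe(_ message: UnsafePointer<es_message_t>) -> String {
    let actor = path(of: message.pointee.process.pointee.executable)
    let event = message.pointee.event
    switch message.pointee.event_type {
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        return "\(actor) exec -> \(path(of: event.exec.target.pointee.executable))"
    case ES_EVENT_TYPE_NOTIFY_FORK:
        return "\(actor) fork -> child \(path(of: event.fork.child.pointee.executable))"
    case ES_EVENT_TYPE_NOTIFY_OPEN:
        return "\(actor) open \(path(of: event.open.file)) fflag=0x\(String(event.open.fflag, radix: 16))"
    case ES_EVENT_TYPE_NOTIFY_CREATE:
        // NOTIFY messages carry the created object; AUTH messages carry dir + filename.
        if event.create.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE {
            return "\(actor) create \(path(of: event.create.destination.existing_file))"
        }
        let dir = path(of: event.create.destination.new_path.dir)
        return "\(actor) create \(dir)/\(string(from: event.create.destination.new_path.filename))"
    case ES_EVENT_TYPE_NOTIFY_UNLINK:
        return "\(actor) unlink \(path(of: event.unlink.target))"
    case ES_EVENT_TYPE_NOTIFY_SETMODE:
        return "\(actor) setmode \(path(of: event.setmode.target)) mode=0o\(String(event.setmode.mode, radix: 8))"
    case ES_EVENT_TYPE_NOTIFY_SETOWNER:
        return "\(actor) setowner \(path(of: event.setowner.target)) uid=\(event.setowner.uid) gid=\(event.setowner.gid)"
    case ES_EVENT_TYPE_NOTIFY_PROC_CHECK:
        let target = event.proc_check.target.map { path(of: $0.pointee.executable) } ?? "<none>"
        return "\(actor) proc_check type=\(event.proc_check.type.rawValue) flavor=\(event.proc_check.flavor) target=\(target)"
    case ES_EVENT_TYPE_NOTIFY_COPYFILE:
        let dest = "\(path(of: event.copyfile.target_dir))/\(string(from: event.copyfile.target_name))"
        return "\(actor) copyfile \(path(of: event.copyfile.source)) -> \(dest)"
    default:
        return "\(actor) event_type=\(message.pointee.event_type.rawValue)"
    }
}

func startClient() -> OpaquePointer {
    var client: OpaquePointer?
    let status = es_new_client(&client) { _, message in
        // Message memory is only valid for the duration of this block; we print and return.
        print(describe(message))
    }
    guard status == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else {
        // Typical causes: ERR_NOT_ENTITLED (missing entitlement), ERR_NOT_PERMITTED
        // (no Full Disk Access approval), ERR_NOT_PRIVILEGED (not running as root).
        fputs("es_new_client failed: \(status.rawValue)\n", stderr)
        exit(EXIT_FAILURE)
    }
    // Deduplicate the event list before subscribing.
    var events: [es_event_type_t] = []
    for entry in syscallToEvents {
        for e in entry.events where !events.contains(e) { events.append(e) }
    }
    guard es_subscribe(es, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
        fputs("es_subscribe failed\n", stderr)
        exit(EXIT_FAILURE)
    }
    return es
}

_ = startClient()   // ES keeps the client alive until es_delete_client is called
print("subscribed to \(syscallToEvents.count) syscall rows; Ctrl-C to stop")
dispatchMain()
```

Build it as a signed, entitled binary and run it as root; then exercise the syscalls in a second shell (mkdir, chmod, chown, rmdir, a cp, a fork/exec) and compare what prints against the table, which is the quickest way to confirm or correct each row.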