Update EDR_telem_mac.json - Uptycs - File Activity #172

Open
joshlemon wants to merge 1 commit into tsale:main from joshlemon:patch-16
Conversation

joshlemon (Contributor) commented Apr 2, 2026

EDR Telemetry Pull Request

Contribution Details

This PR updates the macOS telemetry data for Uptycs covering the File Activity category, including File Creation, File Modification, File Deletion, File Attribute Change, and File Open/Access. All five sub-categories are confirmed as Yes via the process_file_events table.

Telemetry Validation

All five File Activity sub-categories were validated by running the macOS EDR telemetry generation script and querying the process_file_events table in Uptycs. Each sub-category was triggered using a uniquely named temp directory (e.g. edr_telem_4bawmn6d/, edr_telem_zizzg1b_/, etc.) to isolate events.

File Creation — queried via:

select upt_time, operation, cmdline, executable, path, dest_path, cwd, pid, ppid, flags
from process_file_events
where upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
  and upt_day = 20260324
  and (path like '%edr_telem_4bawmn6d/%' or dest_path like '%edr_telem_4bawmn6d/%')
order by upt_time DESC

File Modification — queried via:

select upt_time, operation, cmdline, executable, path, dest_path, cwd, pid, ppid, flags
from process_file_events
where upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
  and upt_day = 20260324
  and (path like '%edr_telem_zizzg1b_/%' or dest_path like '%edr_telem_zizzg1b_/%')
order by upt_time DESC

File Deletion — queried via:

select upt_time, operation, cmdline, executable, path, dest_path, cwd, pid, ppid, flags
from process_file_events
where upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
  and upt_day = 20260324
  and (path like '%edr_telem_0605cf_z/%' or dest_path like '%edr_telem_0605cf_z/%')
order by upt_time DESC

File Attribute Change — queried via:

select upt_time, operation, cmdline, executable, path, dest_path, cwd, pid, ppid, flags
from process_file_events
where upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
  and upt_day = 20260324
  and (path like '%edr_telem_otjvookl%' or dest_path like '%edr_telem_otjvookl%')
order by upt_time DESC

File Open/Access — queried via:

select upt_time, operation, cmdline, executable, path, dest_path, cwd, pid, ppid, flags
from process_file_events
where upt_asset_id='564d1969-51b0-d23e-47e0-d0658d09af0d'
  and upt_day = 20260324
  and (path like '%edr_telem_9w9z0jzw/%' or dest_path like '%edr_telem_9w9z0jzw/%')
order by upt_time DESC

Documentation or Evidence:

  • Official documentation (link: )
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation (will share confidentially)

Type of Contribution

  • Adding telemetry information for an existing EDR product
  • Adding a new EDR product that meets eligibility criteria
  • Proposing new event categories/sub-categories
  • Documentation improvement
  • Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name: Uptycs
  • EDR Version: 5.19
  • Operating System(s) Tested: macOS

Testing Methodology

The macOS EDR telemetry generation script was run on a managed macOS host enrolled in Uptycs. Each File Activity event type was triggered using a dedicated, uniquely named temp directory to allow unambiguous event isolation. Results were confirmed in the Uptycs platform by querying process_file_events with path-based filters matching the test artifact names. All five sub-categories returned matching events with the expected operation field values (e.g. CREATE, WRITE, DELETE, ATTR_CHANGE, OPEN).

Additional Notes

The underlying data source for all five File Activity sub-categories is the process_file_events table. The operation column differentiates event types within this single table. No configuration changes were required for these sub-categories.
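The validation procedure described in this PR (trigger each File Activity sub-category in a uniquely named temp directory, then confirm the rows in process_file_events carry the expected operation values) can be reproduced with a small script. The following is an added example, not the EDR-Telemetry project's macOS generation script and not Uptycs code. It assumes a POSIX shell with mktemp, chmod, cat and grep, uses the edr_telem_ directory naming the PR uses, takes the five operation strings (CREATE, WRITE, DELETE, ATTR_CHANGE, OPEN) from the PR text as an assumption about the exact values the query returns, and the operation list fed to check_coverage is a constructed sample, not real Uptycs output.

```sh
#!/bin/sh
# Added example, not the EDR-Telemetry project's macOS generation script and not
# Uptycs code. Generates the five File Activity sub-categories from the PR in a
# uniquely named temp directory (edr_telem_XXXXXXXX, matching the naming the PR
# uses) so the resulting process_file_events rows can be isolated with a
# path LIKE filter, then checks a query result for the expected operations.

# Trigger create, modify, attribute change, open/access and delete on one file
# inside a fresh temp directory. Prints the directory's basename, which is the
# value to put in the `path like '%<name>/%'` filter. The directory itself is
# removed again so the test leaves nothing behind on the host.
gen_file_activity() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/edr_telem_XXXXXXXX") || return 1
  f="$dir/telem_test.txt"
  : > "$f"                      # File Creation
  printf 'modified\n' >> "$f"   # File Modification
  chmod 600 "$f"                # File Attribute Change
  cat "$f" > /dev/null          # File Open/Access (read-only open)
  rm -f "$f"                    # File Deletion
  rmdir "$dir"
  basename "$dir"
}

# Operation values the PR reports for the five sub-categories (assumption:
# these are the exact strings the operation column contains).
EXPECTED_OPS="CREATE WRITE DELETE ATTR_CHANGE OPEN"

# $1: newline-separated operation column of the query result. Prints
# ALL_PRESENT, or MISSING: followed by the operations not seen, so a gap in a
# sub-category shows up in the check rather than being inferred by eye.
check_coverage() {
  missing=""
  for op in $EXPECTED_OPS; do
    printf '%s\n' "$1" | grep -qx "$op" || missing="$missing $op"
  done
  if [ -z "$missing" ]; then
    echo ALL_PRESENT
  else
    echo "MISSING:$missing"
  fi
}

# Constructed sample: the operation column of a result like the PR's queries.
SAMPLE_OPS="OPEN
DELETE
ATTR_CHANGE
WRITE
CREATE"

# Usage: sh edr_file_activity.sh run
if [ "${1:-}" = "run" ]; then
  echo "test directory: $(gen_file_activity)"
  check_coverage "$SAMPLE_OPS"
fi
```

Run it with the `run` argument on the enrolled host, paste the printed directory name into the `path like` / `dest_path like` filter of the PR's query, and feed the operation column of the result to check_coverage; any sub-category that the sensor did not record is listed after MISSING: instead of having to be spotted in a screenshot.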
