Attendees will learn how to use Apple's Endpoint Security API as an event source to build behavior-based detections. This session will explore the difference between old and new ways of detecting malicious activity on Mac, how to use (often overlooked) process field information, and how to use ES events to determine when more advanced system exploitation is occurring.